
Restrict methods of a WCF service from unauthorized (unwanted) user access

Developer https://www.devze.com 2023-03-07 06:42 Source: web

I'm wondering how I can restrict some methods from unauthorized user access. Let's assume I have a WCF service with the following contract:

    int Login(string username, string password);
    Invoice[] GetCustomersInvoices(int customerId);

A user should act in the following way:

  1. Log in to verify against the service and get his customerId
  2. Fetch his invoices by invoking the corresponding method with his customerId

Well, that's maybe a stupid question, but what if customerA's id is 23, but somehow customerA knows customerB's id, which is 42. Now customerA could read customerB's secret invoice data... What could I best do to avoid this?


You shouldn't use a single id for identifying someone. There are many ways of enabling authn/authz in WCF, I like the article at http://msdn.microsoft.com/en-us/magazine/cc948343.aspx for a good introduction on some ways of doing it.


Your current approach of calling methods will only work if you are able to implement a secure (persistent) channel between client and server using SSL or any other such mode (a typical scenario would be banking payment gateways).

So IMO you need to implement your user authentication inside the method (no separate calls), i.e. you have to pass the user id and password along with the invoice id to the GetCustomersInvoices() method, and inside it you need to authenticate the user and then retrieve the data.

The following would be a solution for such a scenario:

  1. Implement your own user name/password validation (custom username authentication), which will first authenticate the user and then call the given method. Since this happens in one request, it will solve your problem. A typical service method call would look like:

     // generated WCF proxy; the credentials travel in the message security header of every call
     var client = new InvoiceServiceClient();
     client.ClientCredentials.UserName.UserName = "abc";
     client.ClientCredentials.UserName.Password = "***";
     client.GetInvoiceDetails(1233);
    
  2. You can make use of message headers and the body to pass your custom values; web services support such scenarios, where you can pass encrypted data in SOAP headers.

  3. Alternatively, you can also use certificates, but these are not free.

In general, you can go through the following link to get more info on the various kinds of security WCF supports:

http://msdn.microsoft.com/en-us/library/ms731925.aspx
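As an added example (not code from the question or either answer), here is point 1 combined with the authorization check the question is really asking for: a custom UserNamePasswordValidator establishes who the caller is, and GetCustomersInvoices() compares the client-supplied customerId against that identity instead of trusting it. The Store class, its two sample accounts and the contract name are constructed placeholders.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.ServiceModel;

public class Invoice { public int CustomerId; public decimal Amount; }

// Constructed in-memory stores standing in for the real user and invoice databases.
static class Store
{
    public static readonly Dictionary<string, (string Password, int CustomerId)> Users =
        new Dictionary<string, (string, int)> { ["alice"] = ("pw-a", 23), ["bob"] = ("pw-b", 42) };
    public static readonly List<Invoice> Invoices = new List<Invoice> {
        new Invoice { CustomerId = 23, Amount = 10m }, new Invoice { CustomerId = 42, Amount = 99m } };
}

// Registered in config under <serviceCredentials><userNameAuthentication
// userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="..."/>
// on a binding with message security and clientCredentialType="UserName".
// WCF invokes it for every request, so there is no separate Login() call to bypass.
public class InvoiceUserValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // A real store compares a salted password hash; plaintext only keeps the example short.
        if (!Store.Users.TryGetValue(userName, out var u) || u.Password != password)
            throw new SecurityTokenException("Unknown user name or wrong password");
    }
}

[ServiceContract]
public interface IInvoiceService
{
    [OperationContract] Invoice[] GetCustomersInvoices(int customerId);
}

public class InvoiceService : IInvoiceService
{
    public Invoice[] GetCustomersInvoices(int customerId)
    {
        // The caller's identity comes from the validated credentials, not from the message body.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        int callerId = Store.Users[caller].CustomerId;
        // Authorization: customer 23 asking for customer 42's invoices is refused here.
        if (customerId != callerId)
            throw new FaultException("Access denied");
        return Store.Invoices.Where(i => i.CustomerId == customerId).ToArray();
    }
}
```

Dropping the customerId parameter altogether and always returning the caller's own invoices removes the check entirely, which is the simplest fix when no user legitimately needs another customer's data.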

