呼叫 WebService 的安全性
#1. 使用 IP 限制 (IIS)
#2. 使用 NT 認證
#3. 使用 SOAP Header 自訂帳號密碼
以下介紹 #3（注意：SOAP Header 內的帳號密碼是以明文隨 SOAP 訊息傳送，應搭配 HTTPS 使用）。
1. 自訂帳號密碼類別
/// <summary>
/// Custom SOAP header that carries the caller's credentials to the service.
/// Both members are plain public fields so the SOAP stack can serialize them;
/// no hashing or other transformation is applied on either side, the values
/// are compared as sent. Keep the field order: it is the on-the-wire element order.
/// </summary>
public class AuthHeader : SoapHeader
{
    /// <summary>Account name to authenticate as.</summary>
    public string UserName;

    /// <summary>Password belonging to <see cref="UserName"/>, transmitted in clear text inside the envelope.</summary>
    public string Password;
}
2.1 Service 端
在 Web Method 被呼叫時執行驗證
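/// <summary>
/// Sample ASMX service that authenticates each call with a custom
/// <see cref="AuthHeader"/> SOAP header before doing any work.
/// </summary>
/// <remarks>
/// The header carries the password in clear text, so the endpoint has to be
/// served over HTTPS. The credential table below is hard-coded, plain-text
/// sample data; a real service would look users up in a store of salted,
/// hashed passwords instead of keeping secrets in source.
/// </remarks>
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
// To allow this web service to be called from script using ASP.NET AJAX, uncomment the following line.
// [System.Web.Script.Services.ScriptService]
public class WebService1 : System.Web.Services.WebService
{
    /// <summary>
    /// Sample credentials, user name -> password. Kept in one place so the
    /// lookup can be swapped for a real credential store without touching the
    /// web methods. Lookup is ordinal (default comparer), as the string
    /// comparison in the original check was.
    /// </summary>
    private static readonly System.Collections.Generic.Dictionary<string, string> s_demoUsers =
        new System.Collections.Generic.Dictionary<string, string>
        {
            { "mike", "1234" },
            { "john", "5678" },
        };

    /// <summary>
    /// Bound by the SOAP stack from the incoming AuthHeader (see the
    /// <c>[SoapHeader]</c> attribute on <see cref="HelloWorld"/>); stays null
    /// when the caller sent no header.
    /// </summary>
    public AuthHeader AuthHeader;

    /// <summary>
    /// Greets <paramref name="userId"/> once the SOAP header credentials check out.
    /// </summary>
    /// <param name="userId">Name echoed back in the greeting; not validated against the header.</param>
    /// <returns>
    /// ErrCode "00" with the greeting in ErrMessage, or the failing
    /// <see cref="Result"/> from <see cref="CheckUser"/> ("99" missing header,
    /// "98" wrong credentials).
    /// </returns>
    [SoapHeader("AuthHeader")]
    [WebMethod]
    public Result HelloWorld(string userId)
    {
        var auth = CheckUser(AuthHeader);
        if (auth.ErrCode != "00")
        {
            // Propagate the authentication failure unchanged so the caller sees the code.
            return auth;
        }

        return new Result("00", string.Format("hello,{0}", userId));
    }

    /// <summary>
    /// Validates the credentials carried in the SOAP header.
    /// </summary>
    /// <param name="authHeader">Header as received; null when the caller sent none.</param>
    /// <returns>
    /// "00" on success, "99" when no header was sent, "98" when the user name
    /// is unknown or the password does not match.
    /// </returns>
    private Result CheckUser(AuthHeader authHeader)
    {
        if (authHeader == null)
        {
            return new Result("99", "Header認證有誤!");
        }

        // TryGetValue throws on a null key, so guard it; a missing user name is
        // reported the same way as a wrong password to avoid revealing which part failed.
        string expectedPassword;
        if (authHeader.UserName != null
            && s_demoUsers.TryGetValue(authHeader.UserName, out expectedPassword)
            && expectedPassword == authHeader.Password)
        {
            return new Result("00", "");
        }

        return new Result("98", "帳號或密碼有誤!");
    }
}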
2.2 呼叫端
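// Exercises the three authentication outcomes of WebService1.HelloWorld through
// the generated proxy (wsAuthWS.*). `Url` is the service address supplied by the
// surrounding test; each proxy must have it set before the call is made.

//=======================================================
// Successful call: known user, correct password
//=======================================================
wsAuthWS.WebService1 ws = new wsAuthWS.WebService1();
wsAuthWS.AuthHeader header = new wsAuthWS.AuthHeader();
header.UserName = "mike";
header.Password = "1234";
// AuthHeaderValue is the proxy-generated property that attaches the header to the request.
ws.AuthHeaderValue = header;
ws.Url = Url;
var result = ws.HelloWorld("Mike");
Assert.AreEqual("00", result.ErrCode);
Assert.IsTrue(result.ErrMessage.Contains("Mike"));

//=======================================================
// Rejected: known user, wrong password
//=======================================================
wsAuthWS.WebService1 wsNoAuth = new wsAuthWS.WebService1();
wsAuthWS.AuthHeader headerNoAuth = new wsAuthWS.AuthHeader();
headerNoAuth.UserName = "mike";
headerNoAuth.Password = "12341";
wsNoAuth.AuthHeaderValue = headerNoAuth;
wsNoAuth.Url = Url;
var resultNoAuth = wsNoAuth.HelloWorld("mike");
Assert.AreEqual("98", resultNoAuth.ErrCode);
Assert.IsTrue(resultNoAuth.ErrMessage.Contains("帳號或密碼有誤"));

//=======================================================
// Rejected: no authentication header sent at all
//=======================================================
wsAuthWS.WebService1 wsNoHeader = new wsAuthWS.WebService1();
// Url must be assigned before the call; assigning it afterwards (as the original
// snippet did) sends this request to the proxy's default address instead.
wsNoHeader.Url = Url;
var resultNoHeader = wsNoHeader.HelloWorld("mike");
Assert.AreEqual("99", resultNoHeader.ErrCode);
Assert.IsTrue(resultNoHeader.ErrMessage.Contains("認證有誤"));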