ASP.NET WebService security for access control

Source: Internet
Author: User
First, overview:

A Web service is an online application service that an enterprise publishes to meet a specific business need; other companies or applications can access and use it over the Internet. Logically, it provides data and services to other applications. Each application accesses the Web service through network protocols and standard data formats (HTTP, XML, SOAP), and the Web service executes internally to produce the desired result. Because the service is called over the Internet, any network user can invoke it, which raises security issues. How to restrict access is therefore an important problem for anyone using WebService. The following two approaches address it, from the simple to the more involved.

Second, a simple method based on the "SoapHeader" attribute

1. "SoapHeader" Overview

The SOAP header provides a way to pass data to or from an XML Web services method when that data is not directly related to the main functionality of the method. In most cases it is used to pass user authentication information, but its uses go well beyond that and are worth exploring in practical applications.

2. Code implementing user authentication with SoapHeader

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Services;
    using System.Web.Services.Protocols;

    namespace UserCenter
    {
        // Custom SOAP header that carries the caller's credentials
        public class MySoapHeader : SoapHeader
        {
            public string UserName { get; set; }
            public string PWD { get; set; }
        }

        /// <summary>
        /// MyMath summary description
        /// </summary>
        [WebService(Namespace = "http://tempuri.org/")]
        [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
        [System.ComponentModel.ToolboxItem(false)]
        // To allow this Web service to be called from script using ASP.NET AJAX, uncomment the following line.
        // [System.Web.Script.Services.ScriptService]
        public class MyMath : System.Web.Services.WebService
        {
            // Filled in by the framework from the incoming SOAP header
            public MySoapHeader sHeader;

            [WebMethod]
            public string HelloWorld()
            {
                return "Hello world";
            }

            [WebMethod]
            [SoapHeader("sHeader")]
            public string Add(int x, int y)
            {
                // sHeader is null when the caller sends no header, so check it first
                if (sHeader != null && sHeader.UserName == "Test" && sHeader.PWD == "Test")
                {
                    return (x + y).ToString();
                }
                else
                {
                    return null;
                }
            }
        }
    }

3. Disadvantage analysis:

(1) Service logic and user authorization logic are mixed, which makes the program harder to understand.
(2) The permission logic is not very reusable.

Third, a method based on the "SoapExtensionAttribute" attribute

1. SoapExtensionAttribute and SoapExtension Overview

The SoapExtension and SoapExtensionAttribute classes are used to control the general process of WebService serialization and deserialization, and can be used to add functions such as compression and logging to a WebService.

2. Implementing the Code

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Services;
    using System.Web.Services.Protocols;

    namespace XMLClass1.class15.content
    {
        [AttributeUsage(AttributeTargets.Method)]
        public class MyExtensionAttribute : SoapExtensionAttribute
        {
            int _priority = 1;

            public override int Priority
            {
                get { return _priority; }
                set { _priority = value; }
            }

            public override Type ExtensionType
            {
                get { return typeof(MyExtension); }
            }
        }

        public class MyExtension : SoapExtension
        {
            // This override is called four times, once per SoapMessageStage:
            // BeforeSerialize, AfterSerialize, BeforeDeserialize, AfterDeserialize
            public override void ProcessMessage(SoapMessage message)
            {
                if (message.Stage == SoapMessageStage.AfterDeserialize) // process after deserialization
                {
                    bool check = false;
                    foreach (SoapHeader header in message.Headers)
                    {
                        if (header is MySoapHeader)
                        {
                            MySoapHeader myHeader = (MySoapHeader)header;
                            // Both the name and the password must match
                            if (myHeader.Name == "Admin" && myHeader.PassWord == "Admin")
                            {
                                check = true;
                                break;
                            }
                        }
                    }
                    if (!check)
                        throw new SoapHeaderException("Authentication failed", SoapException.ClientFaultCode);
                }
            }

            public override Object GetInitializer(Type type)
            {
                return GetType();
            }

            public override Object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
            {
                return null;
            }

            public override void Initialize(Object initializer)
            {
            }
        }

        public class MySoapHeader : SoapHeader
        {
            string _name;
            string _password;

            public string Name
            {
                get { return _name; }
                set { _name = value; }
            }

            public string PassWord
            {
                get { return _password; }
                set { _password = value; }
            }
        }

        /// <summary>
        /// HeaderSoap2 summary description
        /// </summary>
        [WebService(Namespace = "http://tempuri.org/")]
        [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
        [System.ComponentModel.ToolboxItem(false)]
        // To allow this Web service to be called from script using ASP.NET AJAX, uncomment the following line.
        // [System.Web.Script.Services.ScriptService]
        public class HeaderSoap2 : System.Web.Services.WebService
        {
            public MySoapHeader header;

            [WebMethod]
            [MyExtensionAttribute]
            [SoapHeader("header", Direction = SoapHeaderDirection.In)]
            public string CheckHeader()
            {
                // Business logic.
                return "Something done";
            }
        }
    }
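
Both listings above compare the header fields with credentials hard-coded in the source. The following C# helper is an added example, not part of the original article, that replaces that comparison with a lookup against salted PBKDF2 hashes; `HeaderCredentialValidator`, `Register` and `IsValid` are hypothetical names, and it assumes .NET Framework 4.7.2 or later for the `Rfc2898DeriveBytes` overload that takes a `HashAlgorithmName`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example; HeaderCredentialValidator and its members are hypothetical names.
public static class HeaderCredentialValidator
{
    const int Iterations = 100000; // constructed work factor for this example
    static readonly byte[] DummySalt = new byte[16];
    static readonly byte[] DummyHash = new byte[32];

    // user name -> (salt, PBKDF2 hash); fill once at startup from your user store.
    static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    public static void Register(string user, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Users[user] = Tuple.Create(salt, Derive(password, salt));
    }

    // Call from ProcessMessage: check = IsValid(myHeader.Name, myHeader.PassWord);
    public static bool IsValid(string user, string password)
    {
        if (user == null || password == null) return false; // header fields missing
        Tuple<byte[], byte[]> entry;
        bool known = Users.TryGetValue(user, out entry);
        // Unknown users still cost one derivation, so timing does not reveal which names exist.
        byte[] actual = Derive(password, known ? entry.Item1 : DummySalt);
        bool match = FixedTimeEquals(actual, known ? entry.Item2 : DummyHash);
        return known && match;
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Compare every byte instead of returning at the first difference.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The header still carries the password inside the SOAP envelope, so the service should be reachable only over HTTPS.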

That is all for WebService security settings. I hope it serves as a useful reference, and I also hope you will support topic.alibabacloud.com.
