First, overview:
A Web service is an online application service that an enterprise publishes to meet a specific business need; other companies or applications can access and use it over the Internet. Logically, it provides data and services to other applications. Each application calls the Web service through network protocols and standard data formats (HTTP, XML, SOAP), and the Web service executes internally to return the desired result. Because the service is invoked over the Internet, any network user can reach it, which raises security issues. How to restrict access to a WebService is therefore an important problem for anyone using one. The following two schemes, from simple to more advanced, address it.
Second, the simple method based on the "SoapHeader" feature
1. "SoapHeader" Overview
The SOAP header provides a way to pass data to or from an XML Web services method when that data is not directly related to the method's main function. In most cases it is used to pass user authentication information. Its uses go well beyond that, and more can be found in practical applications.
2. Code implementing user authentication with SoapHeader
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace UserCenter
{
    // Custom SOAP header carrying the caller's credentials.
    public class MySoapHeader : SoapHeader
    {
        public string UserName { get; set; }
        public string PWD { get; set; }
    }

    /// <summary>
    /// Summary description for MyMath
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [System.ComponentModel.ToolboxItem(false)]
    // To allow this Web service to be called from script using ASP.NET AJAX, uncomment the following line.
    // [System.Web.Script.Services.ScriptService]
    public class MyMath : System.Web.Services.WebService
    {
        // Populated by the framework from the incoming SOAP header.
        public MySoapHeader sHeader;

        [WebMethod]
        public string HelloWorld()
        {
            return "Hello World";
        }

        [WebMethod]
        [SoapHeader("sHeader")]
        public string Add(int x, int y)
        {
            // sHeader is null when the client sends no header.
            if (sHeader != null && sHeader.UserName == "test" && sHeader.PWD == "test")
            {
                return (x + y).ToString();
            }
            else
            {
                return null;
            }
        }
    }
}
3. Disadvantage analysis:
(1) Service logic and user authorization logic are mixed together, which makes the program harder to understand.
(2) The authorization logic is not very reusable.
Third, the method based on the "SoapExtensionAttribute" feature
1. SoapExtensionAttribute and SoapExtension overview
The SoapExtension and SoapExtensionAttribute classes are used to control the general process of Web service serialization and deserialization; they can be used to add functions such as compression and logging to a Web service.
2. Implementation code
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace XMLClass1.class15.content
{
    // Applying this attribute to a Web method attaches MyExtension to it.
    [AttributeUsage(AttributeTargets.Method)]
    public class MyExtensionAttribute : SoapExtensionAttribute
    {
        int _priority = 1;

        public override int Priority
        {
            get { return _priority; }
            set { _priority = value; }
        }

        public override Type ExtensionType
        {
            get { return typeof(MyExtension); }
        }
    }

    public class MyExtension : SoapExtension
    {
        // This override is invoked four times, once per SoapMessageStage:
        // BeforeSerialize, AfterSerialize, BeforeDeserialize, AfterDeserialize
        public override void ProcessMessage(SoapMessage message)
        {
            if (message.Stage == SoapMessageStage.AfterDeserialize) // process after deserialization
            {
                bool check = false;
                foreach (SoapHeader header in message.Headers)
                {
                    if (header is MySoapHeader)
                    {
                        MySoapHeader myHeader = (MySoapHeader)header;
                        // Both the name and the password must match.
                        if (myHeader.Name == "Admin" && myHeader.PassWord == "Admin")
                        {
                            check = true;
                            break;
                        }
                    }
                }
                if (!check)
                    throw new SoapHeaderException("Authentication failed", SoapException.ClientFaultCode);
            }
        }

        public override object GetInitializer(Type type)
        {
            return GetType();
        }

        public override object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
        {
            return null;
        }

        public override void Initialize(object initializer)
        {
        }
    }

    public class MySoapHeader : SoapHeader
    {
        string _name;
        string _password;

        public string Name
        {
            get { return _name; }
            set { _name = value; }
        }

        public string PassWord
        {
            get { return _password; }
            set { _password = value; }
        }
    }

    /// <summary>
    /// Summary description for HeaderSoap2
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [System.ComponentModel.ToolboxItem(false)]
    // To allow this Web service to be called from script using ASP.NET AJAX, uncomment the following line.
    // [System.Web.Script.Services.ScriptService]
    public class HeaderSoap2 : System.Web.Services.WebService
    {
        public MySoapHeader header;

        [WebMethod]
        [MyExtensionAttribute]
        [SoapHeader("header", Direction = SoapHeaderDirection.In)]
        public string CheckHeader()
        {
            // Business logic.
            return "something done";
        }
    }
}
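A hardened form of the credential check performed in ProcessMessage above, as an added example that is not part of the original article: it replaces the hard-coded string comparison with a salted PBKDF2 hash read from configuration, a fixed-time comparison, and an HTTPS requirement. The class name HeaderAuth and the appSettings keys SvcUser, SvcSalt and SvcHash are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web;
using System.Web.Services.Protocols;

// Added example, not from the original article. HeaderAuth and the
// appSettings keys SvcUser, SvcSalt and SvcHash are assumed names.
public static class HeaderAuth
{
    const int Iterations = 100000;

    // Call from ProcessMessage at AfterDeserialize with myHeader.Name and myHeader.PassWord.
    public static void Require(string name, string password)
    {
        // The SOAP header carries the password in clear text, so insist on TLS.
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || !ctx.Request.IsSecureConnection)
            throw Fail("HTTPS required");
        if (string.IsNullOrEmpty(name) || string.IsNullOrEmpty(password))
            throw Fail("Authentication failed");

        // Only a salted PBKDF2 hash of the password is stored, base64-encoded.
        string user = ConfigurationManager.AppSettings["SvcUser"];
        byte[] salt = Convert.FromBase64String(ConfigurationManager.AppSettings["SvcSalt"]);
        byte[] want = Convert.FromBase64String(ConfigurationManager.AppSettings["SvcHash"]);
        byte[] got = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(want.Length);
        // Evaluate both checks (non-short-circuit &) before deciding.
        bool ok = FixedTimeEquals(got, want)
                & string.Equals(name, user, StringComparison.Ordinal);
        if (!ok)
            throw Fail("Authentication failed");
    }

    static SoapHeaderException Fail(string message)
    {
        return new SoapHeaderException(message, SoapException.ClientFaultCode);
    }

    // Compares every byte instead of returning at the first mismatch.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

SvcSalt must decode to at least 8 bytes, the minimum Rfc2898DeriveBytes accepts, and SvcHash must have been produced with the same salt and iteration count.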