In a REST-based WCF service, security is not as straightforward as in an ordinary WCF service, where the binding comes with a supporting security mode. REST WCF services (webHttpBinding) can only be secured at the transport layer, whereas ordinary WCF services can also be secured at the message layer. So once ASP.NET compatibility mode is enabled for a REST WCF service, its security is effectively left to ASP.NET. This article describes how to implement the simplest form of user-name verification in REST WCF.
In SOAP-based WCF, the user name and password can be carried in a SoapHeader (MessageHeader); we did the same thing back in the ASMX Web Service days. In REST WCF we can use an HTTP header for the same purpose. (Nobody wants to add user and password parameters to every service operation...)
First, add the following method to the service to verify the header: if the Authorization header is missing or is not the string "fangxing/123", the request is rejected with 405 Method Not Allowed. The content of the string is up to you; the server checks it according to whatever rule you define. (Strictly speaking, the conventional response to a missing or invalid credential is 401 Unauthorized with a WWW-Authenticate header; 405 is used here for simplicity. Also, because the credential travels in clear text in the header, the service should only be exposed over HTTPS.)
private bool CheckAuthorization()
{
    var ctx = WebOperationContext.Current;
    var auth = ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization];
    if (string.IsNullOrEmpty(auth) || auth != "fangxing/123")
    {
        ctx.OutgoingResponse.StatusCode = HttpStatusCode.MethodNotAllowed;
        return false;
    }
    return true;
}
Then call it in the implementation of each operation of the service contract.
[WebGet(UriTemplate = "all")]
public List<Task> GetTask()
{
    if (!CheckAuthorization())
        return null;
    return GetData();
}
[WebGet(UriTemplate = "{taskId}")]
public Task GetTaskById(string taskId)
{
    if (!CheckAuthorization())
        return null;
    return GetData().FirstOrDefault(t => t.Id == taskId);
}
If the service is now accessed directly from a browser (which sends no Authorization header), 405 Method Not Allowed is returned:
The client only needs to add the corresponding authentication token to the request header to get access. The client object can be designed as a singleton with the header set once, so the verification information does not have to be added on every call.
var url = "http://localhost:3433/TaskService/all";
var client = new HttpClient();
client.DefaultHeaders.Add("Authorization", "fangxing/123");
var resp = client.Get(url);
* Microsoft.Http.HttpClient from the WCF REST Starter Kit is used here rather than System.Net.WebClient.
Looking back at the server code: having to call CheckAuthorization() in every operation is annoying, isn't it?
OK. We know that the REST WCF service is hosted in a web application and that the service object is activated through a WebServiceHostFactory registered in the RouteTable. By doing a little "tampering" with that WebServiceHostFactory we can intercept every request and perform the verification centrally. The code is as follows. (Ordinary WCF can use the same approach to intercept and verify a MessageHeader.)
public class SecureWebServiceHostFactory : WebServiceHostFactory
{
    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        var host = base.CreateServiceHost(serviceType, baseAddresses);
        host.Authorization.ServiceAuthorizationManager = new MyServiceAuthorizationManager();
        return host;
    }

    public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses)
    {
        var host = base.CreateServiceHost(constructorString, baseAddresses);
        host.Authorization.ServiceAuthorizationManager = new MyServiceAuthorizationManager();
        return host;
    }
}

public class MyServiceAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var ctx = WebOperationContext.Current;
        var auth = ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization];
        if (string.IsNullOrEmpty(auth) || auth != "fangxing/123")
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.MethodNotAllowed;
            return false;
        }
        return true;
    }
}
Then modify RegisterRoutes to use the new factory class:
var secureWebServiceHostFactory = new SecureWebServiceHostFactory();
RouteTable.Routes.Add(new ServiceRoute("TaskService",
    secureWebServiceHostFactory, typeof(TaskService)));
In this way CheckAuthorization() can be removed from the service code, and the verification work is handed over to SecureWebServiceHostFactory.
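As an added example (not code from the original post), here is a hardened variant of the authorization manager above. It keeps the same ServiceAuthorizationManager hook, so it plugs into the factory unchanged, but it expects the standard HTTP Basic form of the header (Authorization: Basic base64("user:password")) instead of the fixed string "fangxing/123", looks the user up in a small in-memory store constructed for the example, compares the password in constant time, and answers 401 Unauthorized with a WWW-Authenticate challenge rather than 405. The class name, the user store and its contents are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

// Hardened variant of the post's MyServiceAuthorizationManager (example code, not the post's own).
// Wire it in exactly like the original:
//   host.Authorization.ServiceAuthorizationManager = new BasicAuthorizationManager();
public class BasicAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed sample user store for this example; a real service would keep salted password hashes.
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>
    {
        { "fangxing", "123" }
    };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var ctx = WebOperationContext.Current;
        string auth = ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization];

        string user, password;
        if (TryParseBasic(auth, out user, out password) && IsValidUser(user, password))
            return true;

        // 401 plus a challenge tells the client which scheme to use; 405 would claim the HTTP verb is unsupported.
        ctx.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
        ctx.OutgoingResponse.Headers[HttpResponseHeader.WwwAuthenticate] = "Basic realm=\"TaskService\"";
        return false;
    }

    // Parses "Basic <base64(user:password)>"; returns false for a missing, malformed or non-Basic header.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        byte[] raw;
        try { raw = Convert.FromBase64String(header.Substring(6).Trim()); }
        catch (FormatException) { return false; }
        string decoded = Encoding.UTF8.GetString(raw);
        int sep = decoded.IndexOf(':');
        if (sep < 1) return false;   // user-id is required and may not contain ':' (RFC 7617)
        user = decoded.Substring(0, sep);
        password = decoded.Substring(sep + 1);
        return true;
    }

    public static bool IsValidUser(string user, string password)
    {
        string expected;
        if (!Users.TryGetValue(user, out expected)) return false;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(password));
    }

    // Compares every byte regardless of where the first mismatch is, so response time
    // does not leak how much of the password was right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Basic credentials are only base64-encoded, not encrypted, so this still depends on HTTPS (transport security, the only mode available to REST WCF). On the client, the same Microsoft.Http.HttpClient call from above works unchanged apart from the header value: client.DefaultHeaders.Add("Authorization", "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("fangxing:123"))).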
This verification approach is also the prototype of Windows Azure Access Control, except that there the authorization service is a dedicated service:
1. The client first obtains a token from the token-issuing service;
2. The client submits the token to the current service;
3. The server passes the client's token to the token-issuing service for verification.
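To make the three steps concrete, here is an added example of that flow in C# (not code from the original post, and not Windows Azure Access Control's implementation): a hypothetical TokenIssuer signs "user|expiry" with HMAC-SHA256 under a key only it holds (step 1), the client sends the token as Authorization: Bearer <token> (step 2), and a TokenAuthorizationManager, the same ServiceAuthorizationManager hook used above, hands the token back to the issuer for verification (step 3). For brevity the issuer is called in-process; in the scheme described above it would be a separate service reached over HTTPS. The class names and the token format are assumptions of the example.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

// Hypothetical token-issuing service (example code, not from the post).
// Token format assumed here: "user|unixExpiry|base64(HMAC-SHA256(user|unixExpiry))".
public class TokenIssuer
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private readonly byte[] key;   // known only to the issuer; the task service never sees it

    public TokenIssuer(byte[] key) { this.key = key; }

    // Step 1: after the client has authenticated with the issuer, hand it a signed, time-limited token.
    public string Issue(string user, TimeSpan lifetime)
    {
        if (string.IsNullOrEmpty(user) || user.IndexOf('|') >= 0)
            throw new ArgumentException("user must be non-empty and must not contain '|'");
        long expiry = (long)(DateTime.UtcNow + lifetime - Epoch).TotalSeconds;
        string payload = user + "|" + expiry.ToString(CultureInfo.InvariantCulture);
        return payload + "|" + Convert.ToBase64String(Sign(payload));
    }

    // Step 3: the task service hands a presented token back. Only a valid signature AND an
    // unexpired timestamp are accepted; the user name is trusted only after the signature check.
    public bool Validate(string token, out string user)
    {
        user = null;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('|');
        if (parts.Length != 3) return false;
        long expiry;
        if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out expiry)) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }
        byte[] expected = Sign(parts[0] + "|" + parts[1]);
        if (!FixedTimeEquals(expected, presented)) return false;
        if ((long)(DateTime.UtcNow - Epoch).TotalSeconds >= expiry) return false;
        user = parts[0];
        return true;
    }

    private byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Step 2, service side: the same ServiceAuthorizationManager hook that the factory above installs,
// now reading "Authorization: Bearer <token>" and delegating the check to the issuer.
public class TokenAuthorizationManager : ServiceAuthorizationManager
{
    private readonly TokenIssuer issuer;
    public TokenAuthorizationManager(TokenIssuer issuer) { this.issuer = issuer; }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var ctx = WebOperationContext.Current;
        string auth = ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization] ?? "";
        string user;
        if (auth.StartsWith("Bearer ", StringComparison.Ordinal) && issuer.Validate(auth.Substring(7), out user))
            return true;   // 'user' could now be attached to a custom principal for the operation

        ctx.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
        ctx.OutgoingResponse.Headers[HttpResponseHeader.WwwAuthenticate] = "Bearer realm=\"TaskService\"";
        return false;
    }
}

// Client side (Microsoft.Http.HttpClient as in the post): obtain the token once, then send it on each call.
//   string token = /* body of the issuer's login response */;
//   client.DefaultHeaders.Add("Authorization", "Bearer " + token);
```

Because the task service never holds the signing key, it cannot mint tokens itself and must ask the issuer, which is exactly step 3. The expiry keeps a captured token from being replayed indefinitely, but, as with the fixed string, the token is still a bearer credential and must travel over HTTPS.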
Source code download: http://download.csdn.net/download/fangxinggood/3686322
[REST WCF series]
RESTful WCF Services (1) (Getting Started)
RESTful WCF Services (2) (Implementing Add, Delete, Modify and Query)
RESTful WCF Services (3) (Raw Stream)
RESTful WCF Services (4) (Basic Security)
RESTful WCF Services (Instance) (Concurrent Synchronization Service SyncService)