IssueVision Study Notes (1): Using SoapHeader to Pass Custom Authentication Data for Web Services
YellowWee(端木柒) · 2004-06-07 · via 博客园 - YellowWee(端木柒)

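When calling Web Services, authentication is often required so that only users who pass verification can call the methods in your Web Services. You could of course add parameters to every Web services method that needs the custom authentication scheme, but that takes a great deal of effort. IssueVision uses a very common, effective and convenient approach: using SoapHeader to pass the custom authentication data.

SoapHeader provides a way to pass data to or from a Web services method when that data is not directly related to the primary function of the method. Instead of adding parameters to every Web services method that needs the custom authentication scheme, you can apply a SoapHeaderAttribute that references a class derived from SoapHeader to each Web services method. The implementation of the class derived from SoapHeader handles the custom authentication scheme. IssueVision relies on exactly this capability of SoapHeader to pass its custom authentication data.

Let's look at how to use SoapHeader to pass data.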

    

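1. First, define in the service a class derived from SoapHeader that represents the data passed in the SOAP header.
IssueVision carries out this first step by creating the CredentialSoapHeader class in the IssueVisionWeb project (the project that publishes the Web Services).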

CredentialSoapHeader.cs

using System.Web.Services.Protocols;

namespace IssueVision.Web
{
 public class CredentialSoapHeader : SoapHeader
 {
  private string m_username;
  private string m_password;

  public string Username
  {
   get{ return m_username;}

   set{ m_username = value;}
  }

  public string Password
  {
   get{ return m_password;}

   set{ m_password = value;}
  }
 }
}

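2. Declare a public field of the service as that type, so that the SoapHeader is exposed in the public contract of the Web Services and can be used by the client when the proxy is created.

IssueVision's Web Services, IssueVisionServices.asmx, does it this way.

IssueVisionServices.asmx code snippet: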

public class IssueVisionServices : WebService
 {
  ...
  private CredentialSoapHeader m_credentials;

  // custom SOAP header to pass credentials
  public CredentialSoapHeader Credentials
  {
     get { return m_credentials; }
     set { m_credentials = value; }
  }
  .......
}

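3. In the Web Services, use the SoapHeader custom attribute to define a set of associated headers that every WebMethod in the service can use. (By default a header is required, but optional headers can also be defined.)

IssueVisionServices.asmx code snippet: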

  ....
  [WebMethod(Description="Returns the lookup tables for IssueVision.")]
  [SoapHeader("Credentials")]
  public IVDataSet GetLookupTables()
  {
   SecurityHelper.VerifyCredentials(this);
   return new IVData().GetLookupTables();
  }

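The VerifyCredentials method of the SecurityHelper class obtains the custom authentication credentials (such as the user name and password) from the SoapHeader class in the Web Services.

SecurityHelper.cs code snippet: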

  // verifies the clients credentials
  public static void VerifyCredentials(IssueVisionServices service)
  {
   // if no credentials were supplied, throw a SoapException so that the Web Method cannot be called anonymously
   if (service.Credentials == null || service.Credentials.Username == null || service.Credentials.Password == null)
   {
    EventLogHelper.LogFailureAudit("A login was attempted with missing credential information.");
    throw new SoapException(string.Empty, SoapException.ClientFaultCode, "Security");
   }

   string password = Authenticate(service.Credentials);
  }

  // authenticates a user's credentials passed in a custom SOAP header
  private static string Authenticate( CredentialSoapHeader header)
  {
   DataSet dataSet = new DataSet();
   string dbPasswordHash;

   try
   {
    SqlConnection conn = new SqlConnection(Common.ConnectionString);
    SqlCommand cmd = new SqlCommand("GetUser", conn);
    cmd.Parameters.Add("@UserName", header.Username);
    cmd.CommandType = CommandType.StoredProcedure;
    SqlDataAdapter da = new SqlDataAdapter(cmd);
    da.Fill(dataSet);
   }
   catch (Exception ex)
   {
    EventLogHelper.LogFailureAudit(string.Format("The GetUser stored procedure encounted a problem: {0}", ex.ToString()));
    throw new SoapException(string.Empty, SoapException.ServerFaultCode, "Database");
   }
   
   // does the user exist?
   if (dataSet.Tables[0].Rows.Count == 0)
   {
    EventLogHelper.LogFailureAudit(string.Format("The username {0} does not exist.", header.Username));
    throw new SoapException(string.Empty, SoapException.ClientFaultCode, "Security");
   }
   else
   {
    // we found the user, verify the password hash by compare the Salt + PasswordHash
    DataRow dataRow = dataSet.Tables[0].Rows[0];
    dbPasswordHash = (string)dataRow["PasswordHash"];
    string dbPasswordSalt = (string)dataRow["PasswordSalt"];

    // create a hash based on the user's salt and the input password
    string passwordHash = HashString(dbPasswordSalt + header.Password);

    // does the computed hash match the database hash?
    if (string.Compare(dbPasswordHash, passwordHash) != 0)
    {
     EventLogHelper.LogFailureAudit(string.Format("The password for the username {0} was incorrect.", header.Username));
     throw new SoapException(string.Empty, SoapException.ClientFaultCode, "Security");
    }
   }
   
   return dbPasswordHash;
}

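4. Finally, before calling a method that requires the header, the client sets the header directly on the proxy class.

The WebServicesLayer class on IssueVision's SmartClient side calls this Web Service.

WebServicesLayer.cs code snippet: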

  private static IssueVisionServices GetWebServiceReference(string username, string password)
  {
   IssueVisionServices dataService = new IssueVisionServices();
   
   //<ReplaceWithWse>
   CredentialSoapHeader header = new CredentialSoapHeader();
   header.Username = username;
   header.Password = password;
   dataService.CredentialSoapHeaderValue = header;
   //</ReplaceWithWse>
   
   InitWebServiceProxy(dataService);
   
   return dataService;
}

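With the steps above, custom authentication for Web Services is complete. IssueVision contains many more related operations, but since this post only discusses how SoapHeader is used, they are not listed here.
That is as far as my own knowledge goes; discussion and new ideas are welcome.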
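
The Authenticate method in step 3 compares a salted hash with string.Compare, and HashString is not shown on the page. As an added example (not IssueVision code and not part of the original post), here is one way to perform that check with a slow key-derivation function and a fixed-time comparison. CredentialVerifier, StoredCredential, the iteration count and the sample passwords are assumptions, and the code requires .NET 6 or later.

```csharp
#nullable enable
// Added example, not IssueVision code. All type and member names are hypothetical.
using System;
using System.Security.Cryptography;

// What the user table would hold instead of PasswordSalt + PasswordHash strings.
public sealed record StoredCredential(byte[] Salt, byte[] Hash, int Iterations);

public static class CredentialVerifier
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int DefaultIterations = 600_000; // assumed work factor

    // Verified against when the user name is unknown, so that path does the same work.
    private static readonly StoredCredential Dummy = Create("constructed-dummy-password");

    public static StoredCredential Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, DefaultIterations, HashAlgorithmName.SHA256, HashSize);
        return new StoredCredential(salt, hash, DefaultIterations);
    }

    // stored == null means "no such user"; the caller gets false in both failure cases.
    public static bool Verify(StoredCredential? stored, string? password)
    {
        StoredCredential target = stored ?? Dummy;
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password ?? string.Empty, target.Salt, target.Iterations,
            HashAlgorithmName.SHA256, HashSize);
        // Compares every byte regardless of where the first mismatch is.
        bool match = CryptographicOperations.FixedTimeEquals(candidate, target.Hash);
        return stored != null && match;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data.
        StoredCredential alice = CredentialVerifier.Create("constructed-sample-pw");
        Console.WriteLine(CredentialVerifier.Verify(alice, "constructed-sample-pw")); // correct password
        Console.WriteLine(CredentialVerifier.Verify(alice, "wrong-guess"));           // wrong password
        Console.WriteLine(CredentialVerifier.Verify(null, "constructed-sample-pw"));  // unknown user
    }
}
```

Because Username and Password travel as plain elements inside the SOAP header, a check like this protects the stored hashes only; the request itself still needs HTTPS to keep the credentials confidential in transit.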

CopyRight © YellowWee 2004. All Right Reserved.