Build Secure Web Services With SOAP Headers and Extensions
原文如下:
文章详细说明了 SoapHeader 的两种使用方式。但文中的验证只是把用户名和口令放进 SOAP 头里随每次调用发送，没有 TLS 时几乎等同于明文传送，而且对重放没有任何防护。所以除了传输层加密之外，我认为还必须对消息 body 加上签名（例如用共享密钥计算的 HMAC）。
// Read the "sign" request header: the per-message body signature this post proposes
// adding next to the SoapHeader credentials (null if the client omitted the header,
// so check it before trying to verify).
string sign = HttpContext.Current.Request.Headers["sign"];
有了文章的内容，再加上上面这一句读取签名头的代码，我就可以改造自己的服务了。
摘录我最想要的Extensions部分。
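<%@ WebService Language="C#" Class="QuoteService" %>

using System;
using System.Web.Services;
using System.Web.Services.Protocols;

/// <summary>
/// Demo ASMX service that returns a fixed price for two symbols. Every call must
/// carry an <see cref="AuthHeader"/>; <see cref="AuthExtension"/> checks it before
/// the method body runs.
/// </summary>
[WebService(Name = "Quote Service",
            Description = "Provides instant stock quotes to registered users")]
public class QuoteService
{
    /// <summary>Deserialized credentials header, filled in by the SOAP stack.</summary>
    public AuthHeader Credentials;

    /// <summary>Returns the current price for <paramref name="symbol"/> (case-insensitive).</summary>
    /// <param name="symbol">Ticker symbol; only "msft" and "intc" are known.</param>
    /// <returns>55.0 for MSFT, 32.0 for INTC.</returns>
    /// <exception cref="SoapException">Client fault "Unrecognized symbol" for any
    /// other value, including null.</exception>
    [AuthExtension]
    [SoapHeader("Credentials", Required = true)]
    [WebMethod(Description = "Returns the current stock price")]
    public decimal GetQuote(string symbol)
    {
        // Ordinal comparison instead of ToLower(): culture-independent and null-safe.
        // A null symbol used to surface as a NullReferenceException instead of the
        // documented client fault.
        if (string.Equals(symbol, "msft", StringComparison.OrdinalIgnoreCase))
        {
            return 55.0m;
        }
        if (string.Equals(symbol, "intc", StringComparison.OrdinalIgnoreCase))
        {
            return 32.0m;
        }
        throw new SoapException("Unrecognized symbol", SoapException.ClientFaultCode);
    }
}

/// <summary>
/// Credentials carried in the SOAP header. They travel in the clear inside the
/// envelope: without TLS on the transport they are readable on the wire.
/// </summary>
public class AuthHeader : SoapHeader
{
    public string UserName;
    public string Password;
}

/// <summary>Marks a web method as protected by <see cref="AuthExtension"/>.</summary>
[AttributeUsage(AttributeTargets.Method)]
public class AuthExtensionAttribute : SoapExtensionAttribute
{
    private int _priority = 1;

    /// <summary>Relative order among SOAP extensions on the same method.</summary>
    public override int Priority
    {
        get { return _priority; }
        set { _priority = value; }
    }

    public override Type ExtensionType
    {
        get { return typeof(AuthExtension); }
    }
}

/// <summary>
/// SOAP extension that rejects a call unless its <see cref="AuthHeader"/> carries
/// valid credentials. It checks a static user name/password on every call, so it
/// offers no replay protection and relies entirely on the transport (TLS) for
/// confidentiality of the header.
/// </summary>
public class AuthExtension : SoapExtension
{
    // Demo-only credentials. A real service must look the user up in a store and
    // verify a salted password hash; never ship hard-coded secrets.
    private const string DemoUserName = "jeff";
    private const string DemoPassword = "imbatman";

    /// <summary>
    /// Validates the credentials once the request has been deserialized; all other
    /// stages pass through untouched.
    /// </summary>
    /// <exception cref="SoapException">Client fault "Unauthorized" when the header is
    /// missing or its credentials are wrong.</exception>
    public override void ProcessMessage(SoapMessage message)
    {
        if (message.Stage != SoapMessageStage.AfterDeserialize)
        {
            return;
        }

        foreach (SoapHeader header in message.Headers)
        {
            AuthHeader credentials = header as AuthHeader;
            if (credentials == null)
            {
                continue;
            }

            if (IsValid(credentials))
            {
                return; // allow the call to execute
            }

            // The first AuthHeader decides; a second copy must not get another try.
            break;
        }

        // Either no AuthHeader was present or it held invalid credentials.
        throw new SoapException("Unauthorized", SoapException.ClientFaultCode);
    }

    /// <summary>True when <paramref name="credentials"/> match the demo account.</summary>
    private static bool IsValid(AuthHeader credentials)
    {
        // Omitted XML elements deserialize to null; ToLower() on them used to throw a
        // NullReferenceException. Treat them as a failed login instead.
        if (credentials.UserName == null || credentials.Password == null)
        {
            return false;
        }

        // User names stay case-insensitive as before. The original also lower-cased
        // the password, which silently weakens it; the password must match exactly.
        // (string.Equals is not constant-time; use a fixed-time comparison once the
        // secret comes from a real store.)
        return string.Equals(credentials.UserName, DemoUserName, StringComparison.OrdinalIgnoreCase)
            && string.Equals(credentials.Password, DemoPassword, StringComparison.Ordinal);
    }

    // No per-service initialization state is needed; the extension type itself is
    // handed back and ignored by Initialize.
    public override object GetInitializer(Type type)
    {
        return GetType();
    }

    public override object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
    {
        return null;
    }

    public override void Initialize(object initializer)
    {
    }
}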