如何保证Web Service的安全——通过SoapHeader来增强Web Service的安全性

1. Web Service的实现步骤

(1)定义自己的SoapHeader派生类

 

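/// <summary>
/// Custom SOAP header that carries the caller's credentials. The ASMX runtime
/// fills the public properties from the incoming header, so UserID and PassWord
/// must stay public with both a getter and a setter.
/// </summary>
public class MySoapHeader : System.Web.Services.Protocols.SoapHeader
{
    /// <summary>
    /// One message for every rejection, so a caller cannot tell a disabled
    /// account from a wrong password. The text is returned to the client as is.
    /// </summary>
    private const string AccessDeniedMessage =
        "对不起,你无权调用此Web服务,可能有如下原因:\n 1.您的帐号被管理员禁用。\n 2.您的帐号密码不正确";

    private string _UserID = string.Empty;
    private string _PassWord = string.Empty;

    /// <summary>
    /// Parameterless constructor; kept public because SOAP header types are
    /// created by the serializer on the receiving side.
    /// </summary>
    public MySoapHeader()
    {
    }

    /// <summary>
    /// Creates a header pre-filled with the given credentials.
    /// </summary>
    /// <param name="nUserID">User ID.</param>
    /// <param name="nPassWord">Password (described by the original author as "encrypted"; the check below compares it literally).</param>
    public MySoapHeader(string nUserID, string nPassWord)
    {
        Initial(nUserID, nPassWord);
    }

    #region Properties

    /// <summary>
    /// User name.
    /// </summary>
    public string UserID
    {
        get { return _UserID; }
        set { _UserID = value; }
    }

    /// <summary>
    /// Password as sent in the header.
    /// </summary>
    public string PassWord
    {
        get { return _PassWord; }
        set { _PassWord = value; }
    }

    #endregion

    #region Methods

    /// <summary>
    /// Stores both credentials through the public properties.
    /// </summary>
    /// <param name="nUserID">User ID.</param>
    /// <param name="nPassWord">Password.</param>
    private void Initial(string nUserID, string nPassWord)
    {
        UserID = nUserID;
        PassWord = nPassWord;
    }

    /// <summary>
    /// Checks the supplied credentials.
    /// </summary>
    /// <param name="nUserID">User ID.</param>
    /// <param name="nPassWord">Password.</param>
    /// <param name="nMsg">Empty when accepted; otherwise the message returned to the caller.</param>
    /// <returns>true when the credentials are accepted.</returns>
    /// <remarks>
    /// The "admin"/"admin" pair is a tutorial placeholder: a real service looks
    /// the user up in a credential store and keeps the stored password as a
    /// salted hash rather than a literal in source. The comparison is explicitly
    /// ordinal and null-safe. The original try/catch is gone: string comparison
    /// cannot throw, and a bare catch only hides real faults.
    /// </remarks>
    private bool IsValid(string nUserID, string nPassWord, out string nMsg)
    {
        bool accepted =
            string.Equals(nUserID, "admin", System.StringComparison.Ordinal) &&
            string.Equals(nPassWord, "admin", System.StringComparison.Ordinal);

        nMsg = accepted ? "" : AccessDeniedMessage;
        return accepted;
    }

    /// <summary>
    /// Checks the credentials currently held by this header.
    /// </summary>
    /// <param name="nMsg">Empty when accepted; otherwise the rejection message.</param>
    /// <returns>true when the credentials are accepted.</returns>
    public bool IsValid(out string nMsg)
    {
        return IsValid(_UserID, _PassWord, out nMsg);
    }

    #endregion
}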

 

(2)添加基于SoapHeader验证的Web Service接口方法

 

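/// <summary>
/// 7.7.1 Securing a Web Service with a SoapHeader.
/// </summary>
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ToolboxItem(false)]
public class WebService_Soap : System.Web.Services.WebService
{
    /// <summary>
    /// SOAP header instance. Kept as a public field so [SoapHeader("myHeader")]
    /// can bind the incoming header to it.
    /// </summary>
    public MySoapHeader myHeader = new MySoapHeader();

    /// <summary>
    /// Rejection message used by ValidateIP; returned to the client as is.
    /// </summary>
    private const string IpNotPermittedMessage = "调用Web服务的客户端IP未被允许,无法访问!";

    /// <summary>
    /// Checks whether the calling client's address is on the permit list for
    /// the given user. Nothing in this class calls it yet — GetProductPrice2
    /// relies on the header credential check alone.
    /// </summary>
    /// <param name="UserID">Numeric user id used to look up the permitted addresses.</param>
    /// <param name="exceptionInfo">Empty when allowed; otherwise the rejection message.</param>
    /// <returns>true when the client's address is on the list.</returns>
    /// <remarks>
    /// UserHostAddress is the address of the immediate peer. Behind a reverse
    /// proxy or load balancer that is the proxy's own address, so every client
    /// would look the same — confirm the deployment topology before relying on it.
    /// </remarks>
    private bool ValidateIP(int UserID, out string exceptionInfo)
    {
        string uip = HttpContext.Current.Request.UserHostAddress;
        Common dal = new Common();
        List<string> ips = dal.GetPermitIp(UserID);

        // A missing or empty permit list denies everyone rather than allowing everyone.
        bool allowed = ips != null && ips.Contains(uip);
        exceptionInfo = allowed ? "" : IpNotPermittedMessage;
        return allowed;
    }

    /// <summary>
    /// Plain method: no SoapHeader check.
    /// </summary>
    /// <param name="ProductId">Product number to look up.</param>
    /// <returns>The price as returned by Products.GetPrice.</returns>
    [WebMethod(Description = "根据产品编号查询产品的价格")]
    public string GetProductPrice(string ProductId)
    {
        Products pro = new Products();
        return pro.GetPrice(ProductId);
    }

    /// <summary>
    /// Same lookup, but only after the credentials in the SOAP header pass.
    /// </summary>
    /// <param name="ProductId">Product number to look up.</param>
    /// <returns>The price, or the rejection message when the header check fails.</returns>
    /// <remarks>
    /// If the client omits the header, myHeader may be null; an empty default
    /// header is checked instead of dereferencing it, and fails like any other
    /// bad login. On failure the message is returned in place of the price, as
    /// the original did — a SoapException would let clients tell the two apart.
    /// The credentials travel in clear text inside the envelope, so the endpoint
    /// needs HTTPS.
    /// </remarks>
    [SoapHeader("myHeader")]
    [WebMethod(Description = "根据产品编号查询产品的价格", EnableSession = true)]
    public string GetProductPrice2(string ProductId)
    {
        MySoapHeader header = myHeader ?? new MySoapHeader();

        string msg;
        if (!header.IsValid(out msg))
        {
            return msg; // rejection message instead of a price
        }

        Products pro = new Products();
        return pro.GetPrice(ProductId);
    }
}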

 

完整代码:

 

完整代码

 

(3)客户端调用具有SoapHeader的Web Service

 

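protected void Page_Load(object sender, EventArgs e)
{
    // The generated proxy is IDisposable; release its connection when the call is done.
    using (ProductServiceSoap.WebService_Soap service = new ProductServiceSoap.WebService_Soap())
    {
        // Header carrying the credentials; the proxy attaches it to the call.
        ProductServiceSoap.MySoapHeader header = new ProductServiceSoap.MySoapHeader();

        // Tutorial values. Real credentials belong in protected configuration,
        // not in source, and the service URL should be HTTPS because the header
        // is otherwise sent in clear text.
        header.UserID = "admin";
        header.PassWord = "admin";
        service.MySoapHeaderValue = header;

        // Invoke the header-protected method.
        string strPrice = service.GetProductPrice2("001");
    }
}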