ASP.NET Security Implementation: Access Control

  • 2021-07-26 07:22:08
  • OfStack

1. Overview:

A Web Service is an online application service that an enterprise publishes to meet a specific business need; other companies or applications can reach and use it over the Internet. Each client application accesses the Web Service through network protocols and standard data formats (HTTP, XML, SOAP) and obtains the desired result from the service's internal execution. Because the service is reachable over the Internet, any network user can call it, and that is a security problem: restricting who may access a web service is an important question for anyone who deploys one. Two schemes for solving this problem are given below, from the simple to the more thorough.

2. Simple method based on the "SoapHeader" feature

1. Overview of SoapHeader

A SOAP header provides a way to pass data to or from an XML Web service method when that data is not directly related to the method's main functionality. It is most often used to carry user authentication information, although it can do far more than that, as practical use will reveal.

2. Implementing user authentication with SoapHeader


using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace UserCenter
{
  // Custom SOAP header that carries the caller's credentials.
  public class MySoapHeader : SoapHeader
  {
    public string UserName { get; set; }
    public string PWD { get; set; }
  }

  /// <summary>
  /// Summary description for MyMath
  /// </summary>
  [WebService(Namespace = "http://tempuri.org/")]
  [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
  [System.ComponentModel.ToolboxItem(false)]
  // To allow this Web Service to be called from script using ASP.NET AJAX, uncomment the following line.
  // [System.Web.Script.Services.ScriptService]
  public class MyMath : System.Web.Services.WebService
  {
    // Filled in by the SOAP stack from the incoming request header before the method body runs.
    public MySoapHeader sHeader;

    [WebMethod]
    public string HelloWorld()
    {
      return "Hello World";
    }

    // The credential check is written inline, inside the business method itself.
    [WebMethod]
    [SoapHeader("sHeader")]
    public string add(int x, int y)
    {
      // The null check keeps a request without the header from failing with a NullReferenceException.
      if (sHeader != null && sHeader.UserName == "test" && sHeader.PWD == "test")
      {
        return (x + y).ToString();
      }
      else
      {
        return null;
      }
    }
  }
}

3. Disadvantages:

(1) Service logic and permission-checking logic are mixed together, which makes the program harder to understand.
(2) The permission logic has low reusability.

3. Method based on the "SoapExtensionAttribute" feature

1. Overview of SoapExtensionAttribute and SoapExtension

The SoapExtension and SoapExtensionAttribute classes hook into the serialization and deserialization of a web service message, which makes them suitable for cross-cutting work such as compression, logging and, as here, access control.

2. Implementation code


using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace XMLClass1.class15.content
{
  // Marks a web method so that MyExtension runs for every call to it.
  [AttributeUsage(AttributeTargets.Method)]
  public class MyExtensionAttribute : SoapExtensionAttribute
  {
    int _priority = 1;

    public override int Priority
    {
      get { return _priority; }
      set { _priority = value; }
    }

    public override Type ExtensionType
    {
      get { return typeof(MyExtension); }
    }
  }

  public class MyExtension : SoapExtension
  {
    // This override is called four times per request, once for each SoapMessageStage:
    // BeforeSerialize, AfterSerialize, BeforeDeserialize and AfterDeserialize.
    public override void ProcessMessage(SoapMessage message)
    {
      if (message.Stage == SoapMessageStage.AfterDeserialize) // the request headers are available now
      {
        bool check = false;
        foreach (SoapHeader header in message.Headers)
        {
          if (header is MySoapHeader)
          {
            MySoapHeader myHeader = (MySoapHeader)header;
            // Both the user name and the password must match; joining the two
            // comparisons with || would accept any password for "admin".
            if (myHeader.Name == "admin" && myHeader.PassWord == "admin")
            {
              check = true;
              break;
            }
          }
        }
        // Rejecting here means the web method body is never reached.
        if (!check)
          throw new SoapHeaderException("Authentication failure", SoapException.ClientFaultCode);
      }
    }

    // No per-service or per-method initializer state is needed.
    public override Object GetInitializer(Type type)
    {
      return GetType();
    }

    public override Object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
    {
      return null;
    }

    public override void Initialize(Object initializer)
    {
    }
  }

  // Custom SOAP header that carries the caller's credentials.
  public class MySoapHeader : SoapHeader
  {
    string _name;
    string _passWord;

    public string Name
    {
      get { return _name; }
      set { _name = value; }
    }

    public string PassWord
    {
      get { return _passWord; }
      set { _passWord = value; }
    }
  }

  /// <summary>
  /// Summary description for headersoap2
  /// </summary>
  [WebService(Namespace = "http://tempuri.org/")]
  [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
  [System.ComponentModel.ToolboxItem(false)]
  // To allow this Web Service to be called from script using ASP.NET AJAX, uncomment the following line.
  // [System.Web.Script.Services.ScriptService]
  public class headersoap2 : System.Web.Services.WebService
  {
    public MySoapHeader header;

    // The attribute does the access check; the method contains only business logic.
    [WebMethod]
    [MyExtensionAttribute]
    [SoapHeader("header", Direction = SoapHeaderDirection.In)]
    public string CheckHeader()
    {
      // Business logic; only reached when MyExtension accepted the header.
      return "Something done";
    }
  }
}
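
Both listings above compare a hard-coded plaintext user name and password. The following hardened variant of the SoapExtension check is an added example, not code from the original article: it keeps the same ProcessMessage hook but verifies the password against a salted PBKDF2 hash with a constant-time comparison, and returns one generic fault whether the header is missing or the credentials are wrong. The class names CheckedHeaderAttribute and CheckedHeaderExtension, the salt and the stored password are assumptions constructed for this example; MySoapHeader is the Name/PassWord header class from the second listing, and .NET Framework 4 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Services.Protocols;

namespace XMLClass1.class15.content
{
  [AttributeUsage(AttributeTargets.Method)]
  public class CheckedHeaderAttribute : SoapExtensionAttribute
  {
    int _priority = 1;
    public override int Priority { get { return _priority; } set { _priority = value; } }
    public override Type ExtensionType { get { return typeof(CheckedHeaderExtension); } }
  }
  public class CheckedHeaderExtension : SoapExtension
  {
    // Constructed credential record for this example: a real service would load the salt and
    // the PBKDF2 hash for each user from configuration or a database instead of embedding them.
    static readonly byte[] Salt = { 0x3a, 0x9f, 0x11, 0xc4, 0x57, 0x02, 0xee, 0x81 };
    static readonly byte[] AdminHash = Derive("correct horse battery staple", Salt);
    static byte[] Derive(string password, byte[] salt)
    {
      using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }
    // No early exit, so the response time does not reveal which byte differed (no FixedTimeEquals in .NET Framework).
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
      int diff = a.Length ^ b.Length;
      for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
      return diff == 0;
    }
    // Both the user name and the password must match; joining them with || would accept any password.
    static bool Verify(string user, string password)
    {
      return user == "admin" && password != null && FixedTimeEquals(Derive(password, Salt), AdminHash);
    }
    public override void ProcessMessage(SoapMessage message)
    {
      if (message.Stage != SoapMessageStage.AfterDeserialize) return;
      MySoapHeader h = null;  // header class (Name/PassWord) from the second listing above
      foreach (SoapHeader header in message.Headers)
        if (header is MySoapHeader) { h = (MySoapHeader)header; break; }
      if (h == null || !Verify(h.Name, h.PassWord))  // same fault for a missing header and for wrong credentials
        throw new SoapHeaderException("Authentication failure", SoapException.ClientFaultCode);
    }
    public override object GetInitializer(Type serviceType) { return null; }
    public override object GetInitializer(LogicalMethodInfo methodInfo, SoapExtensionAttribute attribute) { return null; }
    public override void Initialize(object initializer) { }
  }
}
```

The hashing protects only the stored credential: the header itself still travels as plain XML, so the endpoint has to be served over HTTPS.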

