我拥有创建 ASP.net/WinForms 应用程序的经验,

提前感谢您阅读了新加入的文本块。 我的问题是设计而不是实际的编码问题。

我的目标是:

• Create a Web Service (using WCF) whose purpose is the management of tasks/todo lists
• The Web Service will allow users to register for an account, create new to do lists, share to do lists with other users etc
• After the Web Service is functional 和 everything is implemented I want to be able to layer an ASP.NET website on top of it 和 use the Web Service for the backend

目前,我有以下内容:

• 1 console application hosting the web service
• 1 console application (client) used to make to calls to the web service (I test my Web Service this way)

Web Service 应用程序有以下配置文件( 希望我能贴上) :

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <connectionStrings>
    <add name="Tasker_Server.Properties.Settings.TaskerConnectionString"
      connectionString="Data Source=PROPHETSQLEXPRESS;Initial Catalog=Tasker;Persist     Security Info=True;User ID=sa;Password=stf"
  providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.serviceModel>
    <services>
      <service name="Tasker_Server.TaskerService" behaviorConfiguration="TaskerServiceBehavior">
        <host>
          <baseAddresses>
             <add baseAddress="http://localhost:8000/TaskerTest/Service" />
          </baseAddresses>
        </host>
        <endpoint name="login" address="username" binding="wsHttpBinding"
              bindingConfiguration="Binding1"
              contract="Tasker_Server.ITasker" />
        <endpoint name="reg" address="reg" binding="wsHttpBinding"
              bindingConfiguration="Binding2"
              contract="Tasker_Server.Contracts.IRegister" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="Binding1" receiveTimeout="00:20:00">
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
        <binding name="Binding2">
          <security mode="None">
            <transport clientCredentialType="None" />
            <message establishSecurityContext="false" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="TaskerServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                customUserNamePasswordValidatorType="Tasker_Server.CustomValidator, Tasker_Server" />
            <serviceCertificate findValue="localhost"
                            storeLocation="LocalMachine"
                            storeName="My"
                            x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

我开始网络服务 像这样:

ServiceHost selfHost = new ServiceHost(typeof(TaskerService));

try {
    selfHost.Open();
    Console.WriteLine("Service is up... (press <ENTER> to terminate)");
    Console.ReadLine();

    selfHost.Close();
}
catch (CommunicationException ce) {
    Console.WriteLine("Exception: {0}", ce.Message);
    Console.ReadLine();
    selfHost.Abort();
}

目前我只有两份合同:

[ServiceContract(Namespace="http://Tasker_Server")]
public interface ITasker {
    [OperationContract]
    string CheckCredentials(string username, string password);
}

和

[ServiceContract(Namespace="http://Tasker_Register")]
public interface IRegister {
    [OperationContract]
    string RegisterUser(string username, string password, string email);
}

我试图做到的如下:

1. Offer an unsecured endpoint; clients can invoke this 和 register an account.
2. Offer a secured endpoint (I use UserName authentication with a custom UserNamePasswordValidator) through which users can "login" 和 invoke all the operations.

Both these things in my software work right now. I can register a new account through an unsecured endpoint 和 I can invoke the secure endpoint by providing the correct ClientCredentials in the client.

我的问题如下:

1. From what I underst和, by using UserName authentication, the Validation method in my custom validator will be called each time the client invokes a Web Service method (this means that a DB query will run each time to check the credentials as opposed to a website where you login once until your session expires). Is there something fundamentally wrong with doing things this way?

2. I thought of another possible way to manage this (和 in a way simulate how a website would work):

   • Use a secure endpoint (UserName authentication) only for an operation similar to a "login"
   • If the credentials are correct I create a new GUID, save it in memory 和 make an association between an username 和 that guid.
   • then all the operations will not require UserName authentication but will have an additional parameter (the GUID): if the GUID is in memory 和 associated with a user then the operation is permitted
   • The logout operation would destroy the GUID in memory.
   • I would assume that I can use SSL on top of this so that the GUID won t be sent in clear
   • does this defeat the purpose of Web Service security 和 I m just trying to reinvent the wheel?

哪种方法会更好?

<强度> 更新日期: 添加错误的配置文件。 它来自客户端而不是网络服务。 现在添加了正确的文件 。