Security Flow of a Web Service in ASP.NET

This post summarizes the security mechanisms of an ASP.NET Web service, covering the authentication and authorization flow. It explains how IIS handles an incoming SOAP request and how the client can be authenticated in different ways, and it also covers IP address restrictions, file authorization, and fine-grained authorization with .NET roles.
  1. The SOAP request is received from the network. This may or may not contain authentication credentials depending upon the type of authentication being used.
  2. IIS optionally authenticates the caller by using Basic, Digest, Integrated (NTLM or Kerberos), or Certificate authentication. (Basic authentication transmits the password only base64-encoded, so it should be used only over SSL.) In heterogeneous environments where IIS (Windows) authentication is not possible, IIS is configured for anonymous authentication. In this scenario, the client may be authenticated by using message-level attributes such as tickets passed in the SOAP header.
  3. IIS can also be configured to accept requests only from client computers with specific IP addresses.
  4. IIS passes the authenticated caller's Windows access token to ASP.NET (this may be the anonymous Internet user's access token, if the Web service is configured for anonymous authentication).
  5. ASP.NET authenticates the caller. If ASP.NET is configured for Windows authentication, no additional authentication occurs at this point; IIS authenticates the caller.

    If a non-Windows authentication method is being used, the ASP.NET authentication mode is set to None to allow custom authentication.

  6. ASP.NET authorizes access to the requested Web service (.asmx file) by using URL authorization and File authorization. File authorization uses the NTFS permissions on the .asmx file to determine whether the authenticated caller should be granted access.

    Note: File authorization is only supported for Windows authentication.

    For fine-grained authorization, .NET roles can also be used (either declaratively or programmatically) to ensure that the caller is authorized to access the requested Web method.

  7. Code within the Web service may access local and/or remote resources by using a particular identity. By default, ASP.NET Web services perform no impersonation and, as a result, the configured ASP.NET process account provides the identity. Alternate options include the original caller's identity, or a configured service identity.
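Steps 5 to 7 above, as an added example that is not part of the original guide: a hypothetical ASMX code-behind that uses a declarative PrincipalPermission demand, a programmatic role check, and per-call impersonation of the original caller for one resource access. It assumes IIS and ASP.NET are configured for Windows authentication (so the caller's identity is a WindowsIdentity), and the group names, service name and report path are invented for the example.

```csharp
using System;
using System.IO;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web.Services;

// Hypothetical code-behind for Orders.asmx (example code, not from the guide).
// Assumes Windows authentication, so Context.User.Identity is a WindowsIdentity
// and the role names below are Windows groups (assumed names).
[WebService(Namespace = "http://example.org/orders")]
public class OrdersService : WebService
{
    // Declarative gatekeeper: the runtime demands the role before the method
    // body runs. A caller outside the group gets a SecurityException, which is
    // returned to the client as a SOAP fault.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderApprovers")]
    public string ApproveOrder(int orderId)
    {
        return "approved " + orderId;
    }

    // Programmatic gatekeeper: an explicit role check inside the method, used
    // when the rule depends on the data (large orders need a stronger role).
    [WebMethod]
    public string SubmitOrder(int orderId, decimal amount)
    {
        IPrincipal caller = Context.User;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("anonymous callers are not allowed");

        string requiredRole = amount > 10000m ? @"CONTOSO\OrderManagers"
                                              : @"CONTOSO\OrderClerks";
        if (!caller.IsInRole(requiredRole))
            throw new UnauthorizedAccessException("caller is not in " + requiredRole);

        return "submitted " + orderId + " as " + caller.Identity.Name;
    }

    // Step 7: resource access. By default the ASP.NET process account is used.
    // Here the original caller's Windows token is impersonated only for the
    // duration of the file read, so the NTFS ACL on the report is checked
    // against the caller rather than the process account.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string ReadReport(string reportName)
    {
        WindowsIdentity callerIdentity = Context.User.Identity as WindowsIdentity;
        if (callerIdentity == null)
            throw new InvalidOperationException("Windows authentication is required for impersonation");

        // Assumed report directory; GetFileName strips any directory part the
        // client supplied, so "..\secret.txt" cannot escape the store.
        string path = Path.Combine(@"C:\Reports", Path.GetFileName(reportName));

        using (WindowsImpersonationContext ctx = callerIdentity.Impersonate())
        {
            return File.ReadAllText(path);
        } // Dispose calls Undo(), reverting to the process identity.
    }
}
```

The declarative demand runs before any of the method's code, so it is the cheapest place to reject callers; the programmatic check is the right tool when the required role depends on the request. Impersonation is scoped to a `using` block rather than enabled site-wide with `<identity impersonate="true"/>`, so only the report read runs as the caller and everything else keeps the process identity.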

The gatekeepers within an ASP.NET Web service are:

  • IIS
    • If IIS anonymous authentication is disabled, IIS only allows requests from authenticated users.
    • IP Address Restrictions

      IIS can be configured to only allow requests from computers with specific IP addresses.

  • ASP.NET
    • The File authorization HTTP Module (for Windows authentication only)
    • The URL authorization HTTP Module
    • Principal Permission Demands and Explicit Role Checks
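The ASP.NET gatekeepers above are configured in web.config. The following fragment is an added example, not configuration from the original guide: it shows Windows authentication (IIS authenticates, ASP.NET reuses the token), URL authorization that denies anonymous callers and admits only named groups, and impersonation left off so code runs as the process account. The group names and endpoint name are assumed.

```xml
<?xml version="1.0"?>
<!-- Hypothetical web.config for an intranet Web service (example, not from the
     guide). Group names and the Orders.asmx endpoint are assumed. -->
<configuration>
  <system.web>
    <!-- Step 5: IIS performs the authentication (Integrated, Basic, Digest or
         Certificate) and hands the Windows token to ASP.NET. For a custom
         SOAP-header ticket scheme on an anonymous site this would be
         mode="None" with the check done in code. -->
    <authentication mode="Windows" />

    <!-- URL authorization gatekeeper. Rules are evaluated top-down and the
         first match wins, so the order matters: reject anonymous callers ("?"),
         admit the named groups, then reject everyone else ("*"). The final
         deny is required because the machine-level default is allow users="*". -->
    <authorization>
      <deny users="?" />
      <allow roles="CONTOSO\OrderClerks,CONTOSO\OrderManagers,CONTOSO\OrderApprovers" />
      <deny users="*" />
    </authorization>

    <!-- Step 7: no impersonation, so resource access uses the ASP.NET process
         account. Setting impersonate="true" would make every resource access in
         the service run with the caller's token instead. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Tighter rule scoped to one endpoint: only approvers may reach it at all.
       File authorization still applies on top of this, using the NTFS ACL on
       Orders.asmx, because the authentication mode is Windows. -->
  <location path="Orders.asmx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="CONTOSO\OrderApprovers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A common misconfiguration is to write the `<allow>` rules without a trailing `<deny users="*"/>`; the inherited default then admits every authenticated user, which is the weak setting the explicit final deny corrects.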

Source:

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

http://msdn.microsoft.com/en-us/library/aa302390.aspx
