如何保证 Web Service 的安全 1

  • 通过 SoapHeader 来增强 Web Service 的安全性

通过SoapHeader我们可以让具有指定用户口令的用户来访问我们的Web服务接口。

1.Web Service实现步骤
(1)定义自己的SoapHeader派生类。

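/// <summary>
/// SOAP header that carries the caller's user ID and password to the web service.
/// </summary>
/// <remarks>
/// The public properties are what the ASMX runtime serializes into the SOAP
/// envelope, so both values are readable on the wire unless the endpoint is
/// reachable over HTTPS only. Nothing in this class encrypts or hashes the
/// password; it is compared exactly as the caller supplied it.
/// </remarks>
public class MySoapHeader : System.Web.Services.Protocols.SoapHeader
{
    // NOTE(review): sample account kept from the walkthrough so its client
    // snippet keeps working. A literal credential in source is readable by
    // anyone holding the assembly; replace it with a lookup against a salted
    // password-hash store before using this outside a demo.
    private const string SampleUserID = "admin";
    private const string SamplePassWord = "admin";

    // One denial text for every failure, so the response does not reveal
    // whether the user ID or the password was the part that did not match.
    private const string DeniedMessage = "对不起,你无权调用此Web服务。";

    private string _UserID = string.Empty;
    private string _PassWord = string.Empty;

    /// <summary>
    /// Creates a header with empty credentials (needed for deserialization).
    /// </summary>
    public MySoapHeader()
    {
    }

    /// <summary>
    /// Creates a header populated with the given credentials.
    /// </summary>
    /// <param name="nUserID">User ID.</param>
    /// <param name="nPassWord">Password as the caller supplies it.</param>
    public MySoapHeader(string nUserID, string nPassWord)
    {
        Initial(nUserID, nPassWord);
    }

    #region Properties
    /// <summary>
    /// User ID sent by the caller.
    /// </summary>
    public string UserID
    {
        get { return _UserID; }
        set { _UserID = value; }
    }

    /// <summary>
    /// Password sent by the caller.
    /// </summary>
    public string PassWord
    {
        get { return _PassWord; }
        set { _PassWord = value; }
    }
    #endregion

    #region Methods
    /// <summary>
    /// Stores the supplied credentials in the header.
    /// </summary>
    /// <param name="nUserID">User ID.</param>
    /// <param name="nPassWord">Password as the caller supplies it.</param>
    private void Initial(string nUserID, string nPassWord)
    {
        UserID = nUserID;
        PassWord = nPassWord;
    }

    /// <summary>
    /// Compares two strings without stopping at the first differing character.
    /// </summary>
    /// <param name="supplied">Value received from the caller; may be null.</param>
    /// <param name="expected">Value it must equal.</param>
    /// <returns>True only when both are non-null and identical.</returns>
    private static bool SameText(string supplied, string expected)
    {
        if (supplied == null || expected == null)
        {
            return false;
        }

        // Fold the length difference and every character difference into one
        // accumulator; the loop length depends on the shorter string only.
        int diff = supplied.Length ^ expected.Length;
        for (int i = 0; i < supplied.Length && i < expected.Length; i++)
        {
            diff |= supplied[i] ^ expected[i];
        }
        return diff == 0;
    }

    /// <summary>
    /// Checks a user ID / password pair against the accepted account.
    /// </summary>
    /// <param name="nUserID">User ID.</param>
    /// <param name="nPassWord">Password as the caller supplies it.</param>
    /// <param name="nMsg">Empty on success; the denial text on failure.</param>
    /// <returns>True when both values match; otherwise false.</returns>
    private bool IsValid(string nUserID, string nPassWord, out string nMsg)
    {
        // Both fields are always compared (non-short-circuit '&'), so a wrong
        // user ID and a wrong password take the same path. The former
        // catch-all block is gone: it could only hide unexpected failures.
        bool userMatches = SameText(nUserID, SampleUserID);
        bool passwordMatches = SameText(nPassWord, SamplePassWord);

        if (userMatches & passwordMatches)
        {
            nMsg = "";
            return true;
        }

        nMsg = DeniedMessage;
        return false;
    }

    /// <summary>
    /// Checks the credentials currently held by this header.
    /// </summary>
    /// <param name="nMsg">Empty on success; the denial text on failure.</param>
    /// <returns>True when the stored credentials are accepted.</returns>
    public bool IsValid(out string nMsg)
    {
        return IsValid(_UserID, _PassWord, out nMsg);
    }
    #endregion
}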
(2)添加基于SoapHeader验证的Web Service接口方法:

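/// <summary>
/// Product price web service that shows a SoapHeader credential check on one of its methods.
/// </summary>
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ToolboxItem(false)]
public class WebService_Soap : System.Web.Services.WebService
{
    // Receives the incoming header; the name passed to [SoapHeader("myHeader")]
    // below refers to this member.
    public MySoapHeader myHeader = new MySoapHeader();

    /// <summary>
    /// Returns the price for a product number without any credential check.
    /// </summary>
    /// <param name="ProductId">Product number to look up.</param>
    /// <returns>Whatever Products.GetPrice returns for that number.</returns>
    // NOTE(review): this performs the same lookup as GetProductPrice2 with no
    // header check, so as written the check below restricts nothing a caller
    // cannot already get here. Remove or protect this method if the price
    // data is meant to be limited to authenticated callers.
    [WebMethod(Description = "根据产品编号查询产品的价格")]
    public string GetProductPrice(string ProductId)
    {
        Products pro = new Products();
        return pro.GetPrice(ProductId);
    }

    /// <summary>
    /// Returns the price for a product number after validating the SOAP header credentials.
    /// </summary>
    /// <param name="ProductId">Product number to look up.</param>
    /// <returns>
    /// The price on success; the denial text from MySoapHeader.IsValid when the
    /// credentials are rejected.
    /// </returns>
    // NOTE(review): the denial text comes back in the same string slot as a
    // price, so a client has to compare the value to tell them apart; a SOAP
    // fault would be unambiguous. Left as is to keep the existing contract.
    // EnableSession is set but session state is not read in this method.
    [SoapHeader("myHeader")]
    [WebMethod(Description="根据产品编号查询产品的价格", EnableSession = true)]
    public string GetProductPrice2(string ProductId)
    {
        // Fail closed: should the member be null when a request arrives
        // without the header (TODO confirm runtime behaviour), validate an
        // empty header instead of dereferencing null, which is rejected.
        MySoapHeader header = myHeader ?? new MySoapHeader();

        string msg;
        if (!header.IsValid(out msg))
        {
            return msg;
        }

        Products pro = new Products();
        return pro.GetPrice(ProductId);
    }
}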
2.客户端调用具有SoapHeader的Web Service

// Proxy class generated for the web service.
var service = new ProductServiceSoap.WebService_Soap();

// Credentials travel in the SOAP header of every call made through this proxy.
// "admin"/"admin" are the walkthrough's sample values; real callers should load
// them from protected configuration and point the proxy at an HTTPS URL.
var header = new ProductServiceSoap.MySoapHeader
{
    PassWord = "admin",
    UserID = "admin"
};
service.MySoapHeaderValue = header;

// Call the method that validates the header before returning the price.
string strPrice = service.GetProductPrice2("001");



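通过SoapHeader对用户口令进行验证后,只有提供了正确口令的用户才可以使用该接口。需要注意的是,SoapHeader中的用户名和口令会随SOAP消息原样传输,因此这种方式应当配合HTTPS使用;示例中写死的admin/admin仅用于演示,而未加验证的GetProductPrice方法仍然可以被任何人调用。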
