I've built an application that uses jQuery and JSON to consume an ASP.NET .asmx web service to perform CRUD operations. The application and the .asmx are on the same domain. I don't mind people consuming the read operations of the .asmx remotely, but I don't want people randomly deleting stuff!
I can split the methods I'd like to be publicly accessible and the 'hidden' ones into two web services. How can I lock calls to the 'hidden' .asmx web service to the same domain that it's hosted in?
Thanks in advance.
Edit: Can someone comment on this? It seems plausible (source: http://www.slideshare/simon/web-security-horror-stories-presentation): Ajax can set HTTP headers, normal forms can't. Ajax requests must be from the same domain.
So requests carrying "X-Requested-With: XMLHttpRequest" must be from the same domain.
Accepted answer

There are two scenarios you need to secure with web services:
The authentication piece is already taken care of if you're using Forms Authentication. If your web service sits in a Forms Authentication-protected area of the site, nobody will be able to access your web services unless they're logged in.
The second scenario is a slightly trickier story. The attack is known as CSRF or XSRF (Cross-Site Request Forgery). This means that a malicious website performs actions on behalf of your user while they're still logged in to your site. Here's a great writeup on XSRF.
Jeff Atwood sort of sums it all up in the link above, but here is XSRF protection in four steps: