开发者

AJAX, WCF, and Authentication woes

I'm working on a site which is not publicity accessible. That is, it's on the internet, but you must login to access the site, you can't register or anything, it provides a service for a particular industry.

We are moving some of our functionality to a mobile site, a real cut down version targeted specifically to day-to-day requirements, that suit the screen size witho开发者_开发技巧ut having to zoom and scroll etc.

This is all fine.

The site is rather chatty in some area's, and rather than doing ASP.NET Post Backs, we will be doing a lot of AJAX with jQuery, what we would like to do is off-load some of the tasks to other servers and provide WCF services for getting/putting data.

My question is, what is the best way of locking down these WCF services so that they cannot be accessed out-side of the initial website, and you have to be logged in to touch them.

My thoughts were to have a handler which is what we would touch from the website, and the handler would make a call to the WCF service which would only be exposed to our internal servers. This means the WCF service wouldn't need to be publicly exposed, but the handler would be under our existing domain and existing forms authentication.

If that makes sense.

Is this a good approach or should I go down the route of using time-stamps and tokens to authenticate the requests to publicly exposed WCF services.

Edit: WCF, RESTful Web Services and custom authentication

^this is the closest thing I could find to what I need to do, but wanted to know if there's a better solution for something that isn't, and never will be public facing.


Using HTTP module, you can add a custom authentication to a IIS-hosted WCF service. You can then implement OAuth 2 Bearer token protection passed via HTTP header or query parameter. It's essentially passing time-limited password along, so you need to do this over https, but it can easily be consumed by jQuery or anything that can use https. The module can set the Principal info on the current thread, which you can access from WCF.

For the rest of OAuth 2, see Facebook's Authentication.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜