现实世界中的 Web 服务调用和代理身份验证

问题描述:

我们正在开发一个应用程序,该应用程序由托管网络服务(以及其他内容)的网络服务器和将与该网络服务进行通信的客户端组成.客户端应用程序和服务器都应在公司防火墙内使用.此应用程序将打包并部署到世界各地的组织,因此它需要足够灵活以在多种类型的环境中工作.

We are developing an app that consists of a web server that hosts a web service (amongst other things) and a client that will be communicating with that web service. Both the client app and the server are expected to be used within a corporate firewall. This application will be packaged up and deployed to organizations across the world—so it needs to be flexible enough to work in multiple types of environments.

我的问题围绕着 Web 服务身份验证以及适用于现实世界场景的内容展开.我知道有些公司有需要单独身份验证的代理服务器.跨组织的要求多久一次?代理服务器何时强制用户进行身份验证(您可以在不进行身份验证的情况下访问内部站点吗......是否仅对外部站点进行身份验证)?

My question revolves around web service authentication and what is appropriate for real world scenarios. I know some companies have proxy servers that require a separate authentication. How often is this a requirement across organizations? When does the proxy server force the user to authenticate (can you access internal sites without authenticating.. is the authentication for only external sites)?

我问这些问题的原因是,我不确定我们应该在我们的客户端应用程序中构建什么样的功能来对 Web 服务进行身份验证.默认情况下,我们获取当前用户凭据并将其传递给服务器.你觉得这就够了吗?在公司需要某种形式的内部访问替代身份验证的情况下,这将不起作用.我的问题围绕着最后一个案例——它多久发生一次?为什么公司会强制使用替代凭据进行内部访问?

Reason I ask these questions, is I’m not sure what kind of capability we should build into our client application for authentication to the web service. By default, we are taking the current user credentials and passing that up to the server. Do you think this is sufficient? In a case where a company will require some form of alternate authentication for internal access, this will not work. My question revolves around this last case—how often does it happen? Why would a company force alternate credentials for internal access?

谢谢!

为什么不让它可配置?此外,使用 WCF,您可以配置您可能需要的任何内容,在大多数情况下无需更改代码.

Why not make it configurable? Further, use WCF and you have the ability to configure just about anything you might need, in most cases without changing your code.