AJAX WCF whitelist

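  • Question

  • AJAX is enabled on the WCF service, and after publishing it can be accessed normally. Now I want to allow access only from the www.aaa.com website and block access from other domains. How should I set this up?

    If I change the configuration file to crossDomainScriptAccessEnabled="false", how do I add www.aaa.com?

    February 9, 2018 1:48

Answer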

  • Hi fss199,

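    >> The www.aaa.com website still cannot call the WCF program

    When you say it cannot make the request, did you receive a cross-origin error message?

    If you set a breakpoint on the "Application_BeginRequest" line, is the breakpoint hit when the client calls the service?

    I suggest you set crossDomainScriptAccessEnabled to true; can the www.aaa.com website access WCF then? If it can, I suggest you use the code below to block other domains from accessing WCF.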

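    using System;
    using System.Linq;
    using System.Web;

    // Global.asax.cs: the application class must derive from HttpApplication
    public class Global : System.Web.HttpApplication
    {
        // Runs at the start of every request, before the WCF service is reached
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            var allowedOrigins = new[] { "http://www.aaa.com" }; // limit the domains
            var request = HttpContext.Current.Request;
            var response = HttpContext.Current.Response;
            var origin = request.Headers["Origin"];

            // End the request unless Origin exactly matches an allowed entry
            if (!(origin != null && allowedOrigins.Any(x => x == origin)))
            {
                response.End();
            }
        }
    }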

    Best Regards,

    Tao Zhou


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

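    • Marked as answer by fss199 February 24, 2018 13:20
    February 12, 2018 5:51
    Moderator

All replies

  • The client's request IP keeps changing; can access be restricted by the website's domain name instead?
    February 9, 2018 1:57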
  • Hi fss,

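    After checking the web.config configuration file, there appears to be no way to allow only specific domains in web.config.

    I suggest trying Global.asax to implement CORS or restrict access to specific domains; you can refer to the code below.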

    using System;
    using System.Linq;
    using System.Web;

    // Global.asax.cs: the application class must derive from HttpApplication
    public class Global : System.Web.HttpApplication
    {
        protected void Application_BeginRequest(object sender, EventArgs e) {
            var allowedOrigins = new[] { "http://foo.example", "http://bar.example" }; // limit the domains
            var request = HttpContext.Current.Request;
            var response = HttpContext.Current.Response;
            var origin = request.Headers["Origin"];

            // Add the CORS headers only when Origin exactly matches an allowed entry
            if (origin != null && allowedOrigins.Any(x => x == origin)) {
                response.AddHeader("Access-Control-Allow-Origin", origin);
                response.AddHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
                response.AddHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");
                response.AddHeader("Access-Control-Allow-Credentials", "true");
                // Preflight request: answer with the headers only
                if (request.HttpMethod == "OPTIONS") {
                    response.End();
                }
            }
        }
    }

    Best Regards,

    Tao Zhou


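    February 9, 2018 2:39
    Moderator
  • Thank you for taking time out of your busy schedule to guide me. In the AJAX WCF project I added Global.asax, modified the file, saved and published it, but it has no effect. What else do I need to set?
    February 9, 2018 3:41
  • What do you mean by it has no effect? Does the request report a CORS error, or can any domain access the WCF service?

    How are your web.config and Global.asax set up?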


    February 9, 2018 5:06
    Moderator
  • web configuration file:

      <system.serviceModel>
        <bindings>
          <webHttpBinding>
            <binding name="AjaxBindings1" crossDomainScriptAccessEnabled="false" />
          </webHttpBinding>
        </bindings> 
     ......
      </system.serviceModel>

    The Global.asmx.cs file is as follows:

        [WebService(Namespace = "http://tempuri.org/")]
        [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
        [System.ComponentModel.ToolboxItem(false)]
        [System.Web.Script.Services.ScriptService]
        public class Global : System.Web.Services.WebService
        {
            protected void Application_BeginRequest(object sender, EventArgs e)
            //protected void Application_Start(object sender,EventArgs e)
            {
                var allowedOrigins = new[] { "http://www.aaa.com" }; //limit the domains
                var request = HttpContext.Current.Request;
                var response = HttpContext.Current.Response;
                var origin = request.Headers["Origin"];
    
                if (origin != null && allowedOrigins.Any(x => x == origin))
                {
                    response.AddHeader("Access-Control-Allow-Origin", origin);
                    response.AddHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
                    response.AddHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");
                    response.AddHeader("Access-Control-Allow-Credentials", "true");
                    if (request.HttpMethod == "OPTIONS")
                    {
                        response.End();
                    }
                }
            }
        }
    With this, the www.aaa.com website still cannot call the WCF program


    • Edited by fss199 February 9, 2018 9:36
    February 9, 2018 9:34
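  • Thank you! Happy New Year!

    In the AJAX WCF code, breakpoints set on any of the functions are never hit.

    February 21, 2018 0:43
  • In your earlier description, setting crossDomainScriptAccessEnabled to true made the WCF service accessible; only the restriction on which domains can access it was not achieved. What other changes did you make? Otherwise Application_BeginRequest should not fail to execute.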

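    February 22, 2018 3:56
    Moderator
  • I just added the Application_BeginRequest function to the WCF service, and it is still the same: any domain can access the service, and a website that is not http://www.aaa.com can access it too.

    I added these attributes in the global file; does that matter? Does anything else need to be set in the Web.config file?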

        [WebService(Namespace = "http://tempuri.org/")]
        [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
        [System.ComponentModel.ToolboxItem(false)]
        [System.Web.Script.Services.ScriptService]
        public class Global : System.Web.Services.WebService


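    • Edited by fss199 February 23, 2018 0:45
    February 23, 2018 0:36
  • How did you add the Global.asmx file? Did you set a breakpoint on the Application_BeginRequest line to check whether it is executed?

    Debug the code above to see whether response.End(); is reached for an address that is not www.aaa.com.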


    February 23, 2018 1:47
    Moderator
  • Thank you for your guidance! I had the file extension wrong. Now the breakpoint hits the function.

                var response = HttpContext.Current.Response;
                var origin = request.Headers["Origin"];

    Why is this origin always null, with no data retrieved?


    February 23, 2018 15:21
  • How did you send the request to the service?

    The "Origin" will have a value only when the request is cross-domain. If you create a new web app and send an ajax request from this new app to the service, I think it will contain the value.



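    February 24, 2018 2:51
    Moderator
  • The AJAX WCF service is published to one IIS server, and the website sending the requests is published to another IIS server, so the two applications are on different servers. With requests made this way, HttpContext.Current.Request.Headers["Origin"] is always empty.
    February 24, 2018 3:00
  • How do you send the request to the WCF service?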

    February 24, 2018 3:02
    Moderator
  • $.getJSON(wcfUri + "/GetData" + urlParameterName,
        function (data) {
            alert(data);
        });

    February 24, 2018 3:10
  • I failed to reproduce your issue. You may consider creating two simple projects which could reproduce your issue, and then share them with us through OneDrive or GitHub.


    February 24, 2018 3:14
    Moderator
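
The two Global.asax snippets from this thread combined into one handler, as an added example that is not code from any poster: allowlisted origins get the CORS headers, every other request is ended. The 403 status, the Vary header and the IsAllowedOrigin helper name are assumptions of this example; requests that carry no Origin header (same-origin GETs, script-tag/JSONP loads, non-browser clients) arrive with origin == null and are rejected too.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Global.asax.cs (not .asmx): the class must derive from HttpApplication
// for Application_BeginRequest to be called.
public class Global : HttpApplication
{
    // Exact scheme://host[:port] strings as a browser sends them in Origin.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "http://www.aaa.com" };

    // Hypothetical helper: whole-string match only, so a look-alike such as
    // "http://www.aaa.com.other.example" does not pass.
    internal static bool IsAllowedOrigin(string origin)
    {
        return !string.IsNullOrEmpty(origin) && AllowedOrigins.Contains(origin);
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var request = HttpContext.Current.Request;
        var response = HttpContext.Current.Response;
        var origin = request.Headers["Origin"];

        if (!IsAllowedOrigin(origin))
        {
            // Also reached when Origin is missing (origin == null).
            response.StatusCode = 403;       // assumption: answer with Forbidden
            response.SuppressContent = true; // send no body
            response.End();
            return;
        }

        // Echo the matched origin; never "*" together with credentials.
        response.AddHeader("Access-Control-Allow-Origin", origin);
        response.AddHeader("Vary", "Origin"); // caches must key on Origin
        response.AddHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
        response.AddHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");
        response.AddHeader("Access-Control-Allow-Credentials", "true");

        if (request.HttpMethod == "OPTIONS")
        {
            response.End(); // preflight: headers only, the service is not invoked
        }
    }
}
```

Origin is supplied by the client, so this check limits which web pages a browser will let call the service. A non-browser client can send any Origin value, so authentication is still needed to restrict who may call it.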