Web Services Authentication and Authorization
Mon, 31 Mar 2008 07:12:41 +000
Hi,
I have a question regarding authorization in Web Services (C# .NET).
I have a WebService Customer with a few methods (AddCustomer, DeleteCustomer,
ModifyCustomer, MoveCustomer). These web services are in turn called by the
client applications.
Only users in the Administrative role can Add and Delete a customer.
Only users in the Members role can Modify a customer.
My question is how do I implement authentication and authorization in these web
service methods. Do I have to authenticate every time a call is made to a web
service, and then authorize? Or is there a way in which I can first get the user
authenticated and then pass something like a ticket around?
Thanks
Arjuna.

Re: Web Services Authentication and Authorization
Mon, 31 Mar 2008 13:44:04 +000
ASP.NET Web services use the same base technology as ASP.NET Web applications,
so the Windows authentication mechanism is available, too. You cannot use Forms
authentication because it is not possible to present a user interface for the
client application.
Whereas XML Web services are platform independent, this cannot be said for
Windows authentication. For platform-independent authentication, you can use a
SOAP header, either creating this yourself, or by using Web Services Enhancement
(WSE).

    // Filled in by ASP.NET from the AuthenticationInfo SOAP header of the request
    public AuthenticationInfo authInfo;

    [WebMethod]
    [return: XmlArray("Courses")]
    [return: XmlArrayItem("Course")]
    [SoapHeader("authInfo")]
    public Course[] GetCourses()
    {
        //... read user information in authInfo
        if (!User.Identity.IsAuthenticated)
        {
            // Reject the call with a SOAP fault instead of returning data
            XmlQualifiedName name = new XmlQualifiedName("AuthenticationError");
            SoapException ex = new SoapException("Request denied", name);
            throw ex;
        }
        //...
    }

    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <AuthenticationInfo xmlns="http://christiannagel.com/Demos/CourseServices/2004">
          <Username>string</Username>
          <Password>string</Password>
        </AuthenticationInfo>
      </soap:Header>
      <soap:Body>
        <GetCourses xmlns="http://christiannagel.com/Demos/CourseServices/2004" />
      </soap:Body>
    </soap:Envelope>

Source:
http://www.ubookcase.com/book/Addison.Wesley/Enterprise.Services.with.the.dot.NET.Framework/032124673x/ch12lev1sec1.html
Good Luck

Re: Web Services Authentication and Authorization
Tue, 1 Apr 2008 06:21:27 +0000
Hi Skynyrd,
Thanks for your reply, so what you say is that if I am not using Windows
Authentication then I have to always pass the username and password in the
header and authenticate and then authorize?
Thanks
Arjuna.

Re: Web Services Authentication and Authorization
Tue, 1 Apr 2008 12:25:34 +0000
skynyrd: You cannot use Forms authentication because it is not possible to
present a user interface for the client application.
Actually this is not true. But you do need to be able to have the client handle
a token for subsequent requests.
Assuming you use a cookie for the token, you can:
Have a "login" method that supplies username and password (this
should, of course, be over SSL). The implementation uses
System.Web.Security.Membership.ValidateUser to check. And then calls
System.Web.Security.FormsAuthentication.SetAuthCookie to create the cookie.
The client captures the cookie, and uses it in further calls.
In subsequent calls, the user identity (including roles) will be populated.
(Obviously this assumes hosting as a .asmx under IIS/dev server. Self hosting
WCF would be different.)
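
The login-then-cookie flow described in the reply above, applied to the Customer service from the original question. This is an added example, not code from any poster in the thread. The class name, the Demand helper, the "AuthorizationError" fault name and the XML namespace are hypothetical, and it assumes Forms authentication and the role manager are enabled in web.config.

```csharp
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;

// Assumed web.config: <authentication mode="Forms"> with requireSSL="true"
// on <forms>, and <roleManager enabled="true" /> so User.IsInRole works.
[WebService(Namespace = "http://example.invalid/customers")] // placeholder namespace
public class CustomerService : WebService
{
    // Authenticate once; the forms-authentication ticket goes back as a cookie.
    [WebMethod]
    public bool Login(string username, string password)
    {
        if (!Membership.ValidateUser(username, password))
            return false;                                   // no ticket on failure
        FormsAuthentication.SetAuthCookie(username, false); // non-persistent cookie
        return true;
    }

    [WebMethod]
    public void AddCustomer(string name)
    {
        Demand("Administrative");
        // ... insert the customer
    }

    [WebMethod]
    public void DeleteCustomer(int customerId)
    {
        Demand("Administrative");
        // ... delete the customer
    }

    [WebMethod]
    public void ModifyCustomer(int customerId, string name)
    {
        Demand("Members");
        // ... update the customer
    }

    // Authorization is still checked on every call; only the password
    // exchange happens once. The ticket is validated by ASP.NET per request.
    private void Demand(string role)
    {
        if (!User.Identity.IsAuthenticated)
            throw new SoapException("Request denied", new XmlQualifiedName("AuthenticationError"));
        if (!User.IsInRole(role))
            throw new SoapException("Request denied", new XmlQualifiedName("AuthorizationError"));
    }
}
```

On the client, assign a System.Net.CookieContainer to the generated proxy's CookieContainer property before calling Login, so the ticket cookie is captured and sent with the later calls.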

Re: Web Services Authentication and Authorization
Tue, 1 Apr 2008 12:42:05 +0000
I think the best way to incorporate Authentication and Authorization in ASMX web
services is to use WSE 3.0. Check out the Webcasts/Videos section of WSE at
http://msdn2.microsoft.com/en-us/webservices/aa740663.aspx and you might find it
useful.