millweb asked:
Web Services - Client Authentication - C#

Hello,

I have used .NET Web Services in the past to provide an easy way to access data between applications.  In the past, the data being retrieved was never confidential in nature.

I now wish to create Web Service methods for valid, authenticated users of our subscription service.  These users have a username, password, and firm ID.  I need to accomplish one of the following:

1)  Create a Web Service that requires being supplied a username, password and firm id as parameters of every single web method.  As soon as the method is called, an authentication check will be performed, and the results will be returned only if the user passes authentication.  Additionally, results will only be returned if they are relevant to the "firm id" that is passed.

or

2)  Implement a system where users must authenticate into the web service using their username, password and firm id in a separate method.  If they pass authentication, they will be able to make subsequent method calls and have results returned.  If not, they will be denied access.

What is the best way to accomplish this?

----------------------------

How is the following example?  Does this pose a risk?  Is there a better way to proceed?

With the given example, I'm assuming each page will have to reauthenticate, since _isAuthenticated will be false after the page lifecycle expires?


    public class Service1 : System.Web.Services.WebService
    {
        private bool _isAuthenticated = false;
        private int _firmID = 0;

        [WebMethod]
        public bool Authenticate(string user, string pass, int firmID)
        {
            // placeholder for the real credential check against the user store
            if (CheckCredentials(user, pass, firmID))
            {
                // passes authentication
                _isAuthenticated = true;
                _firmID = firmID;
                return true;
            }

            // fails authentication
            _isAuthenticated = false;
            return false;
        }

        // stub so the example compiles; the real implementation looks up the user
        private bool CheckCredentials(string user, string pass, int firmID)
        {
            return false;
        }

        [WebMethod]
        public string AuthenticatedMethod()
        {
            // method only for authenticated users
            if (!_isAuthenticated)
                return "";

            // authenticated, retrieve results for given firmID
            string x = "Firm ID Specific Result - " + _firmID.ToString();
            return x;
        }
    }



Suggestions appreciated.
Aaron Jabamani

I think of two custom ways

1. Let every call submit the authentication through the header, i.e. before executing the method, retrieve the details from the header and validate. If the validation is successful then return the result, else return an error.

2. In case the user is going to use a series of calls to your web service, use a token system. When they create a web service proxy they should pass the credentials as parameters and in return they get a token. Then this token is passed in the subsequent calls as the first parameter.
An alternative option would be to supply the client (who will consume the service) an SSL cert and for each client create a user on the domain in a certain group (i.e. group Firm), setting up transport security and Windows clientCredentialType with WCF Services. The app pool identity should be set to the group that you have added the clients to on the WCF service. This way you will be ensuring the security of the data from the client to the server by encrypting the pipe with SSL and, for extra measure, using Windows authentication for extra security.
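The following is an added example, not code from the original post or from either answer, showing how the header-based check (option 1) and the token exchange (option 2) from the answer above can be implemented in an ASMX service. It also addresses the asker's `_isAuthenticated` field: the ASMX runtime creates a new instance of the `WebService` class for every request, so an instance field set in `Authenticate` is gone by the time `AuthenticatedMethod` runs, and the field never guards anything. The `AuthHeader` class, the `FirmService` name, the `demo` credentials and the in-memory `Tokens` store are all assumptions made up for this example; a real deployment verifies a salted password hash and keeps tokens in a database or shared cache.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical SOAP header: carries either credentials or a previously issued token.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
    public int FirmId;
    public string Token;
}

public class FirmService : WebService
{
    // Populated by the ASMX runtime for each call decorated with [SoapHeader("Auth")].
    public AuthHeader Auth;

    // Process-wide token store (stand-in for a database): token -> (firmId, expiry UTC).
    private static readonly ConcurrentDictionary<string, Tuple<int, DateTime>> Tokens =
        new ConcurrentDictionary<string, Tuple<int, DateTime>>();

    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(20);

    // Placeholder credential check with constructed sample values; a real one
    // compares a salted password hash from the user store.
    private static bool CredentialsValid(string user, string pass, int firmId)
    {
        return user == "demo" && pass == "demo-pass" && firmId == 42;
    }

    // Option 2: exchange credentials for a short-lived, unguessable token.
    [WebMethod]
    [SoapHeader("Auth")]
    public string Login()
    {
        if (Auth == null || !CredentialsValid(Auth.Username, Auth.Password, Auth.FirmId))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);

        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        Tokens[token] = Tuple.Create(Auth.FirmId, DateTime.UtcNow + TokenLifetime);
        return token;
    }

    // Options 1 and 2 together: every data method re-checks the header on each call
    // (there is no per-instance state to rely on) and derives the firm from the
    // authenticated principal, never from a separate caller-supplied parameter.
    private int RequireFirm()
    {
        if (Auth == null)
            throw new SoapException("Missing auth header", SoapException.ClientFaultCode);

        if (!string.IsNullOrEmpty(Auth.Token))
        {
            Tuple<int, DateTime> entry;
            if (Tokens.TryGetValue(Auth.Token, out entry) && entry.Item2 > DateTime.UtcNow)
                return entry.Item1;
            Tokens.TryRemove(Auth.Token, out entry); // expired or unknown: drop it
            throw new SoapException("Invalid or expired token", SoapException.ClientFaultCode);
        }

        if (CredentialsValid(Auth.Username, Auth.Password, Auth.FirmId))
            return Auth.FirmId;

        throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
    }

    [WebMethod]
    [SoapHeader("Auth")]
    public string GetFirmReport()
    {
        int firmId = RequireFirm();
        // The data query is scoped by the authenticated firm, so a caller cannot
        // read another firm's results by changing a parameter.
        return "Firm ID Specific Result - " + firmId;
    }
}
```

Because the header carries a password or a bearer token on every call, the endpoint must only be reachable over HTTPS, as the reply above recommends; otherwise anyone on the path can replay the header. The token is random rather than derived from the username or firm id so that it cannot be predicted, and its expiry limits the damage if one is captured.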
ASKER CERTIFIED SOLUTION
Ted Bouskill

millweb

ASKER

Thank you