millweb asked on

Web Services - Client Authentication - C#

Hello,

I have used .NET  Web Services in the past to provide an easy way to access data between applications.  In the past, the data being retrieved was never confidential in nature.

I now wish to create Web Service methods for valid, authenticated users of our subscription service.  These users have a username, password, and firm ID.  I need to accomplish one of the following:

1)  Create a Web Service that requires being supplied a username, password and firm id as parameters of every single web method.  As soon as the method is called, an authentication check will be performed, and the results will be returned only if the user passes authentication.  Additionally, results will only be returned if they are relevant to the "firm id" that is passed.

or

2)  Implement a system where users must authenticate into the web service using their username, password and firm id in a separate method.  If they pass authentication, they will be able to make subsequent method calls and have results returned.  If not, they will be denied access.

What is the best way to accomplish this?

----------------------------

How is the following example?  Does this pose a risk?  Is there a better way to proceed?

With the given example, I'm assuming each page will have to reauthenticate, since _isAuthenticated will be false after the page lifecycle expires?


using System.Web.Services;

public class Service1 : System.Web.Services.WebService
{
    // Instance fields: a new Service1 object is created for every request,
    // so this state does not survive between calls.
    private bool _isAuthenticated = false;
    private int _firmID = 0;

    [WebMethod]
    public bool Authenticate(string user, string pass, int firmID)
    {
        // placeholder for the real credential check (not shown in the question)
        bool passed = false;

        if (passed)
        {
            // if passes authentication
            _isAuthenticated = true;
            _firmID = firmID;
            return true;
        }

        // if fails authentication
        _isAuthenticated = false;
        return false;
    }

    [WebMethod]
    public string AuthenticatedMethod()
    {
        // method only for authenticated users
        if (!_isAuthenticated)
            return "";

        // authenticated, retrieve results for given firmID
        string x = "Firm ID Specific Result - " + _firmID.ToString();
        return x;
    }
}



Suggestions appreciated.
Tags: Project Management, WCF, Web Development

Last Comment: millweb, 8/22/2022 - Mon
Aaron Jabamani

I think of two custom ways

1. Let every call submit the authentication through the header, i.e. before executing the method, retrieve the details from the header and validate. If the validation succeeds, return the result; else return an error.

2. In case the user is going to use a series of calls to your web service, use a token system. When they create a web service proxy they should pass the credentials as parameters and in return they get a token. Then this token is passed in the subsequent calls as the first parameter.
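As an added example (not code from the question or from either commenter), here is how the token approach above can be wired into the asker's ASMX service using a SOAP header instead of an instance field, which is why the original _isAuthenticated never survives between calls. The credential lookup CredentialStore.IsValid is assumed to exist elsewhere.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// SOAP header the client fills in on every call after Authenticate().
public class AuthHeader : SoapHeader
{
    public string Token;
}

public class Service1 : WebService
{
    public AuthHeader Auth;   // populated from the incoming SOAP header

    // A new WebService instance is created per request, so instance fields such as
    // _isAuthenticated never survive between calls; sessions must live in static state.
    private static readonly ConcurrentDictionary<string, Session> Sessions =
        new ConcurrentDictionary<string, Session>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);
    private class Session { public int FirmId; public DateTime Expires; }

    [WebMethod]
    public string Authenticate(string user, string pass, int firmId)
    {
        // CredentialStore.IsValid is an assumed helper: the real lookup of the
        // subscriber's (hashed) password and firm membership lives there.
        if (!CredentialStore.IsValid(user, pass, firmId)) return null;

        var bytes = new byte[32];                       // 256-bit random token
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        Sessions[token] = new Session { FirmId = firmId, Expires = DateTime.UtcNow + Lifetime };
        return token;
    }

    [WebMethod]
    [SoapHeader("Auth", Direction = SoapHeaderDirection.In)]
    public string AuthenticatedMethod()
    {
        Session s;
        // Reject missing, unknown and expired tokens with a SOAP fault, not an empty string.
        if (Auth == null || Auth.Token == null ||
            !Sessions.TryGetValue(Auth.Token, out s) || s.Expires < DateTime.UtcNow)
            throw new SoapException("Not authenticated", SoapException.ClientFaultCode);

        // Firm scoping comes from the server-side session, never from a client parameter.
        return "Firm ID Specific Result - " + s.FirmId;
    }
}
```

The client calls Authenticate once, then sets the returned token on its proxy's AuthHeaderValue so every later call carries it; the service never trusts a firm id supplied by the caller.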
Grant Spiteri

An alternative option would be to supply the client (who will consume the service) an SSL cert and, for each client, create a user on the domain in a certain group (i.e. group Firm), setting up transport security and Windows clientCredentialType with WCF Services. The app pool identity should be set to the group that you have added the clients to on the WCF service. This way you will be ensuring the security of the data from the client to the server by encrypting the pipe with SSL and, for extra measure, using Windows authentication for extra security.
ASKER CERTIFIED SOLUTION
Ted Bouskill

millweb

ASKER
Thank you