Calling web service method using jquery / Javascript

I referenced a asp,net web service in my project. I want to call the method of that web service through the jQuery ajax method which will be in separate .Js file. I am also concern about the security implementation and best practice when using such way to call a web service method.

Thanks
Rohit SharmaAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shaikh MubeenSenior Software, Web & Mobile Apps DeveloperCommented:
There is no such thing as the best way and the answer is always it depends, though it is very unhelpful. You can use forms authentication for example. If you web application using the web service and the web service are part of the same ASP.NET application, the browser can seamlessly send the forms authentication ticket (cookie) for every call to the web service.

In the config file, you can have

<authorization>
        <deny users="?" />
</authorization>

Open in new window

This will deny access to anonymous users and that will cover the web services as well. In other words, unless a user logs in and gets a valid cookie with the ticket, service cannot be used. Of course, you must HTTPS. Otherwise, any one in the middle can get the cookie in the headers and call your service.

Finally, it is not possible to ensure no one call the web service outside of your application in an absolute sense. The above approach ensures none in the middle calls your service. But there is no way to ensure a valid user calls the service directly outside of your application because the web service caller is JavaScript and whatever security you build in JavaScript can be easily figured out by a user by looking at the script or even looking at the traffic from and to the browser. Any end user who is a bit technical, will be able to replay the requests or modify the requests and submit to your web service using valid credentials.

Here are the more details you are looking for to enable FormsAuthentication.

(1) In Web.config, under <system.web>, make sure you have this.
<authentication mode="Forms">
     <forms loginUrl="Login.aspx" defaultUrl="~/" />
</authentication>
<authorization>
     <deny users="?" />
</authorization>

Open in new window

This will ensure all non-authenticated (anonymous) users are redirected to Login.aspx.

(2) Implement Login.aspx with your login logic to get the user Id and password and validate them against a database or whatever. Once authentication is successful, that is, the user entered ID and password matches what you have in the database, may be in the login button click handler, set the ticket.
protected void Button1_Click(object sender, EventArgs e)
{
    // Do all your login logic here
    // once user ID and password entered by the user are okay, call this

    string ticket = FormsAuthentication.Encrypt(
                        new FormsAuthenticationTicket("userId", false, 15));
    HttpCookie FormsCookie = new HttpCookie(
               FormsAuthentication.FormsCookieName, ticket) { HttpOnly = true };
    HttpContext.Current.Response.Cookies.Add(FormsCookie);
}

Open in new window


(3) Add PrincipalPermissionAttribute to the web method like this.
public class Users : System.Web.Services.WebService
{
    [PrincipalPermissionAttribute(SecurityAction.Demand)]
    [WebMethod]
    public List<User> GetUsers()
    {
        // Same code as what you have now
    }
}

Open in new window


If you now go to any page, you will be redirected to login.aspx where you will need to enter user ID and password and login. On login, the forms authentication cookie will be created and written to the response. From that point onwards, all the requests to your application will bring in the cookie (browser will do that for you). Without logging in, if you go to the web service directly, you will still be redirected to the login page. As I mentioned in my original answer, a logged in user however will still be able to access the web service directly. If JavaScript can do something, a user can do the same.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
JavaScript

From novice to tech pro — start learning today.