I have forms authentication set up and browser users use credentials. However, my web service is under the same app space, but no credentials are required to access the service. What do I need to do to force web service authentication?
Hi, Do you mean, for example, that if a new user to the site tries to access a folder you'd like to kick them back to the login? Salute, Mark Technical Evangelist for DiscountASP.NET http://www.iis7test.com/webcasts/ http://weblogs.asp.net/markwisecarver/ http://blogs.windowsclient.net/wisecarver/default.aspx (Microsoft IT Usability http://msitusability.multiply.com/)
No. I have user authentication and authorization set up OK. My folder restrictions are set up OK, too. My question is about web service access. Users access the website via browser. Programs access the website via the web service. I need to restrict access to the web service. I need programs to provide credentials before the web service will accept a request. ~ Timing is EVERYTHING!
Several ways to do that:
1) Put your web services into another application and use permission manager to restrict anonymous access. On the consuming end, you'll have to submit the proper credential though.
2) Disable HTTP Post & Get for the web service. This way, when users browse to your asmx file, they will not be able to execute it. This is not the most secure method though.
3) Add another field to your web service method, like password. Require the consuming application to submit a password and then check the validity of the password in all your methods.
Bruce DiscountASP.NET www.DiscountASP.NET
Thanks, Bruce! Can #1 & #2 be implemented together? I'm not sure how to do these things. Could you give me some tips? My fall-back strategy is #3. But, I want to avoid programming it, and use IIS if possible.
>> Can #1 & #2 be implemented together?
Yes.
#1. Simply move your web services application to another directory and use the permission manager to disable anon access.
#2. Go to the web.config of the web service application. Find the <protocols> section and put the following in:
<webServices>
  <protocols>
    <remove name='HttpPost' />
    <remove name='HttpGet' />
    <remove name='HttpPostLocalhost' />
  </protocols>
</webServices>
Bruce DiscountASP.NET www.DiscountASP.NET
Hi Bruce, What is the equivalent IIS 6 implementation of Step #1? Thank you, Rick ~ Timing is EVERYTHING!
Bruce, I've got this implemented. But I'm wondering about something... Is the password in clear text over the web? If so, can the client's parameters be encrypted via SSL? Thank you, Rick ~ Timing is EVERYTHING!
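Option 3 from Bruce's list combined with the transport question raised in the last post, as an added example that is not code from any poster: an ASMX method that refuses calls arriving without SSL, since over plain HTTP the password parameter travels in clear text, and then checks the password. The service name, method, namespace URI and the ServicePassword appSettings key are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical service and method names; the thread does not show Rick's code.
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    [WebMethod]
    public string GetStatus(string password, int orderId)
    {
        Authorize(password);
        return "Order " + orderId + ": pending"; // placeholder business logic
    }

    // Call first in every [WebMethod]; throws a SOAP fault on failure.
    private void Authorize(string password)
    {
        // Without SSL the SOAP body, password included, crosses the network in clear text.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);

        // Assumed appSettings key; keeps the secret out of source code.
        string expected = ConfigurationManager.AppSettings["ServicePassword"];
        if (string.IsNullOrEmpty(expected) || !FixedTimeEquals(password, expected))
            throw new SoapException("Access denied", SoapException.ClientFaultCode);
    }

    // Compare SHA-256 digests byte by byte without an early exit, so response
    // time does not reveal how many leading characters matched.
    private static bool FixedTimeEquals(string supplied, string expected)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] a = sha.ComputeHash(Encoding.UTF8.GetBytes(supplied ?? string.Empty));
            byte[] b = sha.ComputeHash(Encoding.UTF8.GetBytes(expected));
            int diff = 0;
            for (int i = 0; i < a.Length; i++)
                diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

IsSecureConnection reports the connection as the web server sees it, so behind a proxy that terminates SSL it returns false even when the client used HTTPS.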