I need help with web service security. Service requests arrive via HTTP-POST. I'm using IP / Domain restriction to control access to the web service. The security of incoming requests needs to be handled with HTTP-Auth. Does anyone know how to use HTTP-Auth?
In case it's relevant, my website uses Forms Authentication. Windows Authentication doesn't apply in my case.
I don't think this will work. If you want to secure the web service, you should use Windows Authentication. Bruce DiscountASP.NET www.DiscountASP.NET
Hi Bruce, Based on my research last night, mine is not a situation that comes up every day, so the programming is considered a bit advanced; but, I anticipate success. Looks like I need an HTTP Module to intercept the application's Authenticate event. Here's some pseudo-code: Credentials are submitted via the HTTP object. The HTTP module extracts the creds, checks them for validity, and returns true/false. On False, the request can be denied. On True, the request can be extracted and processed. Either way, the appropriate response message is then returned by the HTTP Response object. By the way, when this approach is used, Forms and Windows Authentication are irrelevant. I saw an example of web.config that looked like this: <authentication mode='None' /> ===Begin Caveat=== Other readers, please be clear: <authentication mode='None' /> is for special circumstances only. I mention it only as an example of how far you can go with custom authentication approaches. I still considering my options. My web application is setup with <authentication mode='Forms'>. That's because normal users (non-web service interactions) will still interact with the app in the usual way, regardless of the security configuration of my web service. ===End Caveat=== Anyway, I also may need an HTTP Handler to intercept processing of the specific page (e.g., webservice.asmx) since I only want this special authentication used for web service requests. I'm still working on the coding specifics; the Web has many resources explaining HTTP modules and handlers from different perspectives. I need to assimilate them. ~ Timing is EVERYTHING!
James, your response helps. In fact, you and Bruce (and time thinking about this) have turned my head in a different direction. Thanks guys. ~ Timing is EVERYTHING!
Hi Geosync, Not sure if I can help, but are youusing a standard Windows Forms with the usual .Net Login Control If this is the case, can you not limit the web service functionality usingUser.Identity.IsAuthenticatedand User.IsInRole(RoleName), as well as Request.UserHostAddress. Or you could limit the Login process by handling the Login_LoggingIn event, perform your IP checks against Request.UserHostAddress, and then set e.Cancel to true to prevent the login. Not sure if that helps. As for actually modifying the response code for a web service request. As Bruce said good luck. James
