I have built a website with an ASP.NET web service where the user can register, log in and make ads. The main issue is that the web service is not secured, because I can call it and pass parameters to it in the basic console of Google Chrome: I can execute a web method and add a user with any role I like, without any credentials. The code is:

    $.ajax({
        dataType: "json",
        type: "POST",
        contentType: "application/json; charset=utf-8",
        url: '/anywebservice.asmx/AddUser',
        data: JSON.stringify({
            FullName: $('#txtFullName').val(),
            BirthDate: "1/1/1900",
            GenderId: $("input:radio[name='rblGender']:checked").val(),
            CountryId: $("#ddlCountries").val(),
            Email: $('#txtEmail').val(),
            Mobile: $('#txtMobile').val(),
            RoleName: "Users",
            LoginName: $('#txtUserName').val(),
            Password: $('#txtPassword').val(),
            IsApproved: "true"
        }),
        beforeSend: function () {
            //$('.tableContent').block({ message: null });
            //$('.tableContent').spin(opts);
        },
        complete: function () {
            //$('.tableContent').unblock();
            //$('.tableContent').spin(false);
        },
        success: function (data) {
            if (data.d < 0) {
                CustomAlert(data.d);
            }
            else {
                CustomAlert(window.lang.translate("You have sucssesfully registered"));
            }
        }
    });

Of course I know that I can create a separate web method that does not take the role name as a parameter, but this method is just an example. I have many methods that I am using for the clients, and I need them to be secured, not like this. Or should I separate the admin web service from the client web service, and if so, how can I secure both?
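
A server-side sketch of the split the question asks about, as an added example that is not the poster's code: public registration cannot set the role or approval flag, and the role-assigning method checks the caller's authenticated identity before doing anything. It assumes forms authentication with the ASP.NET Membership and Roles providers; the class name, method names and the "Admins" role are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Script.Services;
using System.Web.Security;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/")]   // placeholder namespace
[ScriptService]                                       // allows the JSON POST calls jQuery makes
public class AccountService : WebService
{
    // Public self-registration. There is no RoleName or IsApproved parameter,
    // so a caller typing into the browser console has nothing to tamper with.
    [WebMethod]
    public int Register(string loginName, string password, string email)
    {
        return CreateUser(loginName, password, email, "Users", false);
    }

    // Admin-only. The caller's identity comes from the authentication cookie
    // validated by ASP.NET, never from a field in the request body.
    [WebMethod]
    public int AddUserWithRole(string loginName, string password, string email, string roleName)
    {
        RequireRole("Admins");
        if (!Roles.RoleExists(roleName))
            throw new ArgumentException("Unknown role.");
        return CreateUser(loginName, password, email, roleName, true);
    }

    // Returns 1 on success and a negative code on failure, matching the
    // page's client-side check (data.d < 0).
    private static int CreateUser(string loginName, string password, string email,
                                  string roleName, bool isApproved)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(loginName, password, email, null, null, isApproved, out status);
        if (status != MembershipCreateStatus.Success)
            return -(int)status;
        Roles.AddUserToRole(loginName, roleName);
        return 1;
    }

    // Fails the call before any user is created when the caller is anonymous
    // or lacks the required role.
    private static void RequireRole(string role)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
            throw new UnauthorizedAccessException("Not authorized.");
    }
}
```

The same `RequireRole` check applies whether the admin methods stay in this service or move to a separate .asmx file; moving them only helps if every method in the admin service still performs it.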