
I am using ASP.NET with an asmx service for data access towards my SQL database.

The service is called from both client and backend.

The site is going to be used both by our internal staff and by our customers.

There are some methods in the asmx service that I would like to disable access to if they are not authenticated. I really do not want to write a lot of duplicate code in every method to check for this.

Is there a generic or better way? Thanks.

user3514987
  • Are you sure you want to use ASMX? That feature [isn't supported](https://johnwsaunders3.wordpress.com/2011/12/07/more-reasons-to-not-use-asmx-services-in-new-code/) by MS anymore. Writing a generic handler (.ashx) is a good workaround, or if you're on .NET 4.5 then you can use ASP.NET [Web API](http://www.asp.net/web-api). If you use Web API, you can then use filter attributes to apply authorization rules to your API endpoints. You can also use [WCF](https://msdn.microsoft.com/en-us/library/ms731082(v=vs.110).aspx), especially if you need SOAP. – mason Aug 03 '15 at 14:04
  • Hi, okay, so asmx is outdated? Could you send me some information on Web API? That would be great. I'd like a solution where I can add attributes on the methods so it is easy to maintain and secure. – user3514987 Aug 03 '15 at 14:07
  • @user3514987 My original comment has the link to Web API. And yes, ASMX is outdated, that's what the link to John Saunders' blog in my comment described. – mason Aug 03 '15 at 14:09

2 Answers


WCF or Web API seem to be better solutions than ASMX for granting access to some resources in your database, since that feature has been phased out for some time already.

If you use WebAPI, you can use the Authorize attribute that will prevent access to a certain method if the user isn't authorized to. WCF doesn't have this out of the box, but there are workarounds for this.

Patrick Hofman

As a direct answer to your question, if you wanted to use ASMX (which I don't recommend anymore), you can simply check if the user is authenticated.

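```csharp
// Inside an ASMX web method (requires: using System.Web;)
if (HttpContext.Current.Request.IsAuthenticated)
{
    // continue normal code here
}
else
{
    // probably should return an HTTP 401 Unauthorized code
    HttpContext.Current.Response.StatusCode = 401;
    HttpContext.Current.Response.End();
}
```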

You could even abstract this out so that it's one method call at the start of the request, satisfying your "avoid a lot of code" requirement.

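```csharp
using System.Web;

public class AsmxAuthenticationUtilities
{
    // Ends the request with HTTP 401 if the caller is not authenticated.
    public static void VerifyUserIsAuthenticated()
    {
        HttpContext context = HttpContext.Current;
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.End();
        }
    }
}
```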

Then at the start of your ASMX methods, you can call `AsmxAuthenticationUtilities.VerifyUserIsAuthenticated();`.

mason
  • This seems to go beyond the "I really do not want to write a lot of duplicate code in the every method to check for this." Your code requires to be in every method. You'd better have a pre-request handler that filters those requests out based on name or something. – Patrick Hofman Aug 03 '15 at 14:13
  • @PatrickHofman I believe ASMX follows the generic ASP.NET request pipeline, but doesn't have specialized pre-request handlers to hook into. So to write one, you'd need to pre-determine if the request will end up on an ASMX page, *then* determine if that particular method is allowed for unauthenticated users, perhaps by creating and applying an attribute, similar to the ones available in MVC and Web API. Not exactly trivial. I have however updated my answer with a pattern that will at least reduce the repetitive code so that it's no more code than applying an attribute. – mason Aug 03 '15 at 14:21
  • Nice work. +1. Indeed, one of the reasons to stay out of ASMX. – Patrick Hofman Aug 03 '15 at 14:21
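
The pre-request filter discussed in the comments above could look like the following `IHttpModule`. This is an added example, not code from the answers or comments, and it swaps the per-method attribute idea for a simpler allow-list; the service name `DataService.asmx` and the method `GetPublicCatalog` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: denies unauthenticated calls to any .asmx endpoint unless
// the service/method pair is explicitly allow-listed (fail closed).
public class AsmxAuthenticationModule : IHttpModule
{
    // Hypothetical service and method name; list only the methods that
    // may be called anonymously.
    private static readonly HashSet<string> AnonymousMethods =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "~/DataService.asmx/GetPublicCatalog"
        };

    public void Init(HttpApplication application)
    {
        // Fires after the authentication modules have established the user.
        application.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;

        bool isAsmx = string.Equals(request.CurrentExecutionFilePathExtension,
                                    ".asmx", StringComparison.OrdinalIgnoreCase);
        if (!isAsmx || request.IsAuthenticated)
            return;

        // HTTP GET/POST and JSON calls carry the method name in PathInfo
        // ("~/DataService.asmx" + "/GetPublicCatalog"). SOAP calls have an
        // empty PathInfo, so they never match and need an authenticated user.
        string target = request.AppRelativeCurrentExecutionFilePath + request.PathInfo;
        if (AnonymousMethods.Contains(target))
            return;

        context.Response.StatusCode = 401;
        // .NET 4.5+: stop Forms Authentication turning the 401 into a login redirect.
        context.Response.SuppressFormsAuthenticationRedirect = true;
        context.ApplicationInstance.CompleteRequest(); // skip the ASMX handler
    }

    public void Dispose() { }
}
```

Register the class in web.config under `system.webServer/modules` (or `system.web/httpModules` for the classic pipeline). Allowing anonymous SOAP access to a single method would additionally require reading the `SOAPAction` header, which this example deliberately leaves denied.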