I have an ASP.NET web application in which I use several web services to serve several AJAX requests. The problem is how to determine whether the corresponding call comes from the page that I have served. I use forms authentication in my pages. Is there any way in which I can authorise the user calling the web service through the same forms authentication?
2 Answers
This reminds me of an old question I already answered. Your scenario is different, but the root problem remains the same: if you call a web service from a Web Form, how do you share authentication data with the form?
There is no simple, closed-form solution to that. You can think about implementing WS-Security in the Web Service, and have the Web Form authenticate itself against the Web Service after checking that the user is authorized.
The Web Service won't share information about user login unless it is explicitly passed as a method parameter (i.e. `void PerformAction(string userId, ...)`), but remember that in this case the perspective changes dramatically.
This is the best idea that comes to my mind; however, keep in mind that either you deeply redesign your web service or you are unable to let user-generated clients (i.e. desktop applications compiled against your WSDL) use your service.
[Add] Now that you have explained your scenario in a little more detail, here comes the exciting part of software engineering :)
As I said in my comment, you have multiple options, for example:
- Storing username/password in the page's markup (in JavaScript variables) and having jQuery send them as a parameter to the web service. The WS will then authenticate the request based on that data. Not recommended, because if someone can access the user's cache the password is exploited (there are easier means to steal someone's password on a shared/public computer, I won't discuss them), and also because if you plan to switch from plain HTTP to HTTPS to secure authentication then you must secure the web service too.
- Have the web application generate an authentication token that is valid for the web service. The idea sounds like this: first, have a shared object between the webapp and the web service (like an object inside the `Application` collection) or, if the webapp and the web service are on different servers, use a DBMS; then, for each successful authentication in the webapp, generate a unique token (the session ID can be fine) and store it in a JS variable that will be passed to the web service; finally, when the web service is invoked, check against that shared object that the token is valid (i.e. the user is authenticated and still logged in, with permission to access that web service, so both authentication and authorization), otherwise reject it.
- I am calling the service via script (jQuery); I don't think that the authentication information can be explicitly passed via script. – Jishnu A P Jan 05 '11 at 07:17
- That seems a problem... Of course you could store your username/password in the page's markup and send them via jQuery, but I wouldn't suggest it. A smarter approach is to use a *token*. Editing and explaining how. – usr-local-ΕΨΗΕΛΩΝ Jan 05 '11 at 07:18
- But the cookies are probably passed, therefore if you're using Forms Authentication you might get information about the authenticated user (through the Forms Authentication ticket). – volpav Jan 05 '11 at 07:20
- Probably, you say? I'm not sure... it depends on the browser and the privacy level IMHO. Anyway, if you are sure that cookies are passed, you can perform cookie authentication or use the active **Session** (ASP.NET uses cookie-based sessions). – usr-local-ΕΨΗΕΛΩΝ Jan 05 '11 at 07:27
- Passing forms authentication cookies seems to be probable... but what if the user chooses to turn off cookies? – Jishnu A P Jan 05 '11 at 07:36
- Then no cookie is passed and you have troubles ;). ASP.NET can detect if cookies are disabled and use URL sessions for web forms. But that doesn't apply to web services, for which you must then follow one of my pieces of advice. – usr-local-ΕΨΗΕΛΩΝ Jan 05 '11 at 07:41
- Well, that seems to be the most practical way of tackling the problem... Store the same token in the session and the HTML markup, and check whether the request comes with the same token. – Jishnu A P Jan 05 '11 at 09:45
- You can also increase security by checking if the IP matches ;) – usr-local-ΕΨΗΕΛΩΝ Jan 05 '11 at 12:05
Since you are doing Forms authentication you can do something like this in your WebMethod:
```vb
If Not HttpContext.Current.User.Identity.IsAuthenticated Then
    Return Nothing
End If
```
It might be better to throw an exception if you are doing a GET though; that way the empty result doesn't get cached on the client side.
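The same check in C#, with the exception the answer suggests in place of `Return Nothing`, as an added example that is not the answer's own code (`AccountService` and the namespace URL are made-up): the service relies on the browser sending the forms-authentication cookie with the same-origin jQuery request, so `Context.User` is already populated from the ticket when the method runs, and the method is marked POST-only so there is no GET response for the client to cache in the first place.

```csharp
using System;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/")]
[ScriptService]   // lets jQuery call the methods with JSON
public class AccountService : WebService
{
    [WebMethod]
    [ScriptMethod(UseHttpGet = false)]   // POST only, so no GET result exists to be cached
    public string WhoAmI()
    {
        RequireAuthenticated();
        return Context.User.Identity.Name;   // name carried by the forms-auth ticket
    }

    // Throwing instead of returning null: the ASMX script handler turns the
    // exception into an error response (jQuery's error callback fires), so an
    // unauthenticated caller never receives an empty body that looks like data.
    private void RequireAuthenticated()
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Forms authentication ticket missing or invalid.");
    }
}
```

If the user has cookies disabled the ticket never reaches the service and every call is rejected; that is exactly the case the first answer's token parameter covers.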