Securing a web method
-
Is it possible to have a few secure and a few unsecured web methods within a web service? If yes, how?
Gurpreet
-
Put the security within the webmethod call itself. I have a service that does that: some methods are "public", others are only accessible by users in particular security groups. So the secure web methods have an if around all the code that checks if the user is allowed to use it. The web service implements Integrated Windows Authentication, so the user's identity is available, and I have a procedure that decides whether a user is authorised or not.
-
Could you provide me with an example / code snippet to do that?
Gurpreet
-
Well, not really, because I don't know how you want to secure it. In my webmethods I have, e.g.:

    if (isUserAuthorised(this.User.Identity.Name))
    {
        // do stuff in the web method
    }
    else
    {
        // return that they're unauthorised
    }

The isUserAuthorised method takes a string that is the user name, and you can then do whatever you want to determine if they are in fact allowed access. It depends on how you secure things. If you use AD groups, then check whether the user is in the appropriate group (google for DirectoryEntry - there should be loads of examples out there and you'd be looking for something with objGroup.Invoke("IsMember" ...); I can't remember the exact syntax). If you have some database that says whether they're allowed in, then call a stored procedure.
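A fuller sketch of the per-method check described in the answer above, added here as an example and not the poster's own code. It assumes a C# ASMX service under Integrated Windows Authentication and uses IPrincipal.IsInRole for the group test in place of the DirectoryEntry lookup; the class, method, namespace and group names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.invalid/demo")] // placeholder namespace
public class DemoService : WebService
{
    // Hypothetical group name; replace with the group that should have access.
    private const string AllowedGroup = @"EXAMPLE\ReportUsers";

    // "Public" method: no authorisation check, any caller may use it.
    [WebMethod]
    public string Ping()
    {
        return "pong";
    }

    // Secured method: the check runs before any work is done.
    [WebMethod]
    public string GetReport(int id)
    {
        RequireAuthorised();
        return "report " + id; // stand-in for the real work
    }

    // Plays the role of isUserAuthorised in the post, taking the whole
    // principal rather than only the user name.
    private static bool IsUserAuthorised(IPrincipal user)
    {
        // Fail closed: if anonymous access is enabled in IIS the caller is
        // not authenticated and Identity.Name is empty.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // With Windows authentication the principal is a WindowsPrincipal,
        // so IsInRole tests Windows/AD group membership.
        return user.IsInRole(AllowedGroup);
    }

    // Rejects the call with a SOAP fault instead of running the method body.
    private void RequireAuthorised()
    {
        if (!IsUserAuthorised(User))
            throw new SoapException("Not authorised", SoapException.ClientFaultCode);
    }
}
```

Every secured method has to call RequireAuthorised itself, so a new method that omits the call is open by default; reviewing each [WebMethod] for that call is part of maintaining this pattern.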