WCF in ASP.NET with authentication
I'm creating a WCF service to go in my ASP.NET application. I'm at the beginning stages, so mostly what I have is design questions. So basically there is data that I would like people to pull out, but only if they are authenticated. (Everyone pulling data would be external.) The way my application is designed is I have a certain ID that associates users with a specific company. So my end goal is to allow people with those companies to query data for their company only. So my thought was to create a table in my database that would have three columns: CompanyID, UserKey, UserSecret. My thought was that they would somehow pass the UserKey and UserSecret when they first initiate the connection to WCF. On the backend it will retrieve the CompanyID based off the key and secret. The reason for doing this is so when they call GetAllUsers() it will only get all users for their company and not other companies. So my questions are:

* Is my design wrong, or is there a better way to accomplish this?
* I chose not to use Active Directory authentication due to the added time it will take to authenticate a user against AD vs. SQL.

I was thinking along the lines of the way SoapHeaders work. They set the SoapHeader when they create the connection. Then each method on the web service would compare the key & secret against the database to make sure it existed (if it did, I would get the CompanyID back and use that for the methods such as GetAllUsers()). Thanks in advance!
Here is what I'm trying to do, but I'm having issues getting it to work since SecureAuthHeader is always null:
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Activation;

[DataContract]
public class SecureAuthHeader
{
    [DataMember]
    public string UserKey { get; set; }

    [DataMember]
    public string UserSecret { get; set; }
}

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class CPApi : ICPApi
{
    // Set once per session by SetAuthentication, then read by every other operation.
    public SecureAuthHeader Authentication;

    public void SetAuthentication(string _userkey, string _usersecret)
    {
        Authentication = new SecureAuthHeader();
        Authentication.UserKey = _userkey;
        Authentication.UserSecret = _usersecret;
    }

    // Element type was not given in the original; string is used here so the method compiles.
    public List<string> GetAllUsers()
    {
        string companyCode = IsAuthenticated;
        // MORE HERE
        return new List<string>();
    }

    // Resolves the session's key/secret to a CompanyID, or faults if they are missing or invalid.
    private string IsAuthenticated
    {
        get
        {
            if (Authentication == null)
                throw new FaultException("You must authenticate first.");
            try
            {
                DataTable ds = SqlLibrary.ReadSql(
                    "SELECT CompanyID FROM ApiAccess WHERE CustomerKey=@CustomerKey AND CustomerSecret=@CustomerSecret",
                    new SqlParameter[]
                    {
                        new SqlParameter("CustomerKey", Authentication.UserKey),
                        new SqlParameter("CustomerSecret", Authentication.UserSecret)
                    });
                if (ds == null || ds.Rows.Count == 0)
                    throw new FaultException("Invalid authentication.");
                return ds.Rows[0]["CompanyID"].ToString();
            }
            catch (Exception ex)
            {
                throw new FaultException(ex.Message);
            }
        }
    }
}
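The per-method key/secret check described in the question, as an added example that is not the asker's code: it reads the two values from SOAP headers on every call (PerCall instead of PerSession, so nothing depends on an earlier SetAuthentication call having reached the same service instance) and derives the CompanyID that scopes GetAllUsers. It assumes an ApiAccess table holding a SHA-256 hash of each secret in a varbinary SecretHash column rather than the secret itself, a Users table with UserName and CompanyID, a placeholder header namespace and connection string, and that UserSecret is a long random value, so a plain hash without a per-user salt is adequate.

```csharp
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;
// PerCall: no state survives between requests, so each message must carry the headers and no field can be null.
[ServiceContract, ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class CPApi
{
    const string HeaderNs = "http://example.invalid/cpapi/auth";  // placeholder header namespace
    const string ConnStr = "<connection string placeholder>";
    [OperationContract]
    public List<string> GetAllUsers()
    {
        string companyId = ResolveCompanyId();  // faults if the headers are missing or wrong
        var users = new List<string>();
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT UserName FROM Users WHERE CompanyID = @CompanyID", conn))
        {
            // Tenant scope comes from the credential lookup, never from a caller-supplied parameter.
            cmd.Parameters.AddWithValue("@CompanyID", companyId);
            conn.Open();
            using (var r = cmd.ExecuteReader()) while (r.Read()) users.Add(r.GetString(0));
        }
        return users;
    }
    // Reads UserKey/UserSecret from the incoming SOAP headers and maps them to a CompanyID.
    static string ResolveCompanyId()
    {
        var headers = OperationContext.Current.IncomingMessageHeaders;
        int k = headers.FindHeader("UserKey", HeaderNs), s = headers.FindHeader("UserSecret", HeaderNs);
        if (k < 0 || s < 0) throw new FaultException("You must authenticate first.");
        byte[] presented = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(headers.GetHeader<string>(s)));
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT CompanyID, SecretHash FROM ApiAccess WHERE UserKey = @UserKey", conn))
        {
            cmd.Parameters.AddWithValue("@UserKey", headers.GetHeader<string>(k));  // look up by key only
            conn.Open();
            using (var r = cmd.ExecuteReader())
                if (r.Read() && FixedTimeEquals(presented, (byte[])r["SecretHash"])) return r["CompanyID"].ToString();
        }
        throw new FaultException("Invalid authentication.");  // unknown key or wrong secret: same fault either way
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {   // XOR every byte instead of returning early, so timing does not reveal where the mismatch is
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The client adds the two headers inside an OperationContextScope with OperationContext.Current.OutgoingMessageHeaders.Add(MessageHeader.CreateHeader("UserKey", ns, key)) and likewise for UserSecret, and the endpoint needs HTTPS because the secret travels in the clear inside the SOAP envelope.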