Our CMS implements its own role-based access control for content management and whatnot, much like all the other CMSs out there ;) I've recently been playing around with the idea of trying to implement an extension of this access control into our web service API, with the eventual idea of choosing which users have access to what methods.

Has anyone implemented something like this, or know of any good resources I might be able to look into to get the ball rolling on it?

Our development is done entirely in .NET 2.0; however, if a principle exists in another language, I welcome it :)

+1  A: 

A custom SOAP Authorization Header is probably the most standard .NET 2.0 way to do this; check out this article on Experts Exchange, it gives a very simple implementation.

Basically, you define a SOAP header that passes the username and password on each service call. The service then has access to the credentials and can do any role lookup/authorization check it needs to and return the appropriate response. The username and password can come from Windows or can be inserted at runtime from config, etc. on the client side.

Guy Starbuck
A: 

For our business we implemented a security web service that other web services connect to in order to validate the consumer that is calling them. It is based on Application Username, Password, Authentication Code, and Access Level. The consumer provides all of the information except the Access Level. This is provided by the method being called itself. The authentication code is a time-sensitive code that is calculated by the consumer and verified by the security service and is only good for a window of time. A custom SOAP Authorization Header can be used for passing a lot of this information or you can pass it in the method call.

Access per Application User can be set on a per method basis or at a less granular Read/Write/Update/Delete/All level.

Web Site (App Username, Password, Authentication Code) ---> 
   Web Service (App Username, Password, Authentication Code, Access Level) -->
      Security Web Service (Returns True/False)

Hope this makes some sense!

pdavis
A: 

When implementing role-based security, I found that you first have to identify the operations that a particular user might perform. Once you have those, you can tie them together into roles and change them at will.

Think of each web method call as requiring one or more operations. Each method should accept the user's name/password or token. The method will make one call to your database or other storage mechanism to determine whether the identified user does indeed have the required operations assigned to them. Then, if everything is good, execute the rest of the method.

It's actually not that complicated and extremely flexible.

Chris Lively
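Putting pdavis's time-windowed authentication code and Chris Lively's operations-to-roles model together, here is an added example (not code from any of the answers, and in Python rather than .NET) of the check a security service would run per method call. The users, roles, method-to-operation table and shared secrets are constructed sample data, and deriving the code as an HMAC over the current time window is an assumption; the answers do not name a scheme.

```python
import hmac
import hashlib

# Constructed sample data: application users with their shared secret and roles,
# and the operations each role grants.
USERS = {
    "cms-site": {"secret": b"site-shared-secret", "roles": {"editor"}},
    "reporting": {"secret": b"report-shared-secret", "roles": {"reader"}},
}
ROLES = {
    "reader": {"content.read"},
    "editor": {"content.read", "content.write"},
    "admin": {"content.read", "content.write", "content.delete", "users.manage"},
}
# Each web method declares the operations it requires (the "access level"
# is supplied by the method itself, never by the caller).
METHOD_OPERATIONS = {
    "GetArticle": {"content.read"},
    "UpdateArticle": {"content.read", "content.write"},
    "DeleteArticle": {"content.delete"},
}
WINDOW_SECONDS = 300  # an authentication code is only good for one window

def make_auth_code(secret: bytes, now: int, window: int = WINDOW_SECONDS) -> str:
    """Consumer side: derive the code from the shared secret and the
    current time window (HMAC is an assumption, not the answer's scheme)."""
    counter = str(now // window).encode()
    return hmac.new(secret, counter, hashlib.sha256).hexdigest()

def verify_auth_code(secret: bytes, code: str, now: int, window: int = WINDOW_SECONDS) -> bool:
    """Security-service side: accept the current window and the previous one,
    so a code minted just before a window boundary is not rejected."""
    for candidate_now in (now, now - window):
        expected = make_auth_code(secret, candidate_now, window)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False

def authorize(app_user: str, code: str, method: str, now: int) -> bool:
    """True only if the caller proves knowledge of the secret for this time
    window AND its roles grant every operation the method requires."""
    user = USERS.get(app_user)
    required = METHOD_OPERATIONS.get(method)
    if user is None or required is None:
        return False  # unknown caller or unknown method: deny by default
    if not verify_auth_code(user["secret"], code, now):
        return False
    granted = set().union(*(ROLES.get(r, set()) for r in user["roles"]))
    return required <= granted  # every required operation must be granted
```

Because the method, not the caller, names the operations it needs, adding a new method or reassigning a role never requires touching the consumer.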