I couldn't think of a decent title, so let me first apologize for that.

I have a WebService (call it A) written for my app so I can take advantage of ASP.NET 3.5 AJAX features. I use the generated JavaScript proxy to make AJAX calls.

As a side effect, WebService A is exposed for anyone to add as a reference to another project, which is great, except I don't want certain WebMethods to be available to external applications (in the same domain, BTW).

So I've got two questions:

  • Is there a way to control the exposure of WebMethods in WebService A?

If there isn't, I'm thinking I'll just add a separate WebService (B) that exposes the WebMethods I need from WebService A. But then,

  • How can I prevent other applications from referencing WebService A while still allowing the application it originates in to access it?

If that's not possible, I'm not really worried about it. The apps are all intranet-only, I just don't want the WebServices to be abused.

Also, there is a similar question here already without any good answers. The asker describes almost the same situation I'm in: http://stackoverflow.com/questions/1909484/asp-net-webservice-deny-remote-access

A: 

I'd create a public webservice and a private one for security purposes.

Ariel
Well, right, that's the idea, but **how** to make one "private" is my question.
Cory Larson
I don't think there's a way to control that...
Ariel
+1  A: 

To create those public/private webservices, you can place your .asmx into another folder, create a new web.config file and define your authorized users inside an <authorization> section.

This document describes this configuration in detail: Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication.

Rubens Farias
Here's what I ended up doing: I added a new project to my solution that contained the "external" service and published it to a new location so I can control the authentication and authorization separately from my main application.
Cory Larson
A: 

You could use a custom SOAP header in the service to require credentials to be passed to the methods you wanted to protect. This would still "expose" the methods but they would be inaccessible. Application X would be allowed to access all of the methods because it would be designed to use the appropriate security header, but application Y would be denied access (though it would be able to make use of any public types/enums, etc).

http://msdn.microsoft.com/en-us/library/ms819938.aspx

Joel Etherton
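As an added illustration of the custom SOAP header approach described in this answer (example code, not from the original thread), in the same VB.NET the thread already uses; the service name, namespace, header field names and method names are assumptions:

```vbnet
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.Web.Security

' Header carried inside the SOAP envelope. Methods that declare it as Required
' are rejected by ASP.NET before their body runs when a caller omits it.
Public Class CredentialsHeader
    Inherits SoapHeader
    Public UserName As String
    Public Password As String
End Class

<WebService(Namespace:="http://example.invalid/ServiceA")> _
Public Class ServiceA
    Inherits WebService

    ' Populated by ASP.NET from the incoming CredentialsHeader element.
    Public Credentials As CredentialsHeader

    ' Unprotected method: any caller that references the .asmx can use it.
    <WebMethod()> _
    Public Function Ping() As String
        Return "ok"
    End Function

    ' Protected method: the header is mandatory and is checked before any work is done.
    <WebMethod(), SoapHeader("Credentials", Required:=True)> _
    Public Function GetInternalData() As String
        RequireValidCredentials()
        Return "internal data"
    End Function

    ' Validates against the <credentials> section of web.config, the same store the
    ' forms-authentication answer below uses; Membership.ValidateUser is the
    ' equivalent call when a membership provider is configured.
    Private Sub RequireValidCredentials()
        If Credentials Is Nothing OrElse String.IsNullOrEmpty(Credentials.UserName) _
           OrElse Not FormsAuthentication.Authenticate(Credentials.UserName, Credentials.Password) Then
            ' ClientFaultCode tells the caller the request, not the server, was at fault.
            Throw New SoapException("Invalid or missing credentials.", SoapException.ClientFaultCode)
        End If
    End Sub
End Class
```

The header travels in clear text inside the envelope, so serve the .asmx over HTTPS even on the intranet; note also that the ASP.NET AJAX JSON proxy does not send SOAP headers, so this check only guards the SOAP endpoint, while the AJAX calls from the originating page rely on the forms-authentication cookie instead.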
+1  A: 

I use a standard web service with forms authentication as follows:

    Imports System.Net
    Imports System.Web.Security
    Imports System.Web.Services

    ' ************************************
    ' **** Example with Windows Forms ****
    ' ************************************
    ' Taken from http://www.dotnetbips.com/articles/dbd724e9-78f0-4a05-adfb-190d151103b2.aspx
    ' **** Login *************************
    '   Dim x As New localhost.Service1()
    '   Dim cc As New CookieContainer()
    '   Dim cookiecoll As New CookieCollection()
    '
    '   x.CookieContainer = cc
    '   x.Login("user1", "password1")
    '   cookiecoll = x.CookieContainer.GetCookies(New Uri("http://localhost"))
    '   Session("sessioncookie") = cookiecoll("CookieName")
    ' **** Logout ************************
    '   Dim x As New localhost.Service1()
    '   Dim cc As New CookieContainer()
    '   Dim sessioncookie As Cookie
    '   x.CookieContainer = cc
    '   sessioncookie = CType(Session("sessioncookie"), Cookie)
    '   If Not sessioncookie Is Nothing Then
    '       x.CookieContainer.Add(sessioncookie)
    '   End If
    '   x.Logout()
    '   Session.Remove("sessioncookie")
    ' ************************************

    Public Class Service1
        Inherits WebService

        ' Checks the credentials against the <credentials> section of web.config
        ' and, on success, issues the forms-authentication cookie to the caller.
        <WebMethod()> _
        Public Function Login(ByVal UserName As String, ByVal Password As String) As Boolean
            If UserName.Length > 0 AndAlso Password.Length > 0 Then
                If FormsAuthentication.Authenticate(UserName, Password) Then
                    FormsAuthentication.SetAuthCookie(UserName, False)
                    Return True
                End If
            End If
            Return False   ' empty or rejected credentials
        End Function

        ' Call this first from every WebMethod that must not be reachable anonymously.
        Public Sub ValidateAuthentication()
            If Not Context.User.Identity.IsAuthenticated Then
                Throw New System.UnauthorizedAccessException("User is not authenticated.")
            End If
        End Sub

        <WebMethod()> _
        Public Sub Logout()
            If Context.User.Identity.IsAuthenticated Then
                FormsAuthentication.SignOut()
            End If
        End Sub
    End Class
Rick Ratayczak