I have an ASP.Net MVC app where I want to allow clients to download data via a webservice. However, I want to only allow authenticated clients to access their data.

At first I added deny users="*" to the path in my web.config, but this creates difficulty when trying to add the webservice as a reference because I already have forms authentication for the application (redirecting to my login page). By difficulty I mean, when you try to add the service reference in VS you get redirected to the login page. You then get weirdness trying to log in (in the browser within the Add Services screen) as the page keeps refreshing.

My current solution is to not have deny users="*" and just check "IsAuthenticated" for each method, which isn't too bad because there are only a few methods. However, this does expose the available web methods, which makes it less secure?

Any suggestions or better solutions?

+1  A: 

You want:

deny users="?"

Instead of:

deny users="*"

The top one ensures everyone is authenticated.

The bottom one won't allow anyone in.

Chris
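
The two rules from the answer side by side in a web.config, as an added example that is not part of the original answer. Both paths are hypothetical placeholders; ASP.NET URL authorization evaluates rules top-down and applies the first one that matches the user.

```xml
<configuration>

  <!-- Hypothetical service path: replace with the real one. -->
  <location path="Services/DataService.asmx">
    <system.web>
      <authorization>
        <!-- "?" matches anonymous (unauthenticated) users only.
             Authenticated users match no rule here and fall through
             to the inherited default, allow users="*". -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Second hypothetical path, showing the rule from the question. -->
  <location path="Services/LockedOut.asmx">
    <system.web>
      <authorization>
        <!-- "*" matches every user, authenticated or not, so this
             rule is the first match for everyone and nobody gets in. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```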