How to effectively authenticate the user calling a webservice?

Question

Hi,

In a multi-server environment, users will be able to use a page to put, update or delete files on the servers. I was considering using a webservice (on each server) called by the IIS thread to do that work (with an aspx management page).

However, for obvious reasons, I don't really want anyone to be able to call that webservice (by POSTing a well-formed request from their machines).

I am wondering what would be the most effective (in terms of complexity, scalability) way to ensure that the access to the webservice is restricted to my page (token? Sending the current user's Principal? I don't have access to their password so sending the login/password couple is out of the question)

Answer 1

You can associate a SHA1 hash with the IP address for each incoming request generated by the combination of the browser (e.g MSIE6.0 or FireFox3), IP address, username(if possible) and/or time, and store this in a DB (sqlite maybe) with an expiry time that is suitable to let the file uploads/transfer complete (say 1 hour). So for each request you can check for the associated hash with the IP address.

If by page you mean through a browser, then I suggest using a cookie to transfer the Hash.

Note: I say SHA1 hash because its 160 bits long (40 bytes). So collisions are not easy to come by especially if you use time in combination with something unique to the user to generate a digest.

I work on C++ so I've implemented a similar functionality in a CGI application.

Answer 2

You should be able to get the user that's calling the web service by getting the IPrinciple object stored at:

IPrinciple _currentUser = HttpContext.Current.User;

Once you get the current user, you should be able to do your validation on whether or not that user has the permissions to do whatever action they're attempting to do by either checking if the user is in the proper role, or whatever other means you have set up to check permissions.