This is what I wish to achieve:

My ASP.NET web service is hosted on a server called //service. I want to control access to the web service by server and by application as well. What I mean here is if I have two ASP.NET web applications (app1 and app2) hosted on a server called //web1 and I only want //web1/app1 to be able to call the web service. I know that I can grant access to the IP address of //web1 but that would allow both //web1/app1 and //web1/app2 access to the web service.

I am thinking about using an SSL certificate as I don't want the web application to handle the login/password. On //service, I will grant access to the IP of //web1 and map a client certificate from //web1 to a Windows account, and this will allow only applications from //web1 to access. But then how do I further control the access to only //web1/app1?

+2  A: 

You can use standard HTTP Authentication to control which applications have access to your web service.

Credentials are passed in the Authorization header with each request. Every web service client (i.e. //web1/app1) should have its own credentials, so if //web1/app2 tried to connect to the web service without providing recognized credentials, it would be denied access.

I recommend using SSL to encrypt all traffic, so that authentication information and other sensitive data are secure.

Here are a few articles that may be helpful:

Good luck!

David Crow
A: 

Thanks David!

I should have added these:

  • I would like to set up a server that will host all the web services
  • All client applications that need access to one of the web services on the server will need approval
  • I don't want to give away any login credentials to the client application

So the flow process is as follows:

  • client application //web1/app1 applies for approval to connect to one of the web services, ws, on /service
  • approved. //service will grant IP access to //web1/app1 and map the client certificate to a Windows login that has access rights to /service/ws
  • /web1/app1 will use a server certificate issued from /service to connect to /service/ws

Can you tell me if this is the correct way to use certificates to authenticate a web service?

Gnot
A: 

Not really.

A certificate secures the transmission between the client and server domain. It doesn't really work to have multiple certificates for multiple subdirectories.

What you'd want to do is to create a login service that returns a token. You then use that token to manage the session on the server side, and the client uses it along with every subsequent request to access and execute the available services. (Can this token access this web service? t/f)

You're going to have to give the client access to some sort of credentials. Whether that is a certificate exchange or a user/pass, you're going to have to figure out who the client actually is.

Nathan