I'm creating a web service that'll be called from a web form in ASP.NET. How does the web service check if the user is logged in and if it is the logged-in user that's actually requesting the service?

Thanks

A: 

It cannot. Since you're going to call the web service from ASP.NET, you're building a 3-tier application.

Tier 1 is the browser and tier 2 is the ASP.NET web application. They share cookies and session variables, so ASP.NET can always authenticate the user. And you already know that.

Tier 3 is the web service. Communication between 2 and 3 is done over a different HTTP connection, sharing different cookies (actually none) and session variables (again, actually none because calls are stateless).

You then have no way to allow the web service on tier 3 to authenticate the client on tier 1.

HOWEVER...

There is still a possibility, but only if your web service is local to your ASP.NET webapp. That's unlikely to occur, really, because web services are made for remote calls, not local calls. I don't think it's your case.

djechelon
@djechelon: how do I set up a web service for local calls only?
You actually remove the .asmx file and keep only the .cs file of your service. **I mean**, you can implement your *abstract* service not as a web service but as a class within your web application. You will then be able to call it only locally. The Web Service technology is useful only for remote calls. Local services are implemented by regular classes :) that's all
djechelon
@djechelon You can get the cookies and session from web services... http://msdn.microsoft.com/en-us/library/aa480509.aspx
Aristos
Aristos, please don't confuse the tiers!! When the ASP.NET server (serving the .aspx web form) invokes the web service, it instantiates a brand new HTTP proxy. It doesn't propagate cookies from its client. As it's written in the article, "System.Web.Services.Protocols.SoapHttpClientProtocol class does not have an instance of the System.Net.CookieContainer class". But you can always write `new Service().Method()` in your web form. THAT will work (local call to object)
djechelon
A: 

If this is a local web service, as djechelon suggests, they will share session state and you are all set. Use djechelon's answer, ignore mine :)

If not, ask the larger question: what is stopping someone from calling your web service outside the context of your web app, using a tool like soapUI?

1) Lock down your service (using WCF Security). http://msdn.microsoft.com/en-us/library/ms731925.aspx

2) Create a local web service that checks authentication/authorization, and calls the web service, passing the authorization information.

This is one approach that values the operation the WS performs over redundant web service calls. It is at your discretion whether a WS that calls another fits your performance needs.

brian chandley
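
One way to carry out option 2 above, as an added example that is not part of either answer: the ASP.NET tier, having authenticated the user itself, signs the user name with a key it shares with the web service, and the service rejects any call whose assertion does not verify (for instance a direct call from soapUI). The `UserAssertion` class, the token layout, the two-minute window and the shared HMAC key are all assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper, not from the answers: tier 2 vouches for the user it authenticated.
public static class UserAssertion
{
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(2); // assumed freshness window

    // Tier 2 (ASP.NET app): call only after its own login check has succeeded.
    public static string Issue(string userName, byte[] sharedKey, DateTime utcNow)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName)) + "." + utcNow.Ticks;
        return payload + "." + Sign(payload, sharedKey);
    }

    // Tier 3 (web service): checks the MAC before trusting any field; null if forged or stale.
    public static string Verify(string token, byte[] sharedKey, DateTime utcNow)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3 || !long.TryParse(parts[1], out long ticks)) return null;
        if (!FixedTimeEquals(Sign(parts[0] + "." + parts[1], sharedKey), parts[2])) return null;
        TimeSpan age = utcNow - new DateTime(ticks, DateTimeKind.Utc);
        if (age < TimeSpan.FromSeconds(-30) || age > MaxAge) return null;
        return Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
    }

    static string Sign(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32]; // constructed demo key; share it between tiers 2 and 3 only
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        DateTime now = DateTime.UtcNow;
        string token = Issue("alice", key, now); // "alice" is a constructed user name
        Console.WriteLine("valid:  " + (Verify(token, key, now) ?? "(rejected)"));
        Console.WriteLine("forged: " + (Verify(Issue("alice", new byte[32], now), key, now) ?? "(rejected)"));
        Console.WriteLine("stale:  " + (Verify(token, key, now.AddMinutes(10)) ?? "(rejected)"));
    }
}
```

The assertion can be replayed inside the freshness window, so the connection between the web app and the web service still needs TLS, and the key must never reach the browser.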