tags:

views:

1017

answers:

4
+2  Q: 

Is it possible to secure a web service with Forms Authentication?

We are looking to secure a bunch of ASP.Net 2.0 .asmx web services. The which will host the web services is already forms authenticated.
Is it possible to secure the web services using forms authentication? What are the pros and cons and other possible ways to achieve this. We certainly don't want to pass a username/pwd or token in each web method call.

A: 

It is possible, but you will need to redirect users to a login page. Another option for passing username/pw is to use the web service over ssl. If you encrypt the connection, basic authentication can be used no problem.

jle  2009-02-17 05:36:04
+3  A: 

The thing with forms authentication is that its designed for people, where as a web service is designed to be consumed by a client application. While it is possible to do the authentication like this its the wrong way of thinking.

The level of secure obviously depends upon the sensitivity of data that you're working with, but I'm going to assume its at least somewhat secure (but less than bank transactions). You could perhaps use SSL and passing a username and password as jle suggested, while I was typing this, or you could require an api key much like flicker does.

Another more secure option is to only pass the username and password once (and with the security of ssl) and have that give out a token that is valid for a period of time. This has the benefit of protecting the password information, and avoiding the constant overhead of ssl.

As mentioned though, it highly depends on HOW sensitive the information is that you're trying to secure.

Vertis  2009-02-17 05:39:56
A: 

You should be able to use WSE to secure your service using forms authentication - though personally I've never had to do it.

Here are some resources using WSE:

To not use WSE you'd need to implement something like this as some of the other presponders have alluded to, though I'm not sure how reliable it would be:

brendan  2009-02-17 05:43:38
+1  A: 

WSE is obsolete. Do not use it unless you have no choice at all.

Almost all the functions of WSE are implemented better by WCF. The remaining capabilities, those not implemented by WCF, are obsolete themselves (DIME, for instance).

John Saunders  2009-02-17 18:25:00

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?