I have a C# ASP.NET 3.5 web application which uses forms authentication. Users log in with their username and password on login.aspx, are authenticated using custom authentication logic and are then directed to input.aspx, where they enter some parameters and get a response on output.aspx. If they try to access input.aspx without authenticating themselves, they are redirected to login.aspx.

The same users want to be able to use the functionality of this web application without using the UI, from a Unix environment. So I added a web service file (.asmx) to this web application. I didn't create a separate project for this web service because the web service uses code files and code in global.asax of the existing web application, and I should not duplicate that code for the web service.

The web service functionality works fine now, though I don't know how to authenticate the users. The web service client will send username and password once (maybe using a 'login' webmethod, which I can write to authenticate them) and then should be able to send multiple requests (maybe until they call a 'logout' webmethod or until their session/cookies expire).

For web requests to not get redirected to the login.aspx page, I excluded the .asmx file from Forms authentication using the location tag in web.config. (I don't know if that's the way to go.) But then I am thinking that the user is not then authenticated in the web application and so the web application code that the service uses won't be accessible, right?

+1  A: 

I would recommend a quick read on this link (http://msdn.microsoft.com/en-us/library/ms977327.aspx) and then follow it up with this one (http://msdn.microsoft.com/en-us/library/9z52by6a(VS.80).aspx). A custom security header is probably where you want to go to secure your web service outside of forms authentication. It does mean that each method call needs to have the header supplied though.

Joel Etherton
Thanks. When the web service authenticates the user, the web application needs to know that this user has logged in, similar to when the user logs in using a web form login.aspx.
engg
That's what the SOAP header can accomplish. The credentials embedded in it can be the same. They just have to be passed/attached for each request.
Joel Etherton
Ok Thanks, so if user credentials are passed in SOAP headers in a web request, will the request not be redirected to the login.aspx page?
engg
No, if you exclude it from FormsAuthentication as you mentioned, then the SOAP header would have to be processed independently of that. However, as you will read, the authentication source can be the same mechanism.
Joel Etherton
engg
I just need to somehow simulate user logging in on login.aspx by providing username, password using the web application UI.
engg
Yeah, all global application code is accessible. The login methods in that article should work, but as the article states, each request to the web service will need separate authentication. I'm not sure what client you are referring to. It doesn't seem to be a web browser, I'm thinking. If you are building this client, you could create a proxy for the web service and the proxy would handle the authentication without the UI ever being aware of it.
Joel Etherton
Thanks. The web service client is going to be on Unix. It's not a web browser. That article says that authentication is required on the first call only. I will try it out.
engg
Joel, I will get back soon. Thanks for your prompt comments.
engg
Joel, I am working on something else these days. I will update when I get back. Thanks.
engg
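
The custom SOAP header approach from the answer, sketched as an added example that is not from the original post or the linked MSDN articles. `InputService`, `Process`, `CustomAuth.Validate` and the namespace URI are hypothetical names; `CustomAuth.Validate` stands in for the custom logic login.aspx already uses, and the .asmx is assumed to be excluded from forms authentication as described in the question.

```csharp
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// SOAP header carrying the caller's credentials on every request.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

// Hypothetical stand-in for the application's existing custom login check
// (the same logic login.aspx calls); replace the body with the real call.
public static class CustomAuth
{
    public static bool Validate(string username, string password)
    {
        return false; // constructed placeholder: denies until wired up
    }
}

[WebService(Namespace = "http://example.invalid/inputservice")]
public class InputService : WebService
{
    // Filled in by ASMX from the AuthHeader element of the SOAP envelope;
    // stays null when the client sends no header.
    public AuthHeader Credentials;

    [WebMethod]
    [SoapHeader("Credentials")]
    public string Process(string parameters)
    {
        RequireAuthenticatedCaller();
        // Shared application code can now read HttpContext.Current.User.
        return "processed for " + Context.User.Identity.Name;
    }

    private void RequireAuthenticatedCaller()
    {
        // The password travels inside the envelope, so refuse plain HTTP.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        // Same fault for missing and wrong credentials, so the response
        // does not reveal which usernames exist.
        if (Credentials == null || string.IsNullOrEmpty(Credentials.Username) ||
            !CustomAuth.Validate(Credentials.Username, Credentials.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        // Attach an identity to this request only; nothing is kept in session.
        Context.User = new GenericPrincipal(
            new GenericIdentity(Credentials.Username, "SoapHeader"), new string[0]);
    }
}
```

Because the .asmx bypasses forms authentication, every `[WebMethod]` must call the check itself; a method that omits it is reachable anonymously.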