Hey Everyone,

Are there any good examples out there of how the following webservice would work? I would like a Windows/web client to be able to access a webservice, but the client should pass a username, password, and IP address, and the webservice should be able to determine if it is on the list of allowed users or not before taking the request.

Thanks in advance!

+1  A: 

With WCF, you can do this by using TransportWithMessageCredential security (over SSL) and providing your own password validator. At this point, however, you don't (I'm told) have access to the client IP; for that you'd need to check the IP in your method itself - you can do this using RemoteEndpointMessageProperty, like so.

If you don't want to go down the TransportWithMessageCredential route, then it is also valid (but ungainly) to pass the username and password as arguments to the method (as long as the transport is secure).

Marc Gravell
I won't be able to use SSL right now, so I'm trying to figure out a secure way to go about creating a webservice and allowing only certain clients access to it. The information that's going to be passed is extremely confidential and if anyone managed to get ahold of it, I'd be out of a job.
Newbie
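The approach from the answer above, as an added example that is not code from the thread: a custom `UserNamePasswordValidator` checks the credentials, and the service method checks the caller's address through `RemoteEndpointMessageProperty`. The `Client` and `AllowList` types, the `IReportService` contract and the PBKDF2 parameters are assumptions made for illustration, and the code assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical store: per-user salted PBKDF2 hash plus the source addresses that user may call from.
public sealed class Client { public byte[] Salt, Hash; public HashSet<IPAddress> Ips; }
public static class AllowList
{
    public static readonly Dictionary<string, Client> Users = new Dictionary<string, Client>();
    public static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
}
// Enabled with <userNameAuthentication userNamePasswordValidationMode="Custom"
//   customUserNamePasswordValidatorType="..."/> on a TransportWithMessageCredential binding.
public class AllowListValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        Client c;
        bool known = AllowList.Users.TryGetValue(userName ?? "", out c);
        // Derive even for unknown users so response time does not reveal which names exist.
        byte[] actual = AllowList.Derive(password ?? "", known ? c.Salt : new byte[16]);
        byte[] expected = known ? c.Hash : new byte[32];
        int diff = 0;
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
        if (!known || diff != 0) throw new SecurityTokenException("Unknown user or bad password.");
    }
}
[ServiceContract]
public interface IReportService { [OperationContract] string GetReport(); }
public class ReportService : IReportService
{
    public string GetReport()
    {
        var ctx = OperationContext.Current;
        // The address is the TCP peer WCF saw; behind a proxy or load balancer it is the proxy's.
        var remote = ctx.IncomingMessageProperties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
        string user = ctx.ServiceSecurityContext.PrimaryIdentity.Name; // name accepted by the validator
        Client c; IPAddress ip;
        if (remote == null || !IPAddress.TryParse(remote.Address, out ip)
            || !AllowList.Users.TryGetValue(user, out c) || !c.Ips.Contains(ip))
            throw new FaultException("Access denied.");
        return "report body"; // constructed placeholder payload
    }
}
```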
+1  A: 

We have a WebService Login method that verifies supplied credentials. A ticket value is returned if the user is validated.

This ticket is then used as a SoapHeader when using every other WebMethod. http://msdn.microsoft.com/en-us/library/system.web.services.protocols.soapheader.aspx

Jesper Palm
A: 

Well, you can set the web service to use NT authentication, which will get a token representing the username and password. The allowed users will be defined by the NT security. As far as the IP address goes, that will be passed in the HTTP headers by default.

Kevin