Best Practice Security

Discussion in 'ASP .Net' started by Steve B., Jan 25, 2006.

  1. Steve B.

    Steve B. Guest

    Hi,

    I've built an application based on some Web Services.

    Web Services are separated across some asmx files, according to the business
    service it provides.

    In each web service, there are some webmethods that are accessible for all
    users, and some other ones that require more rights.

    What is the best way to set up the webservices?

    I'm using NT authentication, and I'll create some NT groups to create roles
    in the app.
    Is it the "correct" way ?

    How can I allow or deny a specific web method within each asmx file?

    Thanks,
    Steve
     
    Steve B., Jan 25, 2006
    #1

  2. I'd suggest using different asmx files for each level of security required.
    You can apply Windows ACLs to restrict access by file.

    You can also put each file in its own subdirectory and use Windows security
    to restrict access to the subdirectory or you can put a web.config in each
    subdirectory with just an Authorization subsection (and appropriate
    supersections as required) to limit access using the "Allow" element. All of
    the rest of the configuration settings will take the parent (either a higher
    level folder with a web.config or the machine.config if no higher level
    web.configs exist) level setting and only the permissions will be set for the
    subfolders.

    As a last resort, if you want to limit access by WebMethod, you'd have to
    use impersonation and Windows integrated security on the clients, and use an
    IPrincipal.IsInRole method to establish the group membership for the user and
    just code the method to throw an exception or do nothing if the user is not
    authorized.

    --
    Dale Preston
    MCAD C#
    MCSE, MCDBA


     
    Dale, Jan 26, 2006
    #2
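The per-WebMethod check described in reply #2, as an added example that is not code from the thread. The service, method and NT group names are hypothetical, and it assumes Windows authentication is enabled for the application with anonymous access turned off in IIS.

```csharp
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// Added example: service, method and group names are hypothetical.
// Assumes <authentication mode="Windows" /> and anonymous access disabled in IIS.
[WebService(Namespace = "http://example.com/orders")]
public class OrderService : WebService
{
    // Assumed NT group backing the application's admin role.
    private const string AdminGroup = @"EXAMPLE\OrderAdmins";

    // Available to every authenticated caller: no role check.
    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        return "Order " + orderId + ": shipped"; // placeholder logic
    }

    // Restricted: the role check runs before any business logic.
    [WebMethod]
    public void CancelOrder(int orderId)
    {
        DemandRole(AdminGroup, "CancelOrder");
        // ... privileged work goes here ...
    }

    // Fails closed: a missing, unauthenticated or non-member principal
    // is rejected with a SOAP fault instead of silently doing nothing.
    private void DemandRole(string ntGroup, string method)
    {
        IPrincipal user = Context.User; // WindowsPrincipal under Windows auth
        bool authenticated = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated;

        if (authenticated && user.IsInRole(ntGroup))
            return;

        // Record the denial server-side so repeated attempts can be reviewed.
        string name = authenticated ? user.Identity.Name : "(anonymous)";
        System.Diagnostics.Trace.TraceWarning(
            "Denied {0} for {1}: not in {2}", method, name, ntGroup);

        // Generic message: do not tell the caller which group is required.
        throw new SoapException("Access denied.", SoapException.ClientFaultCode);
    }
}
```

Throwing a fault rather than returning silently lets the client distinguish a denied call from a successful one, and the trace line gives the server a record of each refusal.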