XML Webservice authentication

Discussion in 'ASP .Net Security' started by Dominick Baier [DevelopMentor], Mar 1, 2006.

  1. Hi,

    formsauth is not supported - i wouldn't recommend using cookies - the "web
    service way" would be to use a SOAP header. Thats basically what WS-Security
    specifies. Have a look at WSE3 here: http://msdn.microsoft.com/webservices/

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Is it possible to use FormAuthentication or do I have to manage my own
    > cookies and if so a sample/URL would be greatly appreciated.
    >
     
    Dominick Baier [DevelopMentor], Mar 1, 2006
    #1
    1. Advertising

  2. Hi,

    I would say that it depends what you are planning to do a and who is goinf
    to acess your web service and from where.

    In other words do you planned to published your web service or does your web
    service is part of your asp application.

    The most secure would be to use security feature of IIS and use Windows
    Authentication. Cookies are not secure and are mainly used to retain user
    information except sensitive data.

    If you want to provide FromAuthentication then you could keep in cookies a
    unique GUI corresponding to the user and then refer to that GUI from a
    database where you will extract information.

    hope it helps
    regards
    serge

    "GMG" wrote:

    > Is it possible to use FormAuthentication or do I have to manage my own
    > cookies and if so a sample/URL would be greatly appreciated.
    >
    >
    >
     
    serge calderara, Mar 1, 2006
    #2
    1. Advertising

  3. Dominick Baier [DevelopMentor]

    GMG Guest

    Is it possible to use FormAuthentication or do I have to manage my own
    cookies and if so a sample/URL would be greatly appreciated.
     
    GMG, Mar 1, 2006
    #3
  4. Dominick Baier [DevelopMentor]

    GMG Guest

    ok, the purpose of this xml webservice is to only return simple XML (not
    SOAP). It will serve the XML over the Internet to a third party application
    which will make the requests, but will need to be authenticated via a
    cookie. How can I achieve this in my Web Service ?

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hi,
    >
    > formsauth is not supported - i wouldn't recommend using cookies - the "web
    > service way" would be to use a SOAP header. Thats basically what

    WS-Security
    > specifies. Have a look at WSE3 here:

    http://msdn.microsoft.com/webservices/
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > Is it possible to use FormAuthentication or do I have to manage my own
    > > cookies and if so a sample/URL would be greatly appreciated.
    > >

    >
    >
     
    GMG, Mar 2, 2006
    #4
  5. Dominick Baier [DevelopMentor]

    Josh Twist Guest

    One of the key features FormsAuthentication offers is automatic
    redirect for non-logged in users to a login page. As I'm sure you'll
    appreciate this makes no sense in the context of a web service.

    Most web services don't use cookies in this way, they simply request
    the username/password with each request. You can even use WSE
    (http://msdn.microsoft.com/webservices/building/wse/) to help you do
    this in an industry standard way (WS-Security standard).

    If you have any questions about any of this - just shout!

    Josh
    http://www.thejoyofcode.com/
     
    Josh Twist, Mar 2, 2006
    #5
  6. Hi,

    what do you mean with "but will need to be authenticated via a cookie" ??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > ok, the purpose of this xml webservice is to only return simple XML
    > (not SOAP). It will serve the XML over the Internet to a third party
    > application which will make the requests, but will need to be
    > authenticated via a cookie. How can I achieve this in my Web Service ?
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hi,
    >>
    >> formsauth is not supported - i wouldn't recommend using cookies - the
    >> "web service way" would be to use a SOAP header. Thats basically what
    >>

    > WS-Security
    >
    >> specifies. Have a look at WSE3 here:
    >>

    > http://msdn.microsoft.com/webservices/
    >
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Is it possible to use FormAuthentication or do I have to manage my
    >>> own cookies and if so a sample/URL would be greatly appreciated.
    >>>
     
    Dominick Baier [DevelopMentor], Mar 2, 2006
    #6
  7. aha -

    so you have a web application which already does authentication using forms
    and on some pages you call a webservice..?


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > The client will be Internet Explorer HTML pages using XML Data Island
    > technology, the only solution I can see is to use cookies, but I am
    > new to Web Services so may be there is a better techonology I can use.
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hi,
    >>
    >> what do you mean with "but will need to be authenticated via a
    >> cookie" ??
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> ok, the purpose of this xml webservice is to only return simple XML
    >>> (not SOAP). It will serve the XML over the Internet to a third party
    >>> application which will make the requests, but will need to be
    >>> authenticated via a cookie. How can I achieve this in my Web Service
    >>> ?
    >>>
    >>> "Dominick Baier [DevelopMentor]"
    >>> <> wrote in message
    >>> news:...
    >>>
    >>>> Hi,
    >>>>
    >>>> formsauth is not supported - i wouldn't recommend using cookies -
    >>>> the "web service way" would be to use a SOAP header. Thats
    >>>> basically what
    >>>>
    >>> WS-Security
    >>>
    >>>> specifies. Have a look at WSE3 here:
    >>>>
    >>> http://msdn.microsoft.com/webservices/
    >>>
    >>>> ---------------------------------------
    >>>> Dominick Baier - DevelopMentor
    >>>> http://www.leastprivilege.com
    >>>>> Is it possible to use FormAuthentication or do I have to manage my
    >>>>> own cookies and if so a sample/URL would be greatly appreciated.
    >>>>>
     
    Dominick Baier [DevelopMentor], Mar 3, 2006
    #7
  8. if i am right with this assumption - you can use formsauth - just use the
    authorization element -

    you have to make sure that the data island xml call sends the formsauth cookie
    - i am not sure if this happens by default/how it works.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > aha -
    >
    > so you have a web application which already does authentication using
    > forms and on some pages you call a webservice..?
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >> The client will be Internet Explorer HTML pages using XML Data Island
    >> technology, the only solution I can see is to use cookies, but I am
    >> new to Web Services so may be there is a better techonology I can
    >> use.
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hi,
    >>>
    >>> what do you mean with "but will need to be authenticated via a
    >>> cookie" ??
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> ok, the purpose of this xml webservice is to only return simple XML
    >>>> (not SOAP). It will serve the XML over the Internet to a third
    >>>> party application which will make the requests, but will need to be
    >>>> authenticated via a cookie. How can I achieve this in my Web
    >>>> Service ?
    >>>>
    >>>> "Dominick Baier [DevelopMentor]"
    >>>> <> wrote in message
    >>>> news:...
    >>>>
    >>>>> Hi,
    >>>>>
    >>>>> formsauth is not supported - i wouldn't recommend using cookies -
    >>>>> the "web service way" would be to use a SOAP header. Thats
    >>>>> basically what
    >>>>>
    >>>> WS-Security
    >>>>
    >>>>> specifies. Have a look at WSE3 here:
    >>>>>
    >>>> http://msdn.microsoft.com/webservices/
    >>>>
    >>>>> ---------------------------------------
    >>>>> Dominick Baier - DevelopMentor
    >>>>> http://www.leastprivilege.com
    >>>>>> Is it possible to use FormAuthentication or do I have to manage
    >>>>>> my own cookies and if so a sample/URL would be greatly
    >>>>>> appreciated.
    >>>>>>
     
    Dominick Baier [DevelopMentor], Mar 3, 2006
    #8
  9. Dominick Baier [DevelopMentor]

    GMG Guest

    The client will be Internet Explorer HTML pages using XML Data Island
    technology, the only solution I can see is to use cookies, but I am new to
    Web Services so may be there is a better techonology I can use.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hi,
    >
    > what do you mean with "but will need to be authenticated via a cookie" ??
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > ok, the purpose of this xml webservice is to only return simple XML
    > > (not SOAP). It will serve the XML over the Internet to a third party
    > > application which will make the requests, but will need to be
    > > authenticated via a cookie. How can I achieve this in my Web Service ?
    > >
    > > "Dominick Baier [DevelopMentor]"
    > > <> wrote in message
    > > news:...
    > >
    > >> Hi,
    > >>
    > >> formsauth is not supported - i wouldn't recommend using cookies - the
    > >> "web service way" would be to use a SOAP header. Thats basically what
    > >>

    > > WS-Security
    > >
    > >> specifies. Have a look at WSE3 here:
    > >>

    > > http://msdn.microsoft.com/webservices/
    > >
    > >> ---------------------------------------
    > >> Dominick Baier - DevelopMentor
    > >> http://www.leastprivilege.com
    > >>> Is it possible to use FormAuthentication or do I have to manage my
    > >>> own cookies and if so a sample/URL would be greatly appreciated.
    > >>>

    >
    >
     
    GMG, Mar 3, 2006
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. batista
    Replies:
    1
    Views:
    940
    Laurent Bugnion
    Jan 26, 2006
  2. batista
    Replies:
    0
    Views:
    575
    batista
    Jan 26, 2006
  3. Mr. x
    Replies:
    2
    Views:
    729
    Andrew
    Oct 10, 2003
  4. serge calderara

    XML Webservice authentication

    serge calderara, Mar 1, 2006, in forum: ASP .Net Web Services
    Replies:
    2
    Views:
    106
    Josh Twist
    Mar 2, 2006
  5. jens Jensen
    Replies:
    0
    Views:
    151
    jens Jensen
    Apr 28, 2006
Loading...

Share This Page