Forms Authentication

[Fresno Bob]

I am using ado.net dataservices. I would like to lock them down with forms
authentication so my client web apps (which may be on different machines)
can call them. Ideally I would like to specify a username/password and gain
access to the services in my application. Is there a way of doing this. I
was under the impression data services are built on top of WCF how does one
do this with WCF. I am quite new to this so no answer is too basic

 

[Gregory A. Beamer]

Let me make sure I understand the issue. You have web apps and you want them
to use web services (using WCF). You want to secure the web services with
forms auth?

If that is the case, you need to secure he web services with something else.
You have the full WS-Security specs in the WCF. With this you can assign
certs to your web apps, if that is the need. If the services are behind a
firewall, you can break this down a bit (ie, they are not publicly exposed
at all), but a cert is the most sure. If you also wish to add a token, that
is fine. You can also make it harder to crack the services by passing
objects in for the calls, as this will make hacking more difficult. There
are other things you can do with WCF and the WS-* specifications, so I would
dig in that direction if you want ideas.

If you are talking about securing the web application, then forms
authentication is a good direction to go, as there is user interaction.

If this is an immediate concern, those are pretty much your options. If you
are a bit farther out, you can look into the Geneva project (claims based
security), as it provides a very easy model for security and can use a pass
through model from web app to WCF service, etc.

 

[Fresno Bob]

Is there no way I can set a username and password and pass it to the data
services as if were logging in.

I have an ado.net dataservice (3.5 stuff) which exposes an entity model as a
RESTful interface. I have applications I would like to be able to call this
interface. I have tried locking down the data service with Forms
Authentication but I can't figure out how to send the credentials to the
data service from the application.

 

[Gregory A. Beamer]

You can certainly pass things through, ala some form of impersonation. The
issue, however, is you cannot restrict a clever person from sniffing out the
actual hit to the web service, which is something you stated a desire for.
Is each actual user going to have web service access, but only through the
web site? If so, consider a single user to hit the web service, as it will
be easier to maintain, unless all security is ultimately handled by the web
service.