Practical examples for establishing Web service security in .NET

• Tags:
• Example,
• Security,
• Simple,
• Add

Kevin Koch, Builder.com Builder.com

Published: 06 May 2003 13:08 BST

• 
• 
• 
• 
• 

The method then performs the authentication you need by verifying the user ID and password variables contained within the secureCtx object. If the LoginUser() method determines that the user is valid, it generates an authentication ticket that's inserted into the response's cookies collection.

The HelloWorld() method is an example of a method you would call on the Web service once your client is authenticated. This pattern requires less coding because you need to authenticate only once in a given session and wrap your Web service implementation logic with a simple check, like so:

• If Context.User.Identity.IsAuthenticated = True Then...

Client implementation
Once you've implemented the Web service and it's ready to go, you're ready to code the Web service consumer. The one drawback to this pattern is that the client must have cookies enabled to maintain the security ticket.

Typically, the client would be a Web browser, which obviously provides built-in cookie handling, assuming the user has not disabled it. But what if you want your Web service accessible by a desktop Windows application? Consuming Web services from a desktop application provides an incredible amount of power, flexibility, and extensibility. The sample code in Listing B shows how to consume your Web service from a Windows application.

To implement your Web service correctly, you must import System.Net.CookieContainer. This allows you to create an instance of a CookieContainer object, named cookieContainer1, which will store the authentication ticket returned by our LoginUser() method in the Web service.

Private WSObjAs New
Next, you need to create an instance of your Web service itself:

• SecureWebServiceTesterProxy.SecureWebServiceTester().

This must be declared globally at the form level because your authentication ticket must maintain state across the various methods implemented on your Windows Form. Within the New() method, which is generated by VS.NET, you set your Web service object's CookieContainer property to your cookieContainer1 object. This tells the Web service object to use your own cookie container object to store any cookies returned by your Web service.

To consume your Web service from another ASP.NET application, you would use nearly identical code with the exception of the manual cookie storage code.

Are you secure?The code samples in Listings A and B are simple demonstrations of how to programmatically secure your Web services by denying access to any client who does not have a validated authentication ticket. The level of security model complexity should be dictated by your business requirements. If your data sensitivity is high, you should take measures to ensure that your customer data is as secure and private as possible.

Go to section: Practical examples for establishing Web service security in .NET Page Two Page Three

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed