Re: WebService Windows Authentication ASP.NET 2.0

Thank you both for you replies. If I have to use Dominicks solution I have
to refactor my web service, but that is of course an option.

Are there any good examples available when web services are using method
based windows authentication?

Thanks

Henrik

I guess that I could refactor my web service
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631985cf8c8182f2260ea50@xxxxxxxxxxxxxxxxxxxxx
why not simply use a <authorization> element -

at least with
<deny users="?" />

and if it is granular enough to set the authorization on file basis - use
a location element for individual AuthZ settings for the .asmx files.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

It will be security as long as you configure IIS to only allow
authenticated users (via Basic, Digest and or IWA).

I'm not a big fan of using the PrincipalPermission as it generally
requires you to hard code stuff you should be putting in configuration
(user and group names). I like calling IsInRole directly so that you
can supply the values at runtime. PrincipalPermission just calls
IsInRole under the hood anyway. But, you can use it if you want.

Joe K.

"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
news:egeJ75gSGHA.1728@xxxxxxxxxxxxxxxxxxxxxxx

Hi,

I have created a web service which I am calling from InfoPath, a
WinForms application and an ASP.NET Web Application.

I would now like to implement some security. The web service is only
being used inside a corporate network, so I can use Windows-based
security.

How secure is it if I use:

<authentication mode="Windows" />

in my web.config, and then put a PrincipalPermission on each method?

Is this the right way of doing it?

Thanks

Henrik.





.

Relevant Pages

  • RE: Basic question about creating/setting up webservices
    ... Is the reason you want to refactor your application related to wanting to ... web service due to issues with state-vs-statelessness, ... or allow the caller to make assumptions about statefulness in the ... >take a c# class and generate a webservice proxy/asmx file? ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • Re: Design Question
    ... >> the declaration of the PrincipalPermission attribute and the call to ... Implement the check as a custom permission with a corresponding ... If I want to check permission on each public method of a web service, ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: WebService Windows Authentication ASP.NET 2.0
    ... If you have multiple methods in the same asmx file, ... location and authorization tags. ... can either create a PrincipalPermission and call its demand method OR you ... to refactor my web service, but that is of course an option. ...
    (microsoft.public.dotnet.security)
  • Re: WebService Windows Authentication ASP.NET 2.0
    ... PrincipalPermission and call its demand method OR you can do ... app but are actual Windows principal names. ... have to refactor my web service, but that is of course an option. ... I like calling IsInRole ...
    (microsoft.public.dotnet.security)
  • Re: WebService Windows Authentication ASP.NET 2.0
    ... PrincipalPermission and call its demand method OR you can do ... app but are actual Windows principal names. ... have to refactor my web service, but that is of course an option. ... I like calling IsInRole ...
    (microsoft.public.dotnet.security)