Re: WebService Windows Authentication ASP.NET 2.0
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Mar 2006 17:50:14 -0600
If you have multiple methods in the same asmx file, you can't really use the
location and authorization tags. That is unfortunate as they are really
clean, but so it goes.
My suggestion is that instead of using the PrincipalPermissionAttribute, you
can either create a PrincipalPermission and call its demand method OR you
can do HttpContext.Current.User.IsInRole and use that in an if statement
with your error condition of choice. Both do about the same thing.
My original comment about hard coding was directed towards the attribute,
not the PrincipalPermission itself. The problem with the attribute is that
you have to supply the role or user name at compile time, and that sucks if
your principal names are not abstract to your app but are actual Windows
principal names. It makes it nearly impossible to move your code between
environments in that case.
Anyway, I hope this gives you a good idea.
Joe K.
"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
news:eQTTenhSGHA.4608@xxxxxxxxxxxxxxxxxxxxxxx
Thank you both for your replies. If I have to use Dominick's solution I have
to refactor my web service, but that is of course an option.
Are there any good examples available when web services are using method
based windows authentication?
Thanks
Henrik
I guess that I could refactor my web service
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631985cf8c8182f2260ea50@xxxxxxxxxxxxxxxxxxxxx
why not simply use a <authorization> element -
at least with
<deny users="?" />
and if it is granular enough to set the authorization on file basis - use
a location element for individual AuthZ settings for the .asmx files.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
It will be secure as long as you configure IIS to only allow
authenticated users (via Basic, Digest and/or IWA).
I'm not a big fan of using the PrincipalPermission as it generally
requires you to hard code stuff you should be putting in configuration
(user and group names). I like calling IsInRole directly so that you
can supply the values at runtime. PrincipalPermission just calls
IsInRole under the hood anyway. But, you can use it if you want.
Joe K.
"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
news:egeJ75gSGHA.1728@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have created a web service which I am calling from InfoPath, a
WinForms application and an ASP.NET Web Application.
I would now like to implement some security. The web service is only
being used inside a corporate network, so I can use Windows-based
security.
How secure is it if I use:
<authentication mode="Windows" />
in my web.config, and then put a PrincipalPermission on each method?
Is this the right way of doing it?
Thanks
Henrik.
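
The two runtime checks suggested in the reply above (calling IsInRole directly, or creating a PrincipalPermission and calling Demand), shown as an added example that is not code from the thread. The service class, method names, appSettings keys and the CONTOSO group name are constructed for illustration; the role names are read from web.config so nothing is fixed at compile time.

```csharp
using System.Configuration;
using System.Security.Permissions;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical service: class, method and appSettings key names are assumptions.
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    // Role names live in web.config <appSettings>, for example (constructed value):
    //   <add key="OrderReadersRole" value="CONTOSO\OrderReaders" />
    // so the same build can move between environments.
    private static string RoleFor(string settingKey)
    {
        string role = ConfigurationManager.AppSettings[settingKey];
        // Fail closed: a missing setting must never turn into "no check".
        if (string.IsNullOrEmpty(role))
            throw new ConfigurationErrorsException("Missing appSettings key: " + settingKey);
        return role;
    }

    // Option 1: IsInRole in an if statement, with an error condition of your choice.
    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        HttpContext ctx = HttpContext.Current;
        if (!ctx.User.Identity.IsAuthenticated ||
            !ctx.User.IsInRole(RoleFor("OrderReadersRole")))
            throw new SoapException("Access denied.", SoapException.ClientFaultCode);

        return "status for " + orderId; // placeholder body
    }

    // Option 2: imperative PrincipalPermission with the role supplied at runtime.
    // Demand() throws SecurityException if the caller is not in the role.
    [WebMethod]
    public void CancelOrder(int orderId)
    {
        new PrincipalPermission(null, RoleFor("OrderAdminsRole")).Demand();
        // ... cancel the order (placeholder) ...
    }
}
```

Both methods assume `<authentication mode="Windows" />` in web.config and anonymous access disabled in IIS, as discussed in the thread.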