I am developing a Web Service and want to find a good way to authenticate and authorize users of the service. I have looked into Role-Based Security Checks and done some investigation on PrincipalPermission and Web Service Security. Here are the things I have found out so far:
PrincipalPermission
1. System.Threading.Thread.CurrentPrincipal.Identity stores the Identity of the current Principal.
2. Use PrincipalPermission declaratively: [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]. The downside is that the role name has to be hardcoded in the attribute.
3. Use PrincipalPermission imperatively:
    // name and role to require; pass null for either to match any value
    PrincipalPermission p = new PrincipalPermission("user", "role");
    p.Demand(); // throws SecurityException if the check fails
p.Demand() checks whether the current principal (System.Threading.Thread.CurrentPrincipal) matches the principal specified by the permission (the name, the role, and by default that the identity is authenticated).
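To show the two styles side by side, here is an added example (my own illustration, not from the original notes). It runs on .NET Framework, where declarative PrincipalPermission demands are still supported, and uses constructed GenericPrincipal objects in place of the principal a real host would set; the role name "Administrators" and the user names are placeholders. Passing null as the name means only the role is checked, which is how the imperative form avoids hardcoding the role in an attribute.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class PrincipalPermissionDemo
{
    // Declarative check: the role name is fixed at compile time.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    static void ResetServer()
    {
        Console.WriteLine("ResetServer executed");
    }

    // Imperative check: the role name can be read from configuration at run time.
    static void ResetServerImperative(string requiredRole)
    {
        // null name = any authenticated identity; only the role is demanded
        PrincipalPermission p = new PrincipalPermission(null, requiredRole);
        p.Demand(); // throws SecurityException if Thread.CurrentPrincipal fails the check
        Console.WriteLine("ResetServerImperative executed");
    }

    // Runs a protected action and reports whether the demand succeeded.
    static bool TryCall(Action action)
    {
        try
        {
            action();
            return true;
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
            return false;
        }
    }

    static void Main()
    {
        // Constructed principals; in a real service the host (ASP.NET/IIS) sets this.
        IPrincipal admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Administrators" });
        IPrincipal user  = new GenericPrincipal(new GenericIdentity("bob"),   new[] { "Users" });

        Thread.CurrentPrincipal = admin;
        TryCall(ResetServer);                                    // allowed
        TryCall(() => ResetServerImperative("Administrators"));  // allowed

        Thread.CurrentPrincipal = user;
        TryCall(ResetServer);                                    // denied
        TryCall(() => ResetServerImperative("Administrators"));  // denied
    }
}
```

The important detail for a service is that Demand() looks only at Thread.CurrentPrincipal, so the check is only as good as whatever set that principal; if the host leaves an unauthenticated principal there, both forms throw.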
Web Service Security
1. An ASMX web service is actually an ASP.Net application: it is mapped to aspnet_isapi.dll. Therefore we can use the ASP.Net security mechanisms to authenticate and authorize calls to the web service.
2. When writing a web service, it's better to inherit from System.Web.Services.WebService because the class provides direct access to the common ASP.Net objects. Its User property returns the ASP.Net System.Web.HttpContext.User object, which can be used to check whether the caller is authorized to execute the request.
3. Select the authentication mode from the ASP.Net Configuration Settings.
4. If using Windows authentication, you can set the authentication scheme in IIS -> Directory Security -> Authentication and access control to control how callers of the web service are authenticated.
5. You can also set your authentication mode in Web.config.
6. Select "None" for the authentication mode if you want to use custom authentication.
7. Do not use "Forms" or "Passport" authentication for a web service, as they redirect to a login page, which a SOAP client cannot follow.
8. You can use ASP.Net authorization (e.g. in IIS or in web.config) to handle authorization on a Web Service. However, I think the downside is that you can only control it at page (URL) level, not at method level.
9. You can use the .Net Role Security Check to handle authorization on a Web Service. This way authorization can be handled at method level.
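The following is an added example of method-level authorization in an ASMX service (my own illustration, not code from the original notes or the linked article). It assumes Web.config has <authentication mode="Windows"/> and that anonymous access is disabled in IIS, so HttpContext.User is a WindowsPrincipal by the time a method runs; the service namespace and the group name EXAMPLEDOMAIN\OrderAdmins are placeholders. Two methods on the same .asmx page get different rules, which is exactly what page-level URL authorization cannot express.

```csharp
using System;
using System.Web.Services;
using System.Web.Services.Protocols;

// Placeholder namespace; replace with the service's own.
[WebService(Namespace = "http://example.invalid/orders/")]
public class OrderService : WebService
{
    // Placeholder Windows group; for built-in groups use the "BUILTIN\" prefix.
    private const string AdminGroup = @"EXAMPLEDOMAIN\OrderAdmins";

    // Any authenticated caller may read order status.
    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        RequireAuthenticated();
        return string.Format("Order {0} status requested by {1}", orderId, User.Identity.Name);
    }

    // Only members of the admin group may cancel, even though both methods live on one page.
    [WebMethod]
    public void CancelOrder(int orderId)
    {
        RequireRole(AdminGroup);
        // ... cancel the order here ...
    }

    // User is HttpContext.User, populated by ASP.Net from the IIS authentication scheme.
    private void RequireAuthenticated()
    {
        if (User == null || !User.Identity.IsAuthenticated)
        {
            throw new SoapException("Authentication required", SoapException.ClientFaultCode);
        }
    }

    private void RequireRole(string role)
    {
        RequireAuthenticated();
        if (!User.IsInRole(role))
        {
            // Client fault code: the caller, not the server, is at fault, so the
            // response is an authorization failure rather than a generic server error.
            throw new SoapException("Caller is not in role " + role, SoapException.ClientFaultCode);
        }
    }
}
```

The checks are deliberately done inside each WebMethod with User.IsInRole rather than relying on URL authorization in web.config, because the latter can only allow or deny the whole .asmx endpoint; a PrincipalPermission demand on each method would work equally well here, since ASP.Net also sets Thread.CurrentPrincipal from the authenticated request.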
Good article for web service security: http://www.15seconds.com/issue/020312.htm