3

I have a C# ASP.NET 3.5 web application which uses forms authentication. Users log in with their username and password on login.aspx, are authenticated using a custom authentication logic and are then directed to input.aspx, where they enter some parameters and get a response on output.aspx. If they try to access input.aspx without authenticating themselves, they are redirected to login.aspx.

The same users want to be able to use the functionality of this web application without using the UI, from Unix environment. So I added a web service file (.asmx) to this web application. I didn't create a separate project for this web service because the web service uses code files, code in global.asax of the existing web application and I should not duplicate that code for the web service.

The web service functionality works fine now, though I don't know how to authenticate the users. The web service client will send username and password once (maybe using a 'login' webmethod, which I can write to authenticate them) and then should be able to send multiple requests (maybe until they call a 'logout' webmethod or until their session/cookies expire).

For web requests to not get redirected to login.aspx page, I excluded the .asmx file from Forms authentication using the location tag in web.config. (I don't know if that's the way to go.) But then I am thinking that the user is not then authenticated in the web application and so the web application code that the service uses, won't be accessible, right?

1 Answer

2

I would recommend a quick read on this link (http://msdn.microsoft.com/en-us/library/ms977327.aspx) and then follow it up with this one (http://msdn.microsoft.com/en-us/library/9z52by6a(VS.80).aspx). A custom security header is probably where you want to go to secure your web service outside of forms authentication. It does mean that each method call needs to have the header supplied though.

10 Comments

Thanks. When the web service authenticates the user, the web application needs to know that this user has logged in, similar to when the user logs in using a web form login.aspx.
That's what the SOAP header can accomplish. The credentials embedded in it can be the same. They just have to be passed/attached for each request.
Ok Thanks, so if user credentials are passed in SOAP headers in a web request, will the request not be redirected to the login.aspx page?
No, if you exclude it from FormsAuthentication as you mentioned, then the SOAP header would have to be processed independently of that. However, as you will read, the authentication source can be the same mechanism.
Ok thanks, so will the code in global.asax, .cs files and data in cached datasets in the web application be available to the web service? I was reading: code-magazine.com/… Will the Log-in method from this article suffice? The client should pass the login credentials just once though.
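
The custom SOAP header approach recommended in the answer, shown as an added example (not code from the answer, its comments or the linked MSDN articles). `AuthHeader`, `ReportService`, `GetOutput` and the namespace are hypothetical names, and the block assumes the application's custom authentication logic is reachable through `Membership.ValidateUser` (a custom membership provider); otherwise call the existing login check at that point.

```csharp
using System.Security.Principal;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;

// Custom SOAP header carrying the caller's credentials on every request.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/reports")] // placeholder namespace
public class ReportService : WebService
{
    // ASP.NET fills this field from the <AuthHeader> element of the SOAP envelope.
    public AuthHeader Credentials;

    [WebMethod]
    [SoapHeader("Credentials")]
    public string GetOutput(string parameters)
    {
        RequireAuthenticatedCaller();
        // Stand-in for the shared application code the service calls.
        return "processed: " + parameters;
    }

    private void RequireAuthenticatedCaller()
    {
        // The header holds a clear-text password, so refuse plain HTTP.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);

        // Assumption: the custom login logic sits behind the membership provider.
        // A missing header is rejected the same way as bad credentials.
        if (Credentials == null ||
            !Membership.ValidateUser(Credentials.Username, Credentials.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);

        // The .asmx is excluded from forms authentication, so no principal is set
        // for the request. Set one so shared code that reads
        // HttpContext.Current.User sees the authenticated caller.
        Context.User = new GenericPrincipal(
            new GenericIdentity(Credentials.Username, "SoapHeader"), new string[0]);
    }
}
```

Every web method that touches protected functionality needs both the `[SoapHeader("Credentials")]` attribute and the `RequireAuthenticatedCaller()` call; a method without them is reachable anonymously because the `.asmx` path is outside forms authentication.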