Advice sought on web services and authentication

[Ian B]

I'd really appreciate some pointers on web services etc. I'm a VB6
developer with a growing knowledge of vb.net and asp.net but I'm in
need of some direction!

Firstly, sorry about the X-posting but I've kept it to a minimum (2
groups).

I have a asp.net web application that uses a combination of SSL (for
anything in the secure folder) and forms authentication (for certain
pages in that secure folder). This has been developed using VS.Net
2003.

I now want to add a web service to the application. This web service
will require SSL and (probably) basic authentication (as forms
authentication cannot be used for web services).

How can I achieve this? Is it possible to have different
authentication modes within the same application? From what I've read
it is not - so how can I host this web service in the asp.net app and
still provide some kind of authentication for it?

I also considered simply creating a remoting object rather than a web
service. Might this be a better option? I presume that I can host
this in the secure folder (or a sub-folder off that) and it can have
its own authentication mode?

Also, I know how forms authentication works by sending a ticket in an
encrypted cookie but how does a web service deal with this? Can it be
done in the same way? - how? To make it truly stateless, would I be
better to require that the credentials be sent with each request?
(safe enough with SSL but is it necessary?).

How easy is it to call a web service or a remoting object that uses
SOAP from non-ms.net platforms? (This will be required by the web
service consumers)

Thanks for any help

Ian

[Ian B]

I'd really appreciate some pointers on web services etc. I'm a VB6
developer with a growing knowledge of vb.net and asp.net but I'm in
need of some direction!

Firstly, sorry about the X-posting but I've kept it to a minimum (2
groups).

I have a asp.net web application that uses a combination of SSL (for
anything in the secure folder) and forms authentication (for certain
pages in that secure folder). This has been developed using VS.Net
2003.

I now want to add a web service to the application. This web service
will require SSL and (probably) basic authentication (as forms
authentication cannot be used for web services).

How can I achieve this? Is it possible to have different
authentication modes within the same application? From what I've read
it is not - so how can I host this web service in the asp.net app and
still provide some kind of authentication for it?

I also considered simply creating a remoting object rather than a web
service. Might this be a better option? I presume that I can host
this in the secure folder (or a sub-folder off that) and it can have
its own authentication mode?

Also, I know how forms authentication works by sending a ticket in an
encrypted cookie but how does a web service deal with this? Can it be
done in the same way? - how? To make it truly stateless, would I be
better to require that the credentials be sent with each request?
(safe enough with SSL but is it necessary?).

How easy is it to call a web service or a remoting object that uses
SOAP from non-ms.net platforms? (This will be required by the web
service consumers)

Thanks for any help

Ian

[Michael Pearson]

What I've got to handle authentication is put it in the web method. The
first two parameters to all of my webmethods are UserName and Password.
Inside the webmethod I determine if the user is allowed to execute that
method.

I put all of my webservices in a subfolder off of my domain like

[url]http://www.mydomain.com/webservices/webservicename.asmx[/url]

HTH!

Michael

"Ian B" <i_best@hotmail.com> wrote in message
news:69c58cd1.0309181104.415a4f36@posting.google.c om...

> I'd really appreciate some pointers on web services etc. I'm a VB6
> developer with a growing knowledge of vb.net and asp.net but I'm in
> need of some direction!
>
> Firstly, sorry about the X-posting but I've kept it to a minimum (2
> groups).
>
> I have a asp.net web application that uses a combination of SSL (for
> anything in the secure folder) and forms authentication (for certain
> pages in that secure folder). This has been developed using VS.Net
> 2003.
>
> I now want to add a web service to the application. This web service
> will require SSL and (probably) basic authentication (as forms
> authentication cannot be used for web services).
>
> How can I achieve this? Is it possible to have different
> authentication modes within the same application? From what I've read
> it is not - so how can I host this web service in the asp.net app and
> still provide some kind of authentication for it?
>
> I also considered simply creating a remoting object rather than a web
> service. Might this be a better option? I presume that I can host
> this in the secure folder (or a sub-folder off that) and it can have
> its own authentication mode?
>
> Also, I know how forms authentication works by sending a ticket in an
> encrypted cookie but how does a web service deal with this? Can it be
> done in the same way? - how? To make it truly stateless, would I be
> better to require that the credentials be sent with each request?
> (safe enough with SSL but is it necessary?).
>
> How easy is it to call a web service or a remoting object that uses
> SOAP from non-ms.net platforms? (This will be required by the web
> service consumers)
>
> Thanks for any help
>
> Ian

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system ([url]http://www.grisoft.com[/url]).
Version: 6.0.518 / Virus Database: 316 - Release Date: 9/11/2003

[Michael Pearson]

What I've got to handle authentication is put it in the web method. The
first two parameters to all of my webmethods are UserName and Password.
Inside the webmethod I determine if the user is allowed to execute that
method.

I put all of my webservices in a subfolder off of my domain like

[url]http://www.mydomain.com/webservices/webservicename.asmx[/url]

HTH!

Michael

"Ian B" <i_best@hotmail.com> wrote in message
news:69c58cd1.0309181104.415a4f36@posting.google.c om...

> I'd really appreciate some pointers on web services etc. I'm a VB6
> developer with a growing knowledge of vb.net and asp.net but I'm in
> need of some direction!
>
> Firstly, sorry about the X-posting but I've kept it to a minimum (2
> groups).
>
> I have a asp.net web application that uses a combination of SSL (for
> anything in the secure folder) and forms authentication (for certain
> pages in that secure folder). This has been developed using VS.Net
> 2003.
>
> I now want to add a web service to the application. This web service
> will require SSL and (probably) basic authentication (as forms
> authentication cannot be used for web services).
>
> How can I achieve this? Is it possible to have different
> authentication modes within the same application? From what I've read
> it is not - so how can I host this web service in the asp.net app and
> still provide some kind of authentication for it?
>
> I also considered simply creating a remoting object rather than a web
> service. Might this be a better option? I presume that I can host
> this in the secure folder (or a sub-folder off that) and it can have
> its own authentication mode?
>
> Also, I know how forms authentication works by sending a ticket in an
> encrypted cookie but how does a web service deal with this? Can it be
> done in the same way? - how? To make it truly stateless, would I be
> better to require that the credentials be sent with each request?
> (safe enough with SSL but is it necessary?).
>
> How easy is it to call a web service or a remoting object that uses
> SOAP from non-ms.net platforms? (This will be required by the web
> service consumers)
>
> Thanks for any help
>
> Ian

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system ([url]http://www.grisoft.com[/url]).
Version: 6.0.518 / Virus Database: 316 - Release Date: 9/11/2003

[CSharpTooth]

You should make the best use of the SOAP spec when designing the security of
your web service. Here is a great article for a starting
point on authentication and authorization in .NET:

[url]http://archive.devx.com/security/articles/ps0602/ps0602.asp[/url]

As far as remoting vs web services, a good rule of thumb is to use remoting
if the web services (or service) is to be used internally (Intranet or
Secured LAN) and use Web Services if there is the possibility of outside
access. Web Services add the additional overhead of SOAP and HTTP. Here
are a few good articles to get you started on that:

[url]http://www.developer.com/net/net/article.php/2201701[/url]
[url]http://builder.com.com/5100-6389_14-5034970.html[/url]

We are currently developing a large SSO project and evaluated Remoting vs.
Web Services and we chose Web Services due to outside access, ease of
deployment, and platform interoperability.



"Ian B" <i_best@hotmail.com> wrote in message
news:69c58cd1.0309181104.415a4f36@posting.google.c om...

> I'd really appreciate some pointers on web services etc. I'm a VB6
> developer with a growing knowledge of vb.net and asp.net but I'm in
> need of some direction!
>
> Firstly, sorry about the X-posting but I've kept it to a minimum (2
> groups).
>
> I have a asp.net web application that uses a combination of SSL (for
> anything in the secure folder) and forms authentication (for certain
> pages in that secure folder). This has been developed using VS.Net
> 2003.
>
> I now want to add a web service to the application. This web service
> will require SSL and (probably) basic authentication (as forms
> authentication cannot be used for web services).
>
> How can I achieve this? Is it possible to have different
> authentication modes within the same application? From what I've read
> it is not - so how can I host this web service in the asp.net app and
> still provide some kind of authentication for it?
>
> I also considered simply creating a remoting object rather than a web
> service. Might this be a better option? I presume that I can host
> this in the secure folder (or a sub-folder off that) and it can have
> its own authentication mode?
>
> Also, I know how forms authentication works by sending a ticket in an
> encrypted cookie but how does a web service deal with this? Can it be
> done in the same way? - how? To make it truly stateless, would I be
> better to require that the credentials be sent with each request?
> (safe enough with SSL but is it necessary?).
>
> How easy is it to call a web service or a remoting object that uses
> SOAP from non-ms.net platforms? (This will be required by the web
> service consumers)
>
> Thanks for any help
>
> Ian

[CSharpTooth]

You should make the best use of the SOAP spec when designing the security of
your web service. Here is a great article for a starting
point on authentication and authorization in .NET:

[url]http://archive.devx.com/security/articles/ps0602/ps0602.asp[/url]

As far as remoting vs web services, a good rule of thumb is to use remoting
if the web services (or service) is to be used internally (Intranet or
Secured LAN) and use Web Services if there is the possibility of outside
access. Web Services add the additional overhead of SOAP and HTTP. Here
are a few good articles to get you started on that:

[url]http://www.developer.com/net/net/article.php/2201701[/url]
[url]http://builder.com.com/5100-6389_14-5034970.html[/url]

We are currently developing a large SSO project and evaluated Remoting vs.
Web Services and we chose Web Services due to outside access, ease of
deployment, and platform interoperability.



"Ian B" <i_best@hotmail.com> wrote in message
news:69c58cd1.0309181104.415a4f36@posting.google.c om...

> I'd really appreciate some pointers on web services etc. I'm a VB6
> developer with a growing knowledge of vb.net and asp.net but I'm in
> need of some direction!
>
> Firstly, sorry about the X-posting but I've kept it to a minimum (2
> groups).
>
> I have a asp.net web application that uses a combination of SSL (for
> anything in the secure folder) and forms authentication (for certain
> pages in that secure folder). This has been developed using VS.Net
> 2003.
>
> I now want to add a web service to the application. This web service
> will require SSL and (probably) basic authentication (as forms
> authentication cannot be used for web services).
>
> How can I achieve this? Is it possible to have different
> authentication modes within the same application? From what I've read
> it is not - so how can I host this web service in the asp.net app and
> still provide some kind of authentication for it?
>
> I also considered simply creating a remoting object rather than a web
> service. Might this be a better option? I presume that I can host
> this in the secure folder (or a sub-folder off that) and it can have
> its own authentication mode?
>
> Also, I know how forms authentication works by sending a ticket in an
> encrypted cookie but how does a web service deal with this? Can it be
> done in the same way? - how? To make it truly stateless, would I be
> better to require that the credentials be sent with each request?
> (safe enough with SSL but is it necessary?).
>
> How easy is it to call a web service or a remoting object that uses
> SOAP from non-ms.net platforms? (This will be required by the web
> service consumers)
>
> Thanks for any help
>
> Ian