I am developing a web application project in Visual Studio 2005 on .NET 2.0. The web application project has obviously secured web pages and web services. I want to secure the web services as well. Currently the authentication mode in the web.config is set to forms and I have created my own membership provider for this purpose.
The target application server is IIS 5.0, which is configured to work over https with a valid certificate, so technically speaking all I want is the web services to validate some hard coded string to ensure that the systems that call them are known, since they manipulate sensitive data. Since it's over a secured channel I do not expect to use any fancy encryption for this web service authentication. As a side note, the systems expected to use the web services are in Java and not in .NET.
What I am really looking for is the best way for me to achieve this within the same solution in Visual Studio. I do not want the web services to be a separated project. (requirement)
Is the only solution to use flow credentials in the SOAP header?
Thanks,
Carl T.
You can add a location element to your web.config with an authorization element that allows anonymous users to access the web service, effectively bypassing the forms security for the service. Then you can make your hardcoded string be accepted as just another argument to your methods. See location Element (ASP.NET Settings Schema) for more information.
You mentioned hard-coded strings, so I assumed you were looking to pass it to methods and run sessionless. Give this article a look: .NET Web Services Security. The part you’ll be most interested in is on page 3.
Ideally, you should look to update to .NET 3.5 or higher with WCF, but barring that, these are your best bets.
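
A sketch of the approach described in the answer above, added here as an example and not code from any of the posters: the `location` element exempts only the service from forms authentication, and each web method checks the shared string before doing any work. The names `Services/OrderService.asmx`, `ServiceSharedKey`, `OrderService` and `GetOrderStatus` are hypothetical, and reading the key from `appSettings` instead of hard-coding it in source is an assumption of this example.

```csharp
// Added example; all names (Services/OrderService.asmx, ServiceSharedKey,
// OrderService, GetOrderStatus) are hypothetical.
//
// web.config, inside <configuration>: exempt only the service from forms auth
// and keep the shared key out of the compiled code.
//   <location path="Services/OrderService.asmx">
//     <system.web>
//       <authorization><allow users="*" /></authorization>
//     </system.web>
//   </location>
//   <appSettings>
//     <add key="ServiceSharedKey" value="REPLACE_WITH_LONG_RANDOM_VALUE" />
//   </appSettings>
using System;
using System.Configuration;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.invalid/services")]
public class OrderService : WebService
{
    [WebMethod]
    public string GetOrderStatus(string sharedKey, int orderId)
    {
        RequireKnownCaller(sharedKey);
        return "PENDING"; // placeholder for the real lookup
    }

    // Reject the call before any sensitive work when the key is missing or wrong.
    // An unset or empty configured key also rejects, so the service fails closed.
    private static void RequireKnownCaller(string suppliedKey)
    {
        string expected = ConfigurationManager.AppSettings["ServiceSharedKey"];
        if (string.IsNullOrEmpty(expected) || suppliedKey == null ||
            !FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(suppliedKey)))
        {
            throw new SoapException("Caller not authorized.", SoapException.ClientFaultCode);
        }
    }

    // Compare without returning early on the first mismatch, so response time
    // does not reveal how many leading bytes of the key were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The Java callers see the key as one more string parameter in the generated WSDL, so no SOAP header handling is needed on their side.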