In a multi-server environment, users will be able to use a page to put, update or delete files on the servers. I was considering using a webservice (on each server) called by the IIS thread to do that work (with an aspx management page).
However, for obvious reasons, I don’t really want anyone to be able to call that webservice (by POSTing a well-formed request from their machines).
I am wondering what would be the most effective (in terms of complexity, scalability) way to ensure that the access to the webservice is restricted to my page (token? Sending the current user’s Principal? I don’t have access to their password so sending the login/password couple is out of the question)
You should be able to get the user that’s calling the web service by getting the IPrinciple object stored at:
Once you get the current user, you should be able to do your validation on whether or not that user has the permissions to do whatever action they’re attempting to do by either checking if the user is in the proper role, or whatever other means you have set up to check permissions.