Home/ Questions/Q 3854148
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T17:34:44+00:00

In this hypothetical scenario there is an ASP.NET 4 web application that simultaneously aggregates

  • 0

In this hypothetical scenario there is an ASP.NET 4 web application that simultaneously aggregates data from multiple web services. The web services are all of the same implementation, but are separate instances and are not aware of each other.

In the web application a user provides credentials for each web service he wants access to, and the authentication process iterates through all of his user name/password combos coupled with the URL for each web service. (The clunky UI is for illustration only….)

Assume the web application uses the ValidateUser method in a custom MembershipProvider class for authentication, and the MembershipProvider is configured in web.config as per usual.

Assume also that the custom MembershipProvider class has a Url property that changes with each authentication call to the different web services.

Assuming all of that, how do you handle the scenario where User 1 and User 2 are authenticating at the same time, but User 1 has access to Web Service A, B, and C, and User 2 has access to Web Service X, Y, and Z?

Will the credentials and URLs potentially get mixed up and User 1 might see User 2’s data and vice-versa?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you are going to implement a custom membership provider you will see lots of headaches down the road. The reason is that in your app model, the authorization scheme is based on whatever membership the user has (for a specific service).

    I would advise to have your own membership (for your own site) and extend the profile model so that you can retrieve credentials for each service that the user has access to straight out of the user’s profile.

    The profile information can be used in conjunction with your own authorization based on your own membership and role providers (specific for your site). In that case you can assign each user a role specific to each service.

    To successfully achieve that, for each service, write a wrapper, encapsulating service calls with your own methods (which call the service). This will allow you to mark your own methods with the [PrincipalPermissison] attribute… and achieve seemless authorization.

    So if your user has access to the Amazon web service and there are credentials for that service stored in his/her profile you can have the following:

    User Role: “AmazonAccessor”

    public AmazonServiceWrapper
{
    [PrincipalPermission(SecurityAction.Demand, Role = "AmazonAccessor")]
    public void DoSomething()
    {
        UserProfile profile = UserProfile.Get();
        ServiceCredential credential = (ServiceCredential)(from c in profile.ServiceCredentials where c.ServiceName = "Amazon" select c).Take(1);

        if( credential == null )
            return;

        AmazonService amazon = new AmazonService();
        amazon.ClientCredentials.UserName.UserName = credential.Username; //coming from profile
        amazon.ClientCredentials.UserName.Password = credential.Password; //coming from profile

        try{
            amazon.DoSomething(); //wrap the amazon call.
        }
        catch(Exception ex)
        {

        }
    }
}

    This will prevent you from having to juggle membership and all sorts of other headaches.

    Now to create your own profile you can do something like this:

    [Serializable]
public class ServiceCredential
{
    public string ServiceName { get; set; }
    public string Username { get; set; }
    public string Password { get; set; }
    public string ServiceUrl { get; set; }
}

public class UserProfile : ProfileBase
{
    public static UserProfile Get(string username)
    {
        return (UserProfile)Create(username);
    }

    public static UserProfile Get()
    {
        return (UserProfile)Create(Membership.GetUser().UserName);
    }

    [SettingsAllowAnonymous(false)]
    public List<ServiceCredential> ServiceCredentials
    {
        get
        {
            try
            {
                return base.GetPropertyValue("ServiceCredentials") as List<ServiceCredential>;
            }
            catch
            {
               return new List<ServiceCredential>();
            }
        }
        set
        {
            base.SetPropertyValue("ServiceCredentials", value);
        }
    }
}

    And of course the Web config:

    <system.Web>
<profile 
   inherits="MyApplication.UserProfile" 
   defaultProvider="AspNetSqlProfileProvider">
   <providers>
      <add 
          name="MyProfileProvider" 
          type="System.Web.Profile.SqlProfileProvider"
          connectionStringName="MyConnectionString"
          applicationName="MyApplication" />
   </providers>
</profile>
<system.Web>
    • 0