We have a few existing web services which require some sort of basic security to prevent unauthorised third parties from making calls against the services.
If possible, it would be best to avoid having to change the services at all, such as adding extra parameters to the service methods to pass a token for each call.
One idea (if possible) is to have an IIS module which intercepts all calls to the services and checks the header for a token. When the token is correct it lets the request through, otherwise it cancels it. This way third parties only need to pass an extra HTTP header field once we give them their key, and we don’t have to change the services at all.
This raises the questions:
Is it even possible to do this with a managed IIS module? (Or unmanaged if necessary.) And if so, how hard is it to pass extra header fields when connecting to a web service with WCF or Web References in Visual Studio?
If there are other options I’d like to hear them if they fit my requirements. Thanks.
You can use Basic/Digest/Windows Authentication. You can set this in IIS. It is rather trivial to use. Microsoft has a run-through post on this here. This is easy to set up in Visual Studio.
More in-depth information and step-by-step instructions are in this 15 Seconds article on securing web services with this method.
Neither of these require you to change the web service itself. But these only offer basic security. Using SSL, as another user suggested, can offer a higher level of security, but requires the web service to run in its own (sub) domain or application.
If you eventually do consider changing your web service and adding authentication to it, consider reading this CodeProject article.
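Added example, not part of the original question or answer: a sketch of the managed IIS module the question describes, which checks a request header against issued keys before the service runs. The class name, the `X-Api-Key` header name and the `ApiKeys` appSettings entry are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical module. Register under <system.webServer><modules> in web.config:
//   <add name="ApiKeyHeaderModule" type="ApiKeyHeaderModule" />
// (append ", AssemblyName" to the type when it is compiled into a DLL).
public sealed class ApiKeyHeaderModule : IHttpModule
{
    private const string HeaderName = "X-Api-Key";   // assumed header name
    private byte[][] _validHashes;                   // SHA-256 of each issued key

    public void Init(HttpApplication app)
    {
        // Assumed storage: <appSettings><add key="ApiKeys" value="key1,key2" />
        string raw = ConfigurationManager.AppSettings["ApiKeys"] ?? "";
        _validHashes = raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                          .Select(k => Hash(k.Trim())).ToArray();
        app.BeginRequest += OnBeginRequest;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string presented = app.Request.Headers[HeaderName];
        // Plain HTTP is rejected as well: the key is a bearer secret in a header.
        bool ok = app.Request.IsSecureConnection
                  && !string.IsNullOrEmpty(presented)
                  && IsKnown(Hash(presented));
        if (ok) return;                       // request continues to the service
        app.Response.StatusCode = 403;
        app.Response.SuppressContent = true;
        app.CompleteRequest();                // skip the handler, go to EndRequest
    }

    private bool IsKnown(byte[] candidate)
    {
        bool match = false;                   // compare against every key, no early exit
        foreach (byte[] h in _validHashes) match |= FixedTimeEquals(h, candidate);
        return match;
    }

    private static byte[] Hash(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public void Dispose() { }
}
```

The services themselves are untouched; rejected requests never reach the handler. Hashing the presented key before a fixed-time comparison keeps response timing from revealing how much of a key matched.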