Old July 16th, 2005, 03:37 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 440
Web service users and roles...

Hey guys and girls!

I am trying to come up with an idea of how user handling at a web service can be done. No ideas seem to appear...

The problem is as follows. I have a web service which should give access to specific web methods for some users, and to other methods for other users. Different users can have different roles. But I don't know how to go about this.

Is there a secure way to retrieve and pass username and password to the web service? Or is this a bad idea?

At the web service I have made a configuration file, which specifies the users together with information about their role. But don't know where to go from here.

Should I pass the user information for each web request or is there a way to have a session or like through web services?

Thanks, Jacob.

Oops, I guess I posted it in the wrong forum, sorry. I am doing the implementation in C# ;)
__________________
Danish audio books for download at http://www.lytenbog.dk.
 
Old July 22nd, 2005, 05:31 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 453

I think the username and password should only be passed once, using a public/private key pair in combination with encryption when sharing the public key for the first time. Or you can use SSL if that's possible.
Once the user is authenticated you should simulate what cookies do. That is, pass a token associated with each authenticated client as one of the arguments in each method call. This approach calls for a little extra programming effort but should serve the purpose.

That was kind of a quick response, but I would more than like it if you wanna discuss it further.



Regards
Ankur Verma
 
Old July 22nd, 2005, 06:24 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 440

Alright, thank you for answering. I also posted this one after I got a little smarter about the authentication/authorization dilemma.

http://p2p.wrox.com/topic.asp?TOPIC_ID=32962

Previously, I have never dealt with authentication/authorization related to web services, so do not know how it works. Moreover, I would like it to work with Mono as you can see in the above thread.

By passing a token for each method call, can't fake users just do brute force attacks faking the token? Try different tokens, or am I way off? Web services are pretty much to be considered stateless unless sessions are used, and that is what you mean when you mention cookies, right?

As I described in the above link I found some stuff about passing the user credentials in the header and I later found this article...

http://archive.devx.com/security/art...602/ps0602.asp

... which I have thought about. However, I have a time limit on my project. The deadline is August 1st, which is why I probably will not get time for implementation. Will perhaps try the SOAP header solution in the above article later.

Jacob.
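The token scheme Ankur describes, with the entropy and expiry that address Jacob's brute-force question, as an added C# example that is not from this thread. It leaves out the ASMX SoapHeader plumbing and uses a constructed in-memory user table (alice/bob) in place of the configuration file; TokenAuthenticator, Login and Authorize are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class TokenAuthenticator
{
    // Hypothetical user store standing in for the config file mentioned in the thread.
    // Constructed sample data; a real store keeps salted password hashes, not plain text.
    private readonly Dictionary<string, (string Password, string Role)> users =
        new Dictionary<string, (string Password, string Role)>
        { ["alice"] = ("correct horse", "admin"), ["bob"] = ("battery staple", "reader") };

    // Issued tokens: opaque value -> owner, role, absolute expiry (UTC).
    private readonly Dictionary<string, (string User, string Role, DateTime Expires)> sessions =
        new Dictionary<string, (string User, string Role, DateTime Expires)>();
    private readonly TimeSpan lifetime = TimeSpan.FromMinutes(20);

    // Credentials are sent once (over SSL); the caller receives an opaque token
    // that it then places in the SOAP header, or passes as an argument, on every call.
    public string Login(string user, string password)
    {
        if (!users.TryGetValue(user, out var entry) || entry.Password != password)
            return null;
        // 32 bytes from a cryptographic RNG: 256 bits of entropy, so guessing a live
        // token ("brute force faking the token") is not a practical attack.
        var buffer = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buffer);
        string token = Convert.ToBase64String(buffer);
        sessions[token] = (user, entry.Role, DateTime.UtcNow + lifetime);
        return token;
    }

    // Every web method checks the token and the role that method requires;
    // expired tokens are dropped so a leaked token stops working on its own.
    public bool Authorize(string token, string requiredRole)
    {
        if (token == null || !sessions.TryGetValue(token, out var s)) return false;
        if (DateTime.UtcNow > s.Expires) { sessions.Remove(token); return false; }
        return s.Role == requiredRole;
    }

    public static void Main()
    {
        var auth = new TokenAuthenticator();
        string bobToken = auth.Login("bob", "battery staple");
        Console.WriteLine(auth.Authorize(bobToken, "reader"));   // bob's own role
        Console.WriteLine(auth.Authorize(bobToken, "admin"));    // a role bob does not hold
        Console.WriteLine(auth.Authorize("guess", "reader"));    // a token that was never issued
        Console.WriteLine(auth.Login("alice", "wrong") == null); // wrong password, no token
    }
}
```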
 
Old July 22nd, 2005, 07:58 AM
Registered User
 
Join Date: Jul 2005
Posts: 1

The SOAP header solution coupled with a good encryption scheme works real well.

You are right in thinking that someone can hack a plain text SOAP header solution. It's really not even a hack. If they get hold of the header it's plain as day. If however you encrypt the credentials as you pass them over the wire you have a better shot at staying safe.
 
Old July 22nd, 2005, 09:08 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 440

Thanks dewalt, I think I will look into this solution then. I like the fact that you do not have to have additional parameters for the web method etc.

Unfortunately, I am totally blank when it comes to encryption using C#, but I think the SOAP header solution implemented at the link I posted has some code I can look into.

As mentioned, I am trying to make the framework run on both Windows and Linux (with Mono), but without an understanding of how the authentication is done this is difficult. It would be nice if authentication came out-of-the-box, and I could authorize myself based on the User.Credentials.Name.

Perhaps if I knew how to enable Basic authentication between the consumer and the web service, then I could make it work. The authentication mode in the web.config file says Windows, but I guess that I have to set it up on the web server running the service on the Linux box, right?

Added after the above; I guess that Basic is only for Windows too. I have to do a custom solution.

Jacob.