Implementing WebService authentication using the ASP.net forms pattern

Asp.net|web

In asp.net programs where security requirements are not very high, forms based authentication is a common way to use, and if you need to authenticate webservice, the most commonly used is the custom authentication method based on the SOAP header. If you compare the two, it is clear that the forms based authentication is more user-friendly, can you apply forms validation to WebService?

In theory, it is possible to authenticate webservice using the forms-based approach, but the following two problems may exist during use:

1. Forms Based authentication is also a cookie based authentication method, which is not a problem for us to consider when using a browser. But for applications that use WebService, the default is not to save cookies, and we need to do the work ourselves.

2.WebService since it is a A2A (application to application) application, it is obviously not appropriate to use Web Forms for authentication, and this will inevitably result in human-computer interaction, which compromises the WebService application.

Next, we'll step through these two issues:

1.Cookie Save Problem

The WebService client proxy class has a property Cookiecontainer can be used to set or get a cookie collection, and the task of saving cookies is given to him:

System.Net.CookieContainer Cookiecontainer = new System.Net.CookieContainer ();
Myservice.webservice service = new App.MyService.WebService ();
Service. Cookiecontainer = Cookiecontainer;

2. We do not want to use Web forms for authentication, fortunately, ASP. NET form validation, the form page (that is, the loginurl within the forms element in the Web.config file) can also be specified as a WebService file.

We create a Web service that is specifically used for authentication, for the moment named Login.asmx, then loginurl equals "login.asmx", and of course, the authorization in Web.config file section to prevent anonymous access (otherwise we will be busy), the completion of the configuration of the Web.config file is as follows:

<?xml version= "1.0" encoding= "Utf-8"?>
<configuration>
<system.web>
<compilation debug= "false"/>
<authentication mode= "Forms" >
<forms name= "MyService" loginurl= "Login.asmx" ></forms>
</authentication>
<authorization >
<deny users= "?" />
</authorization>
</system.web>
</configuration>

In fact, we do not want to let the browser to the login.asmx when not authenticated, the real benefit for the client program using WebService is that you can access the methods in Login.asmx anonymously (of course, we can also put Login.asmx in a separate directory, and then allow the directory Anonymous access to achieve this goal, but I think it is more elegant with loginurl.
Next, we add the WebMethod for Login.asmx for authentication:

[WebMethod]
public bool Check (string username,string password)
{
if (UserName = = "AAAAAA" && password = = "123456")//Add validation logic
{
System.Web.Security.FormsAuthentication.SetAuthCookie (UserName, false);
return true;
}
Else
{
return false;
}
}

The final step is to have the WebService instance in the client program share Cookiecontainer with the login instance.

Class Sample
{
System.Net.CookieContainer Cookiecontainer = new System.Net.CookieContainer ();

public void Login ()
{
Myservicelogin.login Login = new App.MyServiceLogin.Login ();
Login. Cookiecontainer = Cookiecontainer;
Login. Check ("aaaaaa", "123456");
}
public void Showhelloworld ()
{
Myservice.webservice service = new App.MyService.WebService ();
Service. Cookiecontainer = Cookiecontainer;

Console.WriteLine (service. HelloWorld ());
}
}

Login () after Showhelloworld (), do you see the familiar "Hello world"? Ok, that's easy!