Reputation: 107508
I couldn't think of a decent title, so let me first apologize for that.
I have a WebService (call it A) written for my app so I can take advantage of ASP.NET 3.5 AJAX features. I use the generated JavaScript proxy to make AJAX calls.
As a side effect, WebService A is exposed for anyone to add as a reference to another project, which is great, except I don't want certain WebMethods to be available to external applications (in the same domain, BTW).
So I've got two questions:
If there isn't, I'm thinking I'll just add a separate WebService (B) that exposes the WebMethods I need from WebService A. But then,
If that's not possible, I'm not really worried about it. The apps are all intranet-only, I just don't want the WebServices to be abused.
Also, there is a similar question here already without any good answers. The asker describes almost the same situation I'm in: ASP.NET WebService deny remote access
Upvotes: 4
Views: 1866
Reputation: 1732
I use a standard web service with forms authentication as follows:
    ' Namespaces these methods need. The methods themselves belong inside the
    ' service class (a class inheriting System.Web.Services.WebService).
    Imports System.Web.Security
    Imports System.Web.Services

    ' ************************************
    ' **** Example with Windows Forms ****
    ' ************************************
    ' Taken from http://www.dotnetbips.com/articles/dbd724e9-78f0-4a05-adfb-190d151103b2.aspx
    ' **** Login *************************
    ' Dim x As New localhost.Service1()
    ' Dim cc As New CookieContainer()
    ' Dim sessioncookie As Cookie
    ' Dim cookiecoll As New CookieCollection()
    ' x.CookieContainer = cc
    ' x.Login("user1", "password1")
    ' cookiecoll = x.CookieContainer.GetCookies(New Uri("http://localhost"))
    ' Session("sessioncookie") = cookiecoll("CookieName")
    ' **** Logout ************************
    ' Dim x As New localhost.Service1()
    ' Dim cc As New System.Net.CookieContainer()
    ' Dim sessioncookie As New System.Net.Cookie()
    ' x.CookieContainer = cc
    ' sessioncookie = CType(Session("sessioncookie"), System.Net.Cookie)
    ' If Not sessioncookie Is Nothing Then
    '     x.CookieContainer.Add(sessioncookie)
    ' End If
    ' x.Logout()
    ' Session.Remove("sessioncookie")
    ' ************************************

    <WebMethod()> _
    Public Function Login(ByVal UserName As String, ByVal Password As String) As Boolean
        ' Reject empty input, then validate against the <credentials> section of web.config.
        If UserName.Length > 0 AndAlso Password.Length > 0 Then
            If FormsAuthentication.Authenticate(UserName, Password) Then
                ' Issue a non-persistent forms-authentication cookie.
                FormsAuthentication.SetAuthCookie(UserName, False)
                Return True
            End If
        End If
        ' Empty input or failed authentication.
        Return False
    End Function

    ' Throws if the current request does not carry a valid authentication cookie.
    Public Sub ValidateAuthentication()
        If Context.User.Identity.IsAuthenticated = False Then
            Throw New System.UnauthorizedAccessException("User is not authenticated.")
        End If
    End Sub

    <WebMethod()> _
    Public Sub Logout()
        ' Remove the forms-authentication cookie for an authenticated caller.
        If Context.User.Identity.IsAuthenticated = True Then
            FormsAuthentication.SignOut()
        End If
    End Sub
Upvotes: 1
Reputation: 37533
You could use a custom SOAP header in the service to require credentials to be passed to the methods you wanted to protect. This would still "expose" the methods but they would be inaccessible. Application X would be allowed to access all of the methods because it would be designed to use the appropriate security header, but application Y would be denied access (though it would be able to make use of any public types/enums, etc).
http://msdn.microsoft.com/en-us/library/ms819938.aspx
Upvotes: 0
Reputation: 57946
To create those public/private web services, you can place your .asmx in another folder, create a new web.config file, and define your authorized users inside an <authorization> section.
This document describes this configuration in detail: Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication.
Upvotes: 1
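An added example of the folder-level configuration the answer above describes, not part of the original post: a web.config placed in a hypothetical Private/ folder that holds the restricted .asmx file. The folder name and the user name user1 (borrowed from the login example earlier on this page) are assumptions, and the authentication mode is assumed to be set in the application's root web.config.

```xml
<?xml version="1.0"?>
<!-- Private/web.config (hypothetical folder containing the restricted .asmx).
     The <authentication> element is only valid at application level, so it
     stays in the root web.config; this file overrides authorization only. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins,
           so the allow entry must come before the catch-all deny. -->
      <allow users="user1" />   <!-- assumed account used by the calling application -->
      <deny users="*" />        <!-- everyone else, including anonymous callers -->
    </authorization>
  </system.web>
</configuration>
```

WebMethods left in the public folder remain callable by other applications; only the .asmx files under the restricted folder require a caller that has authenticated as an allowed user.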
Reputation: 4500
I'd create a public webservice and a private one for security purposes.
Upvotes: 0