Reputation: 141
Access control to web service
This is what I wish to achieve:
My ASP.NET web service is hosted on a server called //service. I want to control access to the web service by server and by application as well. What I mean here is if I have two ASP.NET web applications (app1 and app2) hosted on a server called //web1 and I only want //web1/app1 to be able to call the web service. I know that I can grant access to the IP address of //web1 but that would allow both //web1/app1 and //web1/app2 access to the web service.
I am thinking about using an SSL certificate as I don't want the web application to handle the login/password. on //service, I will grant access to the ip of //web1 and map a client certificate from //web1 to a windows account and this will allow only applications from //web1 to access. But then how do I further control the access to only //web1/app1?
Upvotes: 1
Views: 4007
Answers (2)
Reputation: 2062
Not really.
A certificate secures the transmission between the client and server domain. It doesn't really work to have multiple certificates for multiple subdirectories.
What you'd want to do is to create a login service that returns a token. You then use that token to manage the session on the server side and the client uses it along with every subsequent request to access and execute the available services. (can this token access this webservice? t/f)
You're going to have to give the client access to some sort of credentials. Whether that is a certificate exchange or a user/pass you're going to have to figure out who the client actually is.
Upvotes: 0
Reputation: 16257
You can use standard HTTP Authentication to control which applications have access to your web service.
Credentials are passed in the Authorization header with each request. Every web service client (i.e. //web1/app1) should have its own credentials, so if //web1/app2 tried to connect to the web service without providing recognized credentials, it would be denied access.
I recommend using SSL to encrypt all traffic, so that authentication information and other sensitive data is secure.
Here are a few articles that may be helpful:
- HTTP Security and ASP.NET Web Services (see Authentication section)
- Authentication in ASP.NET Web Services
Good luck!
Upvotes: 2
Related Questions
- HTTP status 403: Forbidden exception using certificate to authenticate ASP.NET web service
- Fundamental of certificate based authentication
- Accessing a web service and a HTTP interface using certificate authentication
- Calling a web service with a certificate
- webservice authentication via SSL
- Creating .NET web service with client certificate authentication
- WCF - Certificate based authorization from a web app
- Connect To Secure WebService
- Accessing Securised Web Service
- Authenticating a Web Service