There are lots of ways to accomplish this; which one is best depends on your precise scenario and things like how important it is to avoid vulnerabilities like replay attacks and spoofing, the cost/benefit of SSL, etc.
One simple technique, for example: you could use some kind of session key as the response to the authentication method call from client to server. The key, which indirectly maps back to some table that stores the identity of the authenticated user, is then stored on the client, and you require that a valid session key be part of every method call to the web service from the client. The web service then uses the session key to determine who is making the call and authorize them appropriately, connect to the right db in your case, etc. The key expires periodically and is not just an incrementing integer or something. You could transmit such a key to the WS from the client in the SOAP header or as an extra parameter in each method signature. There is an MSDN sample that shows/explains such a method; I think perhaps it was cold storage or something like that.

Make sure the authentication method is over SSL and this is a relatively secure approach, though vulnerable if you can sniff the calls to the WS, obviously, unless it is all over SSL or you get even fancier and more complex about your method calls.

Brian

-----Original Message-----
From: Moderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED]] On Behalf Of franklin gray
Sent: Thursday, May 23, 2002 12:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Help Architecting A Middle Tier

"you _do_ require them to authenticate, right?"

Actually, shamefully to admit, no. I am unfamiliar with authentication methods other than the basic application login where I store a hashed PW in the DB and verify two hashed values and go from there. I started to read up on it and am getting a little lost. How would you suggest that I authenticate that the web service call is from a client who has already logged into the application and is requesting data (by Web service calls) to populate the forms? I read that there is Passport authentication but I don't want to require my users to have a Passport.

Any easy DotNet ways of doing this?

You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
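The session-key scheme Brian describes above (login returns an opaque key, a server-side table maps the key back to the authenticated user and their database, every later call carries the key, keys are random rather than incrementing and expire), written out as an added example in Python rather than as .NET/SOAP code. It is not code from the thread or from the MSDN sample mentioned. Assumptions that are mine and not in the posts: a user table holding a PBKDF2 password hash and the customer database name per user, a fixed session TTL, the session table storing only a hash of the key, and an injectable clock so expiry can be exercised offline. The sample user record is constructed for the example.

```python
"""Session-key authentication for a per-call authorized web service (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PBKDF2_ITERS = 100_000  # assumption: cost parameter for the stored password hashes


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    db_name: str  # which customer database this user's calls should connect to


@dataclass
class Session:
    username: str
    db_name: str
    expires_at: float


def make_user(password: str, db_name: str) -> UserRecord:
    """Hash a password the way the login table would store it (salted PBKDF2)."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return UserRecord(salt, pw_hash, db_name)


# Constructed sample user table, standing in for the real DB.
USERS: Dict[str, UserRecord] = {
    "alice": make_user("correct horse battery staple", "CustomerA_DB"),
}


class SessionStore:
    """Maps opaque session keys to authenticated identities, with expiry."""

    def __init__(self, ttl_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions: Dict[str, Session] = {}  # SHA-256(key) -> Session

    @staticmethod
    def _digest(key: str) -> str:
        # Only a hash of the key is stored, so a dump of the table yields no live keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """The 'login' web method: verify the password, return a fresh key or None."""
        rec = USERS.get(username)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.salt, PBKDF2_ITERS)
        if not hmac.compare_digest(candidate, rec.pw_hash):
            return None
        key = secrets.token_urlsafe(32)  # 256 random bits, not an incrementing id
        self._sessions[self._digest(key)] = Session(
            username, rec.db_name, self.clock() + self.ttl)
        return key

    def lookup(self, key: str) -> Optional[Session]:
        """Resolve a key presented on a data call; None if unknown or expired."""
        digest = self._digest(key)
        sess = self._sessions.get(digest)
        if sess is None:
            return None
        if self.clock() >= sess.expires_at:
            del self._sessions[digest]  # expired keys are dropped, not renewed
            return None
        return sess

    def revoke(self, key: str) -> None:
        """Explicit logout."""
        self._sessions.pop(self._digest(key), None)


def get_orders(store: SessionStore, session_key: str) -> Dict[str, str]:
    """A data web method: the key is the only credential and selects the database."""
    sess = store.lookup(session_key)
    if sess is None:
        raise PermissionError("invalid or expired session key")
    # A real service would open a connection to sess.db_name here.
    return {"user": sess.username, "db": sess.db_name}
```

The key is the whole credential for the data calls, which is exactly why Brian's caveat matters: anyone who can read it off the wire can replay it until it expires, so the calls that carry it need SSL as much as the login call does, and the TTL bounds how long a captured key stays useful.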