stackoom
  简体   繁体   中英

How to authenticate a Windows Mobile client calling web services in a Web App

 原文  2010-03-21 01:41:27       asp.net/ web-services/ security/ windows-mobile/ forms-authentication

Question

I have a fairly complex business application written in ASP.NET that is deployed on a hosted server. The site uses Forms Authentication, and there are about a dozen different roles defined. Employees and customers are both users of the application.

Now I have the requirement to develop a Windows Mobile client for the application that allows a very specialized set of tasks to be performed from a device, as opposed to a browser on a laptop. The client wants to increase productivity with this measure. Only employees will use this application.

I feel that it would make sense to re-use the security infrastructure that is already in place. The client does not need offline capability.

My thought is to deploy a set of web services to a folder of the existing site that only the new role "web service" has access to, and to use Forms Authentication (from a Windows Mobile 5/.Net 3.5 client).

I did see this question and I am aware of the limitations that Forms Authentication poses. Since security is not my primary motivator (I use SSL and can restrict access by IP address), but rather using existing user accounts and roles, my decision tree is somewhat different as well.

Can I do this, is it a good idea, and are there any code examples/references that you can point me to?

1 answers

solution1
 1 ACCPTED  2010-05-19 20:33:22

I ended up with a combination of things. First, forms authentication does not really work in this scenario, because of the redirects that you get when a users is not logged in or the credentials are incorrect.

Because I want to use the user accounts from the web app, I worked around this by just calling Membership.ValidateUser prior to processing each service call on the server.

A user is prompted for an id and password when logging on to the client. I store both values encrypted in the proxy class and pass them transparently with each call using a host header, so that the application does not have to bother with this once the user is logged in, ie the credentials were validated once by calling the Login() service method (which only calls Membership.ValidateUser).

I use the CryptoApi on both the server and the client side. I understand that host headers are somewhat outdated for security applications, but since I use strong encryption AND SSL, it is perfectly adequate.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question how to authenticate user in web services How to make a voice calling web app using Nexmo services? Azure Mobile App Services or Web App Services for Mobile Applications and Web Admin Panel Web services consumption and calling Authenticate a web service for mobile applications How does calling web services lead to a deadlock? How to authenticate/Authorize the MVC web app and web api in the same application proxy class not calling web services How to authenticate an asp.net web app to access sql database Web Services + Windows Authentication Questions
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM