The UserManager Web Service


The solution to the partial-trust problem is to wrap the ASP.NET providers with a web service. When using a web service, none of the security permission demands made by the providers will ever make their way back to the client.

Using a web service also has the advantage of better scalability, since only the web service will be using the connection to the database, rather than each individual client application. Another benefit of a web service is that it avoids potential security issues with clients authenticating themselves against SQL Server and secure connection string management on the client side. There are, however, a few considerations to bear in mind when using a web service:


Privacy

You should secure the communication between the clients and the web service, because the clients will be sending credentials over the wire. This can easily be done using HTTPS.


Additional call latency

This should be resolved using role caching.


Authenticating against the web service itself

This may not be an issue in your Intranet environment if you can sustain anonymous access to the web service.


Authorizing the web service calls

The web service allows callers to retrieve role information about a user. Role-membership information may be sensitive information in its own right; this can be dealt with by adding role-based security to the web service and authorizing the callers. Note that authorization requires authentication.

Using the technique described in Appendix A, you can expose IUserManager and its implementation as web services, as shown in Example B-6.

Example B-6. Implementing IUserManager by a web service
using System.Web;
using System.Web.Security;
using System.Web.Services;

[WebServiceBinding(Name = "IUserManager")]
public interface IUserManager
{
   [WebMethod(Description = "Authenticates the user.")]
   bool Authenticate(string applicationName,string userName,string password);

   [WebMethod(Description = "Verifies user role's membership.")]
   bool IsInRole(string applicationName,string userName,string role);

   [WebMethod(Description = "Returns all roles the user is a member of.")]
   string[] GetRoles(string applicationName,string userName);
}

[WebService(Namespace = "http://SecurityServices",
            Description = "Wraps with a web service the ASP.NET providers. " +
                          "This web service should be accessed over https.")]
class UserManager : IUserManager
{
   public bool Authenticate(string applicationName,string userName,string password)
   {
      // Passwords cross the wire here, so warn when the call did not arrive over HTTPS
      if(HttpContext.Current.Request.IsSecureConnection == false)
      {
         HttpContext.Current.Trace.Warn("You should use HTTPS to avoid " +
                                        "sending passwords in clear text");
      }
      // Select the membership provider's application, then validate the credentials
      Membership.ApplicationName = applicationName;
      return Membership.ValidateUser(userName,password);
   }
   public bool IsInRole(string applicationName,string userName,string role)
   {
      Roles.ApplicationName = applicationName;
      return Roles.IsUserInRole(userName,role);
   }
   public string[] GetRoles(string applicationName,string userName)
   {
      Roles.ApplicationName = applicationName;
      return Roles.GetRolesForUser(userName);
   }
}

The UserManager class in Example B-6 uses both Membership and Roles to obtain the configured providers from the web service configuration file. Note that each web method of UserManager also accepts the application name to use, so that a single web service can support multiple Windows Forms applications.
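As an added illustration (not code from the book), the following client-side wrapper applies two of the considerations listed above: it refuses to send credentials to anything but an HTTPS endpoint, and it caches each user's role list so that IsInRole checks do not pay the web service round-trip on every call. It assumes a proxy class named UserManagerProxy generated from the service's WSDL (exposing Authenticate, IsInRole, GetRoles and the usual Url property), and that the IUserManager interface from Example B-6 is available to the client.

```csharp
using System;
using System.Collections.Generic;
// Added example, not the book's code. UserManagerProxy is an assumed WSDL-generated
// proxy for the UserManager service; IUserManager is the interface from Example B-6.
public class CachedUserManager : IUserManager
{
   readonly UserManagerProxy m_Proxy = new UserManagerProxy();
   readonly TimeSpan m_Ttl;
   // Key: applicationName + "\n" + userName; value: fetch time and the cached roles
   readonly Dictionary<string,KeyValuePair<DateTime,string[]>> m_Cache =
      new Dictionary<string,KeyValuePair<DateTime,string[]>>();

   public CachedUserManager(string url,TimeSpan ttl)
   {
      // Privacy: credentials go over the wire, so refuse anything but HTTPS
      if(new Uri(url).Scheme != Uri.UriSchemeHttps)
         throw new ArgumentException("UserManager must be accessed over HTTPS","url");
      m_Proxy.Url = url;
      m_Ttl = ttl;
   }
   public bool Authenticate(string applicationName,string userName,string password)
   {
      // Never cache a password check; always ask the service
      return m_Proxy.Authenticate(applicationName,userName,password);
   }
   public string[] GetRoles(string applicationName,string userName)
   {
      string key = applicationName + "\n" + userName;
      KeyValuePair<DateTime,string[]> entry;
      lock(m_Cache)
      {
         if(m_Cache.TryGetValue(key,out entry) && DateTime.UtcNow - entry.Key < m_Ttl)
            return (string[])entry.Value.Clone();
      }
      // Cache miss or stale entry: one round-trip, then remember the result
      string[] roles = m_Proxy.GetRoles(applicationName,userName);
      lock(m_Cache)
         m_Cache[key] = new KeyValuePair<DateTime,string[]>(DateTime.UtcNow,roles);
      return (string[])roles.Clone();
   }
   public bool IsInRole(string applicationName,string userName,string role)
   {
      // Answered from the cached role list instead of a second web service call
      foreach(string cached in GetRoles(applicationName,userName))
         if(string.Equals(cached,role,StringComparison.OrdinalIgnoreCase)) return true;
      return false;
   }
}
```

Because a cached role list is only refreshed once the TTL elapses, a role revoked on the server remains effective on the client for up to that long, so pick the TTL with that window in mind.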



Programming .NET Components, 2nd Edition
ISBN: 0596102070
Year: 2003
Pages: 145
Authors: Juval Lowy
