Authorization


After authentication, you can restrict callers to a subset of the functionality exposed by your Web service, based on the caller's identity or role membership. You can restrict access to service endpoints (at the .asmx file level), to individual Web methods, or to specific functionality inside Web methods.

Web Service Endpoint Authorization

If your Web service is configured for Integrated Windows authentication, you can configure NTFS permissions on your Web service (.asmx) files to control access based on the security context of the original caller. This authorization is performed by the ASP.NET FileAuthorizationModule, and impersonation is not required.

Regardless of the authentication type, you can use the ASP.NET UrlAuthorizationModule to control access to Web service (.asmx) files. You configure this by adding <allow> and <deny> elements to the <authorization> element in Machine.config or Web.config.

For more information about both forms of authorization, see the "Authorization" section in Chapter 19, "Securing Your ASP.NET Application and Web Services."

Web Method Authorization

You can use declarative principal permission demands to control access to individual Web methods based on the identity or role membership of the caller. The caller's identity and role membership are maintained by the principal object associated with the current Web request (accessed through HttpContext.User).

 [PrincipalPermission(SecurityAction.Demand, Role=@"Manager")]
 [WebMethod]
 public string QueryEmployeeDetails(string empID)
 {
   // Reached only by callers in the Manager role; for anyone else the
   // demand throws SecurityException before the body runs.
   return null; // placeholder; the real implementation is omitted here
 }

For more information about principal permission demands, see the "Authorization" section in Chapter 10, "Building Secure ASP.NET Pages and Controls."

Programmatic Authorization

You can use imperative permission checks or explicit role checks by calling IPrincipal.IsInRole inside your Web methods for fine-grained authorization logic, as follows.

 // This assumes non-Windows authentication. With Windows authentication
 // cast the User object to a WindowsPrincipal and use Windows groups as
 // role names
 GenericPrincipal user = User as GenericPrincipal;
 if (null != user)
 {
   if ( user.IsInRole(@"Manager") )
   {
     // User is authorized to perform manager functionality
   }
 }
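The following is an added example, not code from the book, that puts the two Web method techniques above side by side in one ASMX service: a declarative PrincipalPermission demand that runs before the method body, and an imperative check that can combine the caller's role with the request data. The service name, method names, the "Manager" and "HR" roles, and the assumption that an employee's ID equals the authenticated account name are all invented for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web.Services;

// Added example (not from the book). EmployeeService, GetEmployeeSalary,
// the role names and the "empID equals account name" rule are assumptions.
[WebService(Namespace = "http://example.com/employeeservice")]
public class EmployeeService : WebService
{
    // 1. Declarative authorization: the runtime evaluates the demand against
    //    HttpContext.User before the body runs. Role-only demands also require
    //    an authenticated identity, so anonymous callers are rejected too.
    //    A failed demand surfaces to the SOAP client as a fault.
    [PrincipalPermission(SecurityAction.Demand, Role = @"Manager")]
    [WebMethod]
    public string QueryEmployeeDetails(string empID)
    {
        return "details for " + empID;
    }

    // 2. Imperative authorization: the method decides for itself, which lets
    //    it express rules a static attribute cannot (e.g. "HR, or your own record").
    [WebMethod]
    public string GetEmployeeSalary(string empID)
    {
        IPrincipal caller = Context.User;   // same object as HttpContext.User
        if (!IsAuthorizedForSalary(caller, empID))
        {
            // Fail closed and keep the message generic so the response does not
            // reveal whether the requested record exists.
            throw new SecurityException("Caller is not authorized for this operation.");
        }
        return "salary for " + empID;
    }

    // Role check written against IPrincipal so it works for both authentication
    // modes: a WindowsPrincipal resolves Windows group names (e.g. "DOMAIN\HR"),
    // a GenericPrincipal consults the role list it was constructed with.
    internal static bool IsAuthorizedForSalary(IPrincipal caller, string empID)
    {
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            return false;               // no identity: deny

        if (caller.IsInRole(@"HR"))
            return true;                // HR may read any record

        // Self-service rule (assumed for this example): the authenticated
        // account name is the employee ID.
        return string.Equals(caller.Identity.Name, empID,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Keeping the decision in a separate static method such as IsAuthorizedForSalary means the rule can be unit-tested with a hand-built GenericPrincipal (new GenericPrincipal(new GenericIdentity("alice"), new[] { "HR" })) without an HTTP request, and it keeps the deny path in one place so a new Web method cannot accidentally skip it.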



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613