Chapter 8: Authenticating Users within .NET Services

Depending on the processing your web services perform, there will be times when you will want to restrict access to your web services to specific users. In this chapter, you will learn ways to authenticate the users who connect to a web service. By authenticating users in this way, you can better protect a service’s data or you might restrict the service to only those users who have paid a license fee to use it.

Authentication is the process of establishing that a remote user is actually who he or she claims to be. In our daily lives, we use drivers’ licenses and birth certificates to authenticate our identities. Across the Web, we can use usernames and passwords or digital certificates to confirm our identities. This chapter examines the various authentication techniques. (You will learn how to encrypt the messages a web service exchanges with a client program to further increase your site’s security in Chapter 9, “Securing Communication between a Web Service and Client.”)

Allowing and Controlling Anonymous Access

Across the Web, most sites do not require user authentication. Instead, users are free to access the sites and to use the services the sites offer. Programmers and website administrators refer to users who visit such sites as anonymous users. As it turns out, the same is true for most web services. By default, when you create a .NET web service, the service will initially support anonymous access. As you will learn, you can change a service’s level of authentication using Internet Information Services (IIS).

The web service in Listing 8.1, ShowUser, returns information about the user who is accessing the service. The service provides three methods that programs can use to retrieve authentication information:

    string Username()
    boolean IsAuthenticated()
    string AuthenticationType()

Listing 8.1 ShowUser.asmx.vb

    ' Returns the caller's account name, or "Anonymous" when the identity has no name.
    <WebMethod()> Public Function Username() As String
       Dim Name As String
       Name = Context.User.Identity.Name
       If (Name = "") Then
         Username = "Anonymous"
       Else
         Username = Name
       End If
    End Function

    ' Returns True only when the caller has been authenticated.
    <WebMethod()> Public Function IsAuthenticated() As Boolean
       IsAuthenticated = Context.User.Identity.IsAuthenticated
    End Function

    ' Returns the authentication type in use, or "Anonymous" when none is reported.
    <WebMethod()> Public Function AuthenticationType() As String
       Dim Type As String
       Type = Context.User.Identity.AuthenticationType
       If (Type = "") Then
         AuthenticationType = "Anonymous"
       Else
         AuthenticationType = Type
       End If
    End Function

To create the ShowUser web service, perform these steps:

  1. Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.

  2. Within the New Project dialog box Project Types list, click Visual Basic Projects. Then, within the Templates field, click ASP.NET Web Service. Finally, within the Location field, specify the folder within which you want to store the program and the program name ShowUser. Select OK. Visual Studio .NET will display a page onto which you can drag and drop the service’s components.

  3. Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the program statements in Listing 8.1.

Each of these methods uses the Context object to retrieve specifics about the current user. Using your browser, you can test the web service, as shown in Figure 8.1. Because the service begins with anonymous access, the methods will return the results shown.

Figure 8.1: Displaying authentication information returned from a web service
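
An added example, not code from the book: the values that Listing 8.1 reports can also gate a method, failing closed when IIS passes the caller through anonymously. The class name GuardedService, the helper RequireAuthenticatedCaller, the AccountSummary method, and the list of accepted authentication types are assumptions made for illustration.

```vbnet
Imports System.Web.Services
Imports System.Web.Services.Protocols

' Added example: GuardedService is a hypothetical service, not part of ShowUser.
<WebService(Namespace:="http://tempuri.org/")> _
Public Class GuardedService
    Inherits System.Web.Services.WebService

    ' Assumption: the authentication types this service accepts.
    ' Adjust the list to match the schemes IIS is configured to offer.
    Private Shared ReadOnly AllowedTypes() As String = _
        {"Negotiate", "NTLM", "Kerberos"}

    ' Returns the caller's account name, or raises a SOAP client fault.
    ' The decision rests on IsAuthenticated, not on whether Name is empty,
    ' and a missing principal is treated the same as an anonymous caller.
    Private Function RequireAuthenticatedCaller() As String
        Dim Id As System.Security.Principal.IIdentity = Nothing
        If Not (Context.User Is Nothing) Then
            Id = Context.User.Identity
        End If

        If Id Is Nothing OrElse Not Id.IsAuthenticated Then
            Throw New SoapException("Authentication required.", _
                SoapException.ClientFaultCode)
        End If

        ' Reject callers authenticated by a scheme outside the allow-list.
        If Array.IndexOf(AllowedTypes, Id.AuthenticationType) < 0 Then
            Throw New SoapException("Authentication type not accepted.", _
                SoapException.ClientFaultCode)
        End If

        Return Id.Name
    End Function

    ' A protected method: the check runs before any work is done.
    <WebMethod()> Public Function AccountSummary() As String
        Dim Caller As String = RequireAuthenticatedCaller()
        Return "Summary prepared for " & Caller
    End Function
End Class
```

While the application still allows anonymous access, a call to AccountSummary returns the "Authentication required." fault rather than data.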

Within the Windows environment, every user who uses a web-based resource, such as an HTML file or an active server page, must correspond to a user who is authorized to log into the server—in other words, to a user account on the server. As shown in Figure 8.2, Internet Information Services (IIS) lets you map anonymous users to a specific user account on an application basis.

Figure 8.2: Windows 2000 requires that IIS maps anonymous users to a valid user account.

Because each anonymous user maps to a specific account, you can take advantage of Windows access control lists (ACLs) to control the folders and files an anonymous user can access. To map an application’s anonymous users to a specific account, perform these steps:

  1. Select the Start menu Settings option and choose Control Panel. Windows will open the Control Panel.

  2. Within the Control Panel, double-click the Administrative Tools icon. Windows will open the Administrative Tools window.

  3. Within the Administrative Tools window, double-click the Internet Services Manager icon. Windows will open the Internet Services Manager window.

  4. Within the Internet Services Manager window, click the plus sign that precedes the server and then expand the web server to locate the application’s folder. Right-click the folder and choose Properties. Windows will display the folder’s Properties dialog box.

  5. Within the Properties dialog box, select the Directory Security tab. Windows will display the Directory Security sheet. Click the Edit button. Windows will display the Authentication Modes dialog box, shown in Figure 8.3.

    Figure 8.3: Using the Authentication Modes dialog box to map anonymous users to a specific Windows account

  6. Within the Authentication Modes dialog box, click Edit. Windows will display the Anonymous User Account dialog box within which you can specify the user account to which you want IIS to map anonymous users.

.NET Web Services Solutions
ISBN: 0782141722
EAN: 2147483647
Year: 2005
Pages: 161
Authors: Kris Jamsa