Authentication for Web Services

To look at this from the highest level, there are basically two ways to use authentication with an XML Web service created using ASP.NET; you can use what is offered within .NET or you can create custom SOAP-based security. The latter may be necessary when integrating Web services with other products that offer "Web services" such as webMethods or IBM MQSeries. Outside of .NET, there is use of firewalls, IP restrictions lists, and so forth. that can help control just who or what gets to use your Web service. For example, you may wish to establish B2B transactions with another company. Since this is a one-to-one relationship, you could establish a VPN connection between the offices and allow them access to your Web service.

ASP.NET also provides access to remote objects, or Remoting . One key difference is that when using Web services, you can rely on the HTTP protocol for how to get connected. The authentication options available are those made available through Internet Information Services (IIS); Basic, Digest, Integrated Windows, and Client Certificates. For most cases, using Basic authentication over SSL will suffice. Authentication within ASP.NET is discussed in more detail in Chapter 14, "Authentication: Know Who Is Accessing Your Site." With remoting on ASP.NET, you are using an HTTPChannel or TCPChannel class. The authentication process is then handled directly in your code, if it is needed at all.

As you will find as you read this book, the methods for protecting a Web page are quite the same as those for protecting a Web service. With both, you are able to collect credential information and use it accordingly in your application. Authorization in Web services is also implanted. Details on using ASP.NET authorization can be found in Chapter 15.