Best Practice Security

Hi,

I've built an application based on some Web Services.

Web Services are separated across some asmx files, according to the business
service each one provides.

In each web service, there are some web methods that are accessible to all
users, and some others that require more rights.

What is the best way to set up the webservices?

I'm using NT authentication, and I'll create some NT groups to create roles
in the app.
Is it the "correct" way?

How can I allow or deny a specific web method within each asmx file?

Thanks,
Steve
Jan 25 '06 #1
I'd suggest using different asmx files for each level of security required.
You can apply Windows ACLs to restrict access by file.

You can also put each file in its own subdirectory and use Windows security
to restrict access to the subdirectory or you can put a web.config in each
subdirectory with just an Authorization subsection (and appropriate
supersections as required) to limit access using the "Allow" element. All of
the rest of the configuration settings will take the parent (either a higher
level folder with a web.config or the machine.config if no higher level
web.configs exist) level setting and only the permissions will be set for the
subfolders.

As a last resort, if you want to limit access by WebMethod, you'd have to
use impersonation and Windows integrated security on the clients, and use the
IPrincipal.IsInRole method to establish the group membership for the user and
just code the method to throw an exception or do nothing if the user is not
authorized.

--
Dale Preston
MCAD C#
MCSE, MCDBA
Jan 26 '06 #2
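An added illustration of the per-WebMethod check described in the reply (example code written for this thread, not code from either poster). It assumes `<authentication mode="Windows" />` in web.config with anonymous access disabled in IIS, and the service, method and NT group names are placeholders.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// Placeholder NT groups standing in for the roles created for the app.
// Directory-level alternative from the reply: a web.config in the asmx's
// subfolder with <authorization><allow roles="DOMAIN\OrderApprovers"/>
// <deny users="*"/></authorization> gates the whole file instead.
public class OrdersService : WebService
{
    const string ReadersGroup = @"DOMAIN\OrderReaders";     // placeholder
    const string ApproversGroup = @"DOMAIN\OrderApprovers"; // placeholder

    // Deny by default: an unauthenticated caller (e.g. anonymous access
    // left enabled in IIS) never reaches the method body, and the fault
    // carries no detail about why the check failed.
    private void RequireRole(string role)
    {
        IPrincipal user = Context.User; // WindowsPrincipal under Windows auth
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
        {
            // ClientFaultCode attributes the fault to the caller, not the server.
            throw new SoapException("Access denied.", SoapException.ClientFaultCode);
        }
    }

    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        RequireRole(ReadersGroup);          // readers may query
        return orderId > 0 ? "pending" : "unknown"; // constructed stand-in for a lookup
    }

    [WebMethod]
    public bool ApproveOrder(int orderId)
    {
        RequireRole(ApproversGroup);        // only approvers may change state
        return orderId > 0;                 // constructed stand-in for the update
    }

    // Declarative form of the same check: the runtime tests
    // Thread.CurrentPrincipal (set to Context.User by ASP.NET) before the
    // body runs and raises SecurityException, surfaced to the client as a fault.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = ApproversGroup)]
    public bool CancelOrder(int orderId)
    {
        return orderId > 0;                 // constructed stand-in for the update
    }
}
```

Either form keeps the authorization decision inside the method, so it still applies if the asmx file is later moved out of an ACL-protected folder.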
