Hello,
Sorry for the repost, I haven’t got any response in aspnet.webservices group.
We have a web service being used by several clients. It's SSL secured, uses
Windows (Basic) Authentication, each client has its own login. The management
wants to expend it to other clients, but provide "subscription based"
service. Where one pays a monthly fee to use it.
Now, I suggested using existing infrastructure Basic Authentication, just
disable Windows account when subscription expires. But management wants as
little administration as possible. Sure, I can create a user table in db, but
would not it be as much admin? Someone would still have to sign clients up
and enter new user names into database through some admin app or other wise.
If anyone had any experiences implementing Subscription based web service I
would like to hear your comments.
Thank you 6 2321
Actually, using a table would be less administration. In the table that
contains the credentials:
e.g.
UserName (plain text string)
Password (sha1 hash hexcode string)
SubscriptionLastUpdated (datetime)
[other columns...]
As users pay for new/updated subscriptions, the SubscriptionLastUpdated
would automatically get repopulated with a current timestamp. Then on access
to the web service, you would query that table to see if that particular
user's SubscriptionLastUpdated value is more than 30 days ago... if so, you
would not allow access. This would be much easier than having to have
employees go in and scan through everyone's subscription records looking for
outdated subscriptions on a regular basis, and then going in and disabling
accounts using Computer Management or whatever interface is supplied to them.
"WebMatrix" wrote: Hello,
Sorry for the repost, I haven’t got any response in aspnet.webservices group.
We have a web service being used by several clients. It's SSL secured, uses Windows (Basic) Authentication, each client has its own login. The management wants to expend it to other clients, but provide "subscription based" service. Where one pays a monthly fee to use it. Now, I suggested using existing infrastructure Basic Authentication, just disable Windows account when subscription expires. But management wants as little administration as possible. Sure, I can create a user table in db, but would not it be as much admin? Someone would still have to sign clients up and enter new user names into database through some admin app or other wise. If anyone had any experiences implementing Subscription based web service I would like to hear your comments.
Thank you
Right, that makes sense.
But one would still have to add a new user to a table, perhaps through some
kind of admin tool. Enrollment will not be 100% automatic anyway.
Add/remove Windows user can also be done programaticlly though Admin tool.
But what you suggested does make sense. We need to store subscription info
somewhere anyway, database seems to be the right place. So might as well
store user name/passwords and expiration dates.
Thanks.
"Nate" wrote: Actually, using a table would be less administration. In the table that contains the credentials:
e.g. UserName (plain text string) Password (sha1 hash hexcode string) SubscriptionLastUpdated (datetime) [other columns...]
As users pay for new/updated subscriptions, the SubscriptionLastUpdated would automatically get repopulated with a current timestamp. Then on access to the web service, you would query that table to see if that particular user's SubscriptionLastUpdated value is more than 30 days ago... if so, you would not allow access. This would be much easier than having to have employees go in and scan through everyone's subscription records looking for outdated subscriptions on a regular basis, and then going in and disabling accounts using Computer Management or whatever interface is supplied to them.
"WebMatrix" wrote:
Hello,
Sorry for the repost, I haven’t got any response in aspnet.webservices group.
We have a web service being used by several clients. It's SSL secured, uses Windows (Basic) Authentication, each client has its own login. The management wants to expend it to other clients, but provide "subscription based" service. Where one pays a monthly fee to use it. Now, I suggested using existing infrastructure Basic Authentication, just disable Windows account when subscription expires. But management wants as little administration as possible. Sure, I can create a user table in db, but would not it be as much admin? Someone would still have to sign clients up and enter new user names into database through some admin app or other wise. If anyone had any experiences implementing Subscription based web service I would like to hear your comments.
Thank you
I have a quesiton following on to this...
If I had a user table based authentication, how could I make the web
service remember that someone is authenticated? Does session work the
same as it does for ASP.NET ? (I am guessing it does).
So the process would be for my client app to:
A) Call a Login method of the webservice, passing a username/pass and
getting a bool response.
B) If bool is true, then follow up with other calls.
Previously I had the username and password passed with EVERY method,
checking authentication on every query.
Example, get a list of outstanding messages, would call 'GetInbox'
method by passing a user name and password, but with the above process
I could store the userID in session right? Then my 'GetInbox' method
wouldn't need any parameters at all.
How then could I deal with session expiring and so on? Call some sort
of keep alive method as well? That method wouldn't even need any code
in it right? The simple fact that my client app has called the service
has renewed its session lease (or whatever the terminology is).
Is there any security issues relating to this form of authentication?
Many thanks,
Steven Nagy
Hi Steven Previously I had the username and password passed with EVERY method, checking authentication on every query.
Do you send it as an argument to the web service?
If yes, I would suggest letting the security framework handle this for
you. Autentification info is then stored in the SOAP headers and is
invisible in the web service API.
If no, sorry...
At least I think so, but if you use frameworks as WSE or WCF (Indigo)
you can let the security subsystems of these framework handle
authentification. I think they implement some sort of "recogniztion" of
an already authenticated user on the serverside. Client side you assign
a "UserNameToken" to the request an it is this token that gets
authenticated.
Maybe some guys (or gals) can shed some light on this..maybe in another
group..?
Regards
Henrik
Wouldn't ASP.NET 2.0 Membership, Roles and Profiles be ideally suited for
this objective?
<%= Clinton Gallagher
METROmilwaukee (sm) "A Regional Information Service"
NET csgallagher AT metromilwaukee.com
URL http://metromilwaukee.com/
URL http://clintongallagher.metromilwaukee.com/
"Henrik Gøttig" <hg@websolver.dk> wrote in message
news:u3**************@TK2MSFTNGP12.phx.gbl... Hi Steven
Previously I had the username and password passed with EVERY method, checking authentication on every query.
Do you send it as an argument to the web service? If yes, I would suggest letting the security framework handle this for you. Autentification info is then stored in the SOAP headers and is invisible in the web service API. If no, sorry...
At least I think so, but if you use frameworks as WSE or WCF (Indigo) you can let the security subsystems of these framework handle authentification. I think they implement some sort of "recogniztion" of an already authenticated user on the serverside. Client side you assign a "UserNameToken" to the request an it is this token that gets authenticated. Maybe some guys (or gals) can shed some light on this..maybe in another group..?
Regards
Henrik
"Steven Nagy" wrote: I have a quesiton following on to this...
Previously I had the username and password passed with EVERY method, checking authentication on every query. Example, get a list of outstanding messages,
That's somehting I was just thinking about. I think that's the way I am
going to go; authentication with each request. That's just a nature of this
app. It's a windows client, user fetch chunks of data and work with it, there
can be 10 - 1hr time difference between each call and then user decides to
take a lunch break or leaves his/her machine on over the weekend with the
client running. I dont think it makes sense to keep session alive that long.
But to answer your question Session is very much part of Web Service .NET
application. Though clients must be able to accept cookies, from what I
understand. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Max A. Bündchen |
last post by:
My enterprise is a Registered Microsoft Partner and we would to acquire a
MSDN Universal subscription under the Empower ISV Program to start a new
project in .Net (today we dev under VFP 7).
...
|
by: WebMatrix |
last post by:
Hello,
Sorry for the repost, I haven’t got any response in aspnet.webservices group.
We have a web service being used by several clients. It's SSL secured, uses
Windows (Basic)...
|
by: oldVB3r |
last post by:
I would like to create a set of web services that share a common set of types
(classes, structures, enums). I know I can create a VS 2005 web service based
on the Interface statement to contain...
|
by: Joseph Geretz |
last post by:
I have the following class which I am serializing and passing back and forth
between my Web Service application and the client.
public class Token : SoapHeader
{
public string SID;
public...
|
by: Steve |
last post by:
Can anyone point me to a link for sample code for building a subscription
service web site using asp.net 2 and vb 2005?
Thanks
Steve
|
by: erbilkonuk |
last post by:
Hi,
I am very new to .NET Remoting and I try to run a simple program to
subscribe to an event raised by Remoting Class. The Remoting Server
initiates an instance of Remoting Class as Singleton /...
|
by: Steve Arndt |
last post by:
Can someone point me to sample code for building subscription services
(where someone pays either up front for a number of uses, or per use) in
vb.net/asp.net? I want to convert a client-based...
|
by: 9jaman |
last post by:
Can anyone help me find a solution to this problem.I need a desktop-based software or system for news alert service.I want to start a news alert subscription service based on recharge cards.
The...
|
by: =?Utf-8?B?SmFzb24gQS4gSmVuc2Vu?= |
last post by:
I have a MSDN Subscription expiring this month but really need Visual Studio
2008 when it comes out. I called customer service to find out but they don't
know. They seemed to think it was a...
|
by: DolphinDB |
last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation.
Take...
|
by: DolphinDB |
last post by:
Tired of spending countless mintues downsampling your data? Look no further!
In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, we are pleased to welcome back...
|
by: Vimpel783 |
last post by:
Hello!
Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
|
by: PapaRatzi |
last post by:
Hello,
I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
|
by: Defcon1945 |
last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
|
by: Shællîpôpï 09 |
last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
|
by: af34tf |
last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
| |