Web service token authentication

Question

0.00/5 (No votes)

See more:

Hi,

Now, I am facing the difficulties with the web service authentication.The client request the web service . Firsty, the client need to login with user name and password. Then, the server will give the token(random/datetime/randomcode) back to access the web service. The client can request the web service with the token key. The web service need to authenticate the token whether it is correct or not.
Now, the following is my code. But I don't know how to continue add the code from the code projecet's web service authentication article. Please help me!

C#

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Text;

namespace AuthWebApplication
{
    using System.Security.Cryptography;

    /// <summary>
    /// Summary description for WebService1
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [System.ComponentModel.ToolboxItem(false)]
    // To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line.
    // [System.Web.Script.Services.ScriptService]
    public class WebService1 : System.Web.Services.WebService
    {
        public WebService1 ()
        {

        //Uncomment the following line if using designed components
        //InitializeComponent();
        }
        //public AuthHeader SoapAuthentication;

        [WebMethod(Description = "A sample Web Method to demonstrate a simple web Service Authentication using SOAP Headers")]
        public string SampleWebMethod(string Username,String Password)
        {

       if (Username == "demo" && Password == "123")
       {
              return Username + " is an Authenticated User to access the Web Method";
       }
      else
     {
           return "Access Denied for " + Username;
       }

}

Best regards,
Wai Mar Khaing

Posted 7-Sep-11 22:43pm

Wai Mar Khaing

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

BobJanova · Answer 1 · 2011-09-07T23:18:00

Do web services support a session? That would be the easiest, but I don't think they do.

The simplest option is simply to maintain a list of valid tokens and their last use (so you can expire them like web sessions). When you issue a token, add it to the list; whenever a service operation is called (or on a timer in a background thread, it doesn't really matter much), check if any tokens need to be taken off the list because they've expired; and, obviously, if you provide a logout method, the token that is logged out should be removed.

You can also bind tokens to an IP address, if they are designed to be short-lifetime, which prevents session hijacking but means that dynamic IP users might lose their token