Click here to Skip to main content
15,905,508 members
Please Sign up or sign in to vote.
0.00/5 (No votes)

In our product setup we have some separate webservices that are hosted as a single site.
The webservices come from separate .NET projects. This is so that all webservices can be maintained as separate products with separate release versions.

They are installed together within a single site as webapps underneath this site.


The problem we have is that sometimes webserviceA requires to call webserviceB.
But how do you do this? The /site requires the user to logon.

Next this we have hangfire that runs jobs in the background. This proces will run under the credentials of the application pool user. Which is not added to the group which is allowed to access the site.

There is an admin user. And we can select this from the membership provider, but how do we pass the credentials?

What I have tried:

Right now, we are just creating a temporary user with a generated password.
Logon with this user through a cookie aware webclient.
Do the call.
Delete the user.

This works, but it cannot be the right way to do this.
Updated 1-Aug-17 22:49pm
Thomas Nielsen - getCore 1-Aug-17 4:14am    
Doesn't it work simply to put [authorize] on the services and use a path for routing and let .net handle the rest? It's perfectly standard to define services in libraries and just merely instantiate them, doesn't relate to anything but the identity is authorized and it will be if the user is logged in who do you need to explicitly handle the situation of the login as it relates to services, doesn't your users have access to use the service?
Sebastiaan Meijerink 1-Aug-17 4:18am    
I need to call one webservice from another inside the C# code itself. Not from the client perspective.

Thomas Nielsen - getCore 1-Aug-17 5:37am    
But you have a call chain with authenticated identity accessing your first service?
First service does run with [Authorize] attribute??
Sebastiaan Meijerink 1-Aug-17 5:49am    
Not if it is running a background proces. Then there is no first service call
Thomas Nielsen - getCore 1-Aug-17 6:16am    
ok, well if you're using webapi in the first case, you're already running asyncronously to your website so there really is no reason to use background services or tasks within the actual method call, if that means that you'll loose your identity is there? And if you do you can pass the identity information as state.
How your actual code looks or a mockup of it is essential to anybody inhere being able to help properly :) *hint*

1 solution

For what you're trying to do, connecting from one web service to another service without using passthrough authentication it seems you'll need to authenticate usage of that service in another way.

So there's always indigo or WCF as it came to be called. Windows Communication Foundation is the enterprise 'serious' way of binding together enterprise services. it supports a range of protocols and authentication methods, one is authenticatino by certificate and basically that gives you the option of creating your own X509 certificate and registering on both endpoints (service access points) and then essentially you bypass the user credentials aspect by using that machine authentication method.

Web api is essentially designed to service clients requesting http or https. WCF can use a range of protocols for instance net.tcp which is way faster in terms of not having the http bloating ... don't get me started on thisone :))

Anyway, to continue in your case that your web api host authenticates to your other service with a certificate is hightly secure, found this article i think will help you out and if not the web is overflowing with examples.

Nine simple steps to enable X.509 certificates on WCF[^]

There's also somebody doing this for web api requests and eventually succeeds, but i doubt that won't take a lot of extra work on your behalf to make happen, especially if you're using ajax c# - How to use a client certificate to authenticate and authorize in a Web API - Stack Overflow[^]
Share this answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900