Not a code question but more of a pattern. Can anyone point me in the direction of good practice handling with regard to webmethods exposed to jQuery controls with JSON and good security?
In brief, our ASP.NET pages utilize Windows authentication with calls to user objects with roles etc. This is then stored in a session and accessed across webpages. Now, utilizing a webmethod and AJAX call, I can Windows-authenticate the user via Thread.CurrentPrincipal.Identity and add the relevant IIS security options on the web method, but I obviously then need to do a user retrieval and all its roles and access rights. This would be fine if utilizing webservices with sporadic calls, but here I have a webpage with cascading drop-downs and I'd hate to have to check security rights (not IIS) in every webmethod call, as I can't access sessions (because I assume it's outside of scope for the call) and I don't want to have any form of security/rights info transferred to the client; rights should be determined by user on the server.
Any directions, paths, patterns that are common that I can look at?