Best Practice Security

Steve B.

Hi,

I've built an application based on some Web Services.

The Web Services are separated across several asmx files, according to the
business service each one provides.

In each web service, there are some web methods that are accessible to all
users, and some other ones that require more rights.

What is the best way to set up the webservices?

I'm using NT authentication, and I'll create some NT groups to create roles
in the app.
Is it the "correct" way?

How can I allow or deny a specific web method within each asmx file?

Thanks,
Steve
 
Guest

I'd suggest using different asmx files for each level of security required.
You can apply Windows ACLs to restrict access by file.

You can also put each file in its own subdirectory and use Windows security
to restrict access to the subdirectory or you can put a web.config in each
subdirectory with just an Authorization subsection (and appropriate
supersections as required) to limit access using the "Allow" element. All of
the rest of the configuration settings will take the parent (either a higher
level folder with a web.config or the machine.config if no higher level
web.configs exist) level setting and only the permissions will be set for the
subfolders.

As a last resort, if you want to limit access by WebMethod, you'd have to
use impersonation and Windows integrated security on the clients, and use an
IPrincipal.IsInRole method to establish the group membership for the user and
just code the method to throw an exception or do nothing if the user is not
authorized.
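
The per-WebMethod check described in the last paragraph, as an added example that is not part of either post: one asmx code-behind with a method open to all authenticated users and a method restricted to one NT group. The service name, namespace URI, and the group `EXAMPLEDOMAIN\OrderManagers` are hypothetical, and it assumes Windows authentication is enabled with anonymous access turned off.

```csharp
using System.Security;
using System.Security.Principal;
using System.Web.Services;

// Assumes <authentication mode="Windows" /> in web.config and anonymous
// access disabled in IIS, so User carries the caller's Windows identity.
[WebService(Namespace = "http://example.invalid/orders")] // placeholder namespace
public class OrderService : WebService
{
    // Hypothetical NT group acting as the application role.
    private const string ManagersRole = @"EXAMPLEDOMAIN\OrderManagers";

    // Open to every authenticated caller.
    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        RequireAuthenticated();
        return "Order " + orderId + ": pending"; // stand-in for the real lookup
    }

    // Restricted to members of the managers group.
    [WebMethod]
    public bool CancelOrder(int orderId)
    {
        RequireRole(ManagersRole); // authorize before doing any work
        return true;               // stand-in for the real cancellation logic
    }

    // Fails closed: a missing or anonymous principal is rejected.
    private IPrincipal RequireAuthenticated()
    {
        IPrincipal caller = User;
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required.");
        return caller;
    }

    // Group membership is resolved by IPrincipal.IsInRole, as suggested above.
    private void RequireRole(string role)
    {
        IPrincipal caller = RequireAuthenticated();
        if (!caller.IsInRole(role))
            throw new SecurityException("Caller is not in the required role.");
    }
}
```

The unhandled `SecurityException` reaches the client as a SOAP fault, so an unauthorized call fails visibly instead of silently doing nothing.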
 