Read up on "code access security". Rather than accepting authentication and
authorization information via your API, demand appropriate permissions inside
your implementation and let the Framework implement the security for you.
"Giammarco" wrote:
> Hi all,
>
> I'm developing an ASP.NET website and thinking about releasing the API
> through webservices in a couple of months (like flickr.com let's say).
>
> Most of the website functionality is restricted to authenticated users.
> Users are classified in different roles, and different roles can take
> different actions.
>
> E.g. Guest can call a function to delete one of his articles, but
> cannot call a function that can delete any article (which can be called
> by an Administrator).
>
> I would like to ask how would you handle user authentication and roles,
> considering that I have to release the API?
>
> The following is an example of the parameters I need to pass to a
> "DeleteArticle" function called from a asp.net page that is accessible
> only to authenticated users.
>
> public bool DeleteArticle(articleID, UserID)
> {
> // delete article
> }
>
> The same function called from the API, could look like this if
> authentication and roles are not planned with the webservices in mind.
>
> public bool DeleteArticle(articleID, userID, userPassword)
> {
> // check username and password and authenticate
> // check if user can delete article
> // delete article
> }
>
> Thanks in advance,
> Giammarco
>
>
|
Similar Threads
