ASP Net - Best Practice Security
01-25-2006, 10:02 AM   #1
Best Practice Security


Hi,

I've built an application based on some Web Services.

Web Services are separated across some asmx files, according to the business
service it provides.

In each web service, there are some web methods that are accessible to all
users, and some other ones that require more rights.

What is the best way to set up the web services?

I'm using NT authentication, and I'll create some NT groups to create roles
in the app.
Is it the "correct" way?

How can I allow or deny a specific web method within each asmx file?

Thanks,
Steve




Steve B.
01-26-2006, 04:03 AM   #2
Dale
RE: Best Practice Security
I'd suggest using different asmx files for each level of security required.
You can apply Windows ACLs to restrict access by file.

You can also put each file in its own subdirectory and use Windows security
to restrict access to the subdirectory or you can put a web.config in each
subdirectory with just an Authorization subsection (and appropriate
supersections as required) to limit access using the "Allow" element. All of
the rest of the configuration settings will take the parent (either a higher
level folder with a web.config or the machine.config if no higher level
web.configs exist) level setting and only the permissions will be set for the
subfolders.

As a last resort, if you want to limit access by WebMethod, you'd have to
use impersonation and Windows integrated security on the clients, and use an
IPrincipal.IsInRole method to establish the group membership for the user and
just code the method to throw an exception or do nothing if the user is not
authorized.

--
Dale Preston
MCAD C#
MCSE, MCDBA



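The per-WebMethod role check described in the reply above, as an added example that is not part of the original thread. It assumes Windows authentication is enabled for the application and anonymous access is disabled in IIS; the service name, namespace and the group `EXAMPLE\OrderManagers` are hypothetical placeholders.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web.Services;

// Hypothetical service: names and the NT group are placeholders, not from the thread.
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    private const string ManagersGroup = @"EXAMPLE\OrderManagers"; // placeholder NT group

    // Open to every authenticated caller: no role check.
    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        return "Order " + orderId + ": shipped";
    }

    // Imperative check: User is the IPrincipal ASP.NET built for this request.
    [WebMethod]
    public string CancelOrder(int orderId)
    {
        RequireRole(User, ManagersGroup);
        return "Order " + orderId + ": cancelled";
    }

    // Declarative form: the runtime demands the role before the body runs and
    // throws SecurityException if Thread.CurrentPrincipal is not in the group.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = ManagersGroup)]
    public string RefundOrder(int orderId)
    {
        return "Order " + orderId + ": refunded";
    }

    // Fail closed: a missing or unauthenticated principal is rejected as well.
    private static void RequireRole(IPrincipal user, string role)
    {
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
        {
            throw new SecurityException("Caller is not authorized for this operation.");
        }
    }
}
```

An unhandled `SecurityException` reaches the caller as a SOAP fault, so the denied call fails visibly rather than silently doing nothing.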
