Hi Wolfgang,
>> However, the WSDL-page "exposes" all methods and every parameter.
The WSDL _should_ document all the calls. The client program needs to be able to "do everything" - the "limit" is at runtime based on what the local user is allowed to do.
>> Does my explanation make any sense and is there any downside?
You can certainly add credentials to be included in each service request. Inside the service it's trivial to test the credentials, and do a p_web.AddServiceError if the credentials fail. Something like:
p_web.AddServiceError(1,'Authentication','','Authentication Failed','')
>> Any better approach?
Another approach is to offer a "login method" which users call first. This gives them a session cookie, and as long as they include the cookie in subsequent requests they'll "keep" their logged-in status.
You would still do the test with each API call - but they don't have to pass their credentials with each request - which is probably better. The downside is that they need to know how to receive the cookie, and include it in future requests. In NetTalk WebClient this is a very, very complicated operation. You need to add a whole line of code to the program.
net.OptionAutoCookie = true
before you make your first request....
Cheers
Bruce
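
The login-then-cookie flow described in the reply above, as an added example in Python; it is not NetTalk code and not part of the original post. The account, method names, `SESSION_TTL` and the "Not Authorized" text are constructed for illustration.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 900  # seconds; assumed lifetime, not from the post

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
# Constructed sample account with the methods this user may call.
USERS = {"wolfgang": {"pw": _hash("s3cret", _SALT), "allowed": {"GetInvoice"}}}
# Every method is listed, as the WSDL lists it; access is decided at run time.
METHODS = {"GetInvoice": lambda args: {"invoice": args["id"]},
           "DeleteInvoice": lambda args: {"deleted": args["id"]}}
SESSIONS = {}  # session id -> (user, expiry timestamp)

def login(user, password):
    """The 'login method': returns a Set-Cookie value, or None on failure."""
    rec = USERS.get(user)
    candidate = _hash(password, _SALT)  # hashed even for unknown users
    if rec is None or not hmac.compare_digest(rec["pw"], candidate):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable session id
    SESSIONS[sid] = (user, time.time() + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie["session"].OutputString()

def call(method, args, cookie_header):
    """Each API call repeats the test; the cookie only replaces the credentials."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar["session"].value if "session" in jar else ""
    user, expiry = SESSIONS.get(sid, (None, 0))
    if user is None or expiry < time.time():
        SESSIONS.pop(sid, None)  # drop expired sessions
        return {"error": "Authentication Failed"}
    if method not in METHODS or method not in USERS[user]["allowed"]:
        return {"error": "Not Authorized"}
    return METHODS[method](args)
```
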