NetWebService - prohibit access

[Wolfgang Orth]

Hello Bruce and all!

A NetWebService is exposed to all and everyone, who is able to call the WSDL-page.

The project I am working on, has several NetWebServices. At a later stage we consider to allow other vendors to access some of them. There is a good chance that some vendors will not get access to each, but just a limited number of NetWebServices. However, the WSDL-page "exposes" all methods and every parameter.

My idea now is to include a sort of authentification in each SOAP-request. The NetWebService will then check, whether this vendor is entitled to request this specific service. Like:

IF PermittedAccess(ReceivedVndorID, ReceivedVendorPW, ThisWebService) = TRUE
etc
ELSE.

PermittedAccess() does a simple SET / NEXT or ACCESS:Vendor.Next() and will RETURN a found or not found (TRUE / FALSE).

Does my explanatiuon makes any sense and is there any downside? Any better approach?

Thanks in advance,
Wolfgang

[Bruce]

Hi Wolfgang,

>> However, the WSDL-page "exposes" all methods and every parameter.

The WSDL _should_ document all the calls. The client program needs to be able to "do everything" - the "limit" is at runtime based on what the local user is allowed to do.

>> Does my explanation  makes any sense and is there any downside?

you can certainly add credentials to be included in each service request. Inside the service it's trivial to test the credentials, and do a
p_web.AddServiceError if the credentials fail. Something like;

p_web.AddServiceError(1,'Authentication','','Authentication Failed','')

>> Any better approach?

Another approach is to offer a "login method" which users call first. This gives them a session cookie, and as long as they include the cookie in subsequent requests they'll "keep" their logged-in status.

You would still do the test with each API call - but they don't have to pass their credentials with each request - which is probably better. The downside is that they need to know how to receive the cookie, and include it in future requests. In NetTalk WebClient this is a very, very, complicated operation. You need to add a whole line of code to the program.

net.OptionAutoCookie = true

before you make your first request....

Cheers
Bruce

[Wolfgang Orth]

Thank you for your quick reply, Bruce!

> Something like;
> p_web.AddServiceError(1,'Authentication','','Authentication Failed','')

Sounds like an easy way to respond with an error.


>>> Any better approach?

> Another approach is to offer a "login method" which users call first.

Its not about the users, but to limit other vendors.

The idea is to grant access to other vendors and let them integrate oder data into their products. Our software is a suite with several different programs, like a program that enables the Hospital Administrator to maintain the suite. Another software vendor does not need to access those data, therefore I would like to prohibit even accidentel access.

[Bruce]

I used "users" here in the context of web client programs.

ie "programs" call the Login Method first (not the visual web Login page, but a Login method you create in your service to do the authentication.)

Cheers
Bruce

[peterH]

Wolfgang,
I've sent a PM to your info-mail.

Peter