Web Service, Web Application Security in .NET Framework

Posted: December 16, 2010 in ASP.NET, Web Development

The following link has simple and good information about how authentication/authorization can be done for web pages and web services in intranet and internet environments using IIS, Web.config …


A brief summary of the above link (follow the link for the step-by-step walkthrough …)


  • Windows authentication
    • Integrated Windows authentication – the client machine computes a hash value by encrypting the user's credentials and sends it to the server.
    • Basic and Basic with SSL authentication – the client does not generate a hash value; the credentials are only encoded using Base64 before being transmitted. This is not secure because anyone who knows how to decode a Base64 string can easily recover them. Basic with SSL, however, is secure.
    • Digest authentication – a newer type of authentication available from the W2k OS and IE5+. The user credentials are sent over the wire after being hashed using the MD5 (Message Digest 5) hashing mechanism.
    • Client Certificate authentication – There are two types of certificates — server certificates and client certificates. Server certificates ensure that the identity of the server is valid and we can trust it; similarly client certificates ensure that the identity of the client is valid and the client can be trusted.
  • Forms authentication – ASP.NET redirects unauthenticated users to a login page, which can be configured in the Web.config file and which in turn authenticates the user by checking the provided user ID and password against a user database.
  • Passport authentication – Passport authentication, a centralized service provided by Microsoft, offers a single logon point for clients. Unauthenticated users are redirected to the Passport site. As with Forms authentication, this redirection might create problems for clients unless they are programmed to handle the redirect.
  • None or Custom authentication – Of all the authentication methods, every one except Forms and Passport authentication requires Windows accounts for implementing security. Creating and maintaining Windows accounts for a Web application might create problems when scaling an application out to more Web servers, because all the Windows accounts and permissions also have to be duplicated on the other Web servers.

There are some ways to provide custom authentication for our Web Services, for example –

  1. Accept a username and password as a parameter to our method calls
  2. Provide a logon method for our clients to call before they call any other business method. In that logon method, we can verify their credentials and issue them some kind of key to use in future method calls.
  3. Use SOAP headers for passing authentication information


  • Windows NTFS file authorization – uses the ACL (Access Control List) for authorization services.
  • ASP.NET URL authorization – access to web page or service URLs is granted or denied based on application criteria defined in the Web.config file.
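
The Forms authentication and ASP.NET URL authorization items above both come down to Web.config settings. The fragment below is an added example, not taken from the linked article; the cookie name `.APPAUTH`, the paths `Login.aspx` and `Services/Admin.asmx`, and the role `Admins` are hypothetical, and the role check assumes the application populates roles (for example through a role provider).

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected
         to loginUrl (hypothetical page name). -->
    <authentication mode="Forms">
      <!-- requireSSL="true" keeps the ticket cookie off plain HTTP.
           protection="All" encrypts and validates the ticket.
           cookieless="UseCookies" keeps the ticket out of the URL. -->
      <forms name=".APPAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="20" />
    </authentication>

    <!-- URL authorization, site-wide default: "?" means anonymous users,
         so every page and service requires a logged-in user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one service URL (hypothetical path and role).
       Rules are evaluated top-down and the first match wins, so the
       allow must come before the catch-all deny. -->
  <location path="Services/Admin.asmx">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A non-browser web service client calling a protected URL without a valid ticket receives the redirect to the login page rather than a SOAP response, which is the redirection problem noted above.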

More advanced ideas …

To secure a SOAP header that may carry sensitive information such as a user ID/password, you can use a SOAP extension to intercept the SOAP message and encrypt/decrypt it on the client/server side, using the SoapExtension class and its ChainStream, GetInitializer, Initialize and ProcessMessage methods. Refer to the link below for the step-by-step walkthrough …


Refer to the link below for customizing ASP.NET security and writing our own HTTP handlers and modules …


