9

We're in the process of building a new web application stack. The back-end functionality will be heavily service based but as some of these services will need to be exposed to the public internet, I'll need to secure them. I've partially succeeded by locking down the service urls using standard membership/role provider model. The part I'm having trouble with at the minute is if we were to ever build an iOS (or Android) application on top of our Service Stack, how would we go about handling security?

I'm completely open to suggestions. I've included some information below on the setup so far.

  1. ASP.NET Website using SQL Membership/Role Provider / Forms Authentication running on a HTTPS connection. Only the Default/Login/FAQ Pages are publically accessible. All other pages live in a folder called "/Secure" which requires you to be authenticated.

  2. WCF WebService. All backed functionality is provided through this service. Endpoints are only available on the local intranet. the ASP.NET Website Code Behind talks to the service using a standard Service Reference.

  3. WCF REST/JSON Services. Some of the above functionality is re-wrapped in a WCF REST/JSON service. This was setup using the "WCF REST Template 40". The service are then routed using System.Web.Routing to "/Secure/jsonsvc/*". Because this is beneath the /Secure folder, it inherits the membership/roleprovider security for any request. e.g. xmlhttp calls to this service from a client side JQuery widget, would only work for users who had already logged into our site.

  4. In the future, these same WCF Rest/JSON services may need to be consumed by an external application (e.g. an IPad App). What would the best way to approach this be, given the lack of a HTTP Site/Session/Login context.

Eoin Campbell
  • 43,500
  • 17
  • 101
  • 157
  • The authentication mechanism that you mentioned in #1, is it also exposed as part of the webservice in #3? – momo Sep 07 '11 at 10:16
  • do you mean... is there a webservice version of the Membership Provider login method. No there isn't. and I'm not sure how that would even work. Even if I exposed a method which takes a username and password what would it return. The current version results the ASPXAUTH cookie value as part of the in browser xmlhttp requests. how would you simulate that in a native client. – Eoin Campbell Sep 07 '11 at 12:17
  • For most of the apps that we build, the login call of the webservice would return a session token that subsequent webservice calls have to include. You might be interested in the question that I recently answered http://stackoverflow.com/questions/7296729/handling-login-functionality-for-native-app-connecting-to-web-service/7296764#7296764. It might be applicable to your case. – momo Sep 07 '11 at 12:31

1 Answers1

11

As you know, the ASP.NET forms authentication uses a cookie to maintain your authenticated session. Leaving aside any arguments as to whether this is the best way to handle things under a REST methodology, I see no technical reason why you would not be able to use the same cookie in your iOS app.

You would obviously need either a simple login web page (displayed in your app via a UIWebView) or a login REST method to return the cookie to you in the first place, and then on subsequent requests you would simply return the cookie with the request (here is a little bit of information on handling cookies in iOS using the ASIHTTP library).

A couple of important things to keep in mind are that you do not have any control over the wireless network that the device is on so you should definitely be using SSL and also that you should take into account failures/retries/etc for a login REST method just as you would for a login page (if not more so).

Hope that helps!

David Brainer
  • 6,223
  • 3
  • 18
  • 16
  • 2
    +1 Good post. Task a look at the [FormsAuthentication Class](http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.aspx). You should be able to call [`Authenticate`](http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.authenticate.aspx) and [`SetAuthCookie`](http://msdn.microsoft.com/en-us/library/twk5762b.aspx) from a web service that exists outside of your other protected wcf services. Once authenticated, just make sure you are still passing the authentication cookie in subsequent requests. – Sam Sep 26 '11 at 14:29