I am finally converting my web service login and authentication procedures for one of my big production apps. Currently it is using straight web services, with a combination of soap headers and a System.Web.Security.FormsAuthentication ticket which is returned to the client as an encrypted string to be sent back with future requests as well as cached on the server. Lastly, I have a little user class that stores some details about the user that are used for authorization on the client end.
It’s somewhat similar to a secure conversation model because my token also times out every two minutes and has to be regenerated, but I don’t have to authenticate on every single message.
But an interesting difference is that I am explicitly authenticating at the user login (like we always have done, right?) whereas with the ws-security model, I will authenticate along with my actual requests. So if I were CODING all of this (which I’m not sure if I choose between hand coding in order to drill the stuff in to my brain better, or if I will just use the config tool and let that and policies do the grunt work for me — and if you saw what a GORGEOUS day it is out – you’d probably vote for the latter, too! :-)) …where was that sentence? Oh yeah, I will basically strip out the authentication that happens at login.
Thereare some cases where I am doing application updating and I require authentication at login for that process also. But for the other apps, I get to just rip out SO MUCH CODE – yippee – on both the client side and the ws side. Currently, on the client side, I am stuffing the token in the header of every ws call, so I won’t have to do that any longer. On the ws side, every method takes that token and checks against the cache to see if it’s still valid. So I get to take that code out. If it’s not valid, I was returning nothing to my client and the client has to send back the login/pw (which is still available to the app) and get another token. So all *that* code can go, too.
Rip rip rip, delete delete delete.
Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!