How to authenticate between web service and mobile phone?

I want to make an application for a Windows Mobile 6 mobile phone. This application will talk to a web service that I want to build.

I don't know much about web services or phone software applications, so I have a couple of questions.

  • How do I do authentication? My user downloads my application and goes to the login page. They enter their credentials. This is sent to the server and authenticated. Now, what am I sending out? Is there some form of FormsAuthentication?

  • After logging in, must I continue to check whether they are logged in? As with asp.net mvc, I have AuthorizeAttributes on all my tags. Thus, no one can simply enter the URL to this action method and have access to it. But since this is an application, I'm not sure if they can (say) go to your registration form (first form), and then somehow, without logging in, go to your main form (after the login form).

  • Do web services have Authorize tags like asp.net mvc? I probably need something along these lines, so that no one can type the path to my web service into a web browser and get access to all the methods that I made.

  • I am making an asp.net mvc application right now, and when a user enters their credentials on my site, they are sent as what I guess is plain text(?) to the server, hashed, and then checked. I know, maybe someday when I can afford it, I might get SSL to make it more secure.

So my question is, how about sending credentials from the phone to the server, will it be less secure than what I have for my site right now? About the same thing? What can be done to make it more secure (is it SSL again?).

Thanks

+7
c# web-services asp.net-mvc
2 answers

You can also use SOAP headers to transfer user credentials or an authentication token. You can find an article on how to do this at Authentication for Web Services (using SOAP headers), but to summarize, you create a header class:

    using System.Web.Services.Protocols;

    public class AuthHeader : SoapHeader
    {
        public string Username;
        public string Password;
    }

You define a public property in the web service

    public AuthHeader AuthenticationInfo;

and add some attributes to any web methods that you would like to use only for authenticated users:

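    // AuthenticationException needs: using System.Security.Authentication;
    [SoapHeader("AuthenticationInfo", Required = true)]
    [WebMethod]
    public string HelloSecretWorld()
    {
        // Reject the call unless the SOAP header carries the expected credentials.
        if (!(AuthenticationInfo.Username == "Hello" && AuthenticationInfo.Password == "World"))
            throw new AuthenticationException();
        return "Hello World";
    }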

Client code will look like this:

    MyWebService ws = new MyWebService();
    ws.AuthenticationInfo = new AuthHeader { Username = "Hello", Password = "World" };
    Console.Out.WriteLine(ws.HelloSecretWorld());

This way you do not need to change the method signatures to add authentication.

+9

I had to address this issue several times when connecting using hand-held applications (Windows Mobile) to web services. The solution I used was to create a cookie based on the hash of the username and IP address after the authentication process completed successfully. For example, the user ID and pwd correspond to the stored credentials on the server. You then pass this cookie to the client, which will then be sent along with all web service requests for the rest of the session. For example, the first parameter of any web method is a cookie.

pseudo code:

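    // Log in once and keep the returned cookie.
    string cookie = webServiceInstance.Authenticate("userName", "password");
    // Pass the cookie as the first parameter of every later call.
    double balance = webServiceInstance.GetBalance(cookie, someId);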

Of course, you want to use SSL so that you do not send your user ID and pwd in plain text.

0
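
The server side of the cookie scheme in the answer above, as an added example that is not the answerer's code. It goes beyond the answer in two ways that are assumptions of this example: the hash is keyed with a server-side secret (HMAC-SHA256) so a valid cookie can only be produced by the server, and the cookie carries an expiry time. The names SessionToken, Issue and TryValidate are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; the type and method names are hypothetical.
public static class SessionToken
{
    // Assumption: random per-process secret; a real service loads it from protected configuration.
    private static readonly byte[] Key = new byte[32];
    static SessionToken() { using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(Key); }

    private static byte[] Sign(string data)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Call only after the user ID and password have been verified.
    public static string Issue(string userName, string clientIp, DateTime nowUtc, TimeSpan lifetime)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName)) + "|" + nowUtc.Add(lifetime).Ticks;
        return payload + "|" + Convert.ToBase64String(Sign(payload + "|" + clientIp));
    }

    // Call at the top of every web method, with the caller's address as the server sees it.
    public static bool TryValidate(string token, string clientIp, DateTime nowUtc, out string userName)
    {
        userName = null;
        string[] parts = (token ?? "").Split('|');
        long expires;
        if (parts.Length != 3 || !long.TryParse(parts[1], out expires)) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); } catch (FormatException) { return false; }
        byte[] expected = Sign(parts[0] + "|" + parts[1] + "|" + clientIp);
        int diff = expected.Length ^ presented.Length;   // constant-time comparison of the two MACs
        for (int i = 0; i < expected.Length && i < presented.Length; i++) diff |= expected[i] ^ presented[i];
        if (diff != 0 || nowUtc.Ticks > expires) return false;   // altered, wrong IP, or expired
        userName = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        return true;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string token = Issue("alice", "203.0.113.7", now, TimeSpan.FromMinutes(20));   // constructed values
        string user;
        Console.WriteLine(TryValidate(token, "203.0.113.7", now, out user));              // same client
        Console.WriteLine(TryValidate(token, "198.51.100.9", now, out user));             // different IP
        Console.WriteLine(TryValidate(token, "203.0.113.7", now.AddHours(1), out user));  // after expiry
    }
}
```

Binding the cookie to the client IP means a phone that changes networks mid-session has to log in again.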