How do I efficiently authenticate the user calling the web service?
In a multi-server environment, users will be able to use the page to post, update, or delete files on servers. I was considering using a web service (on each server) called by an IIS thread to get the job done (using the aspx control page).
However, for obvious reasons, I really don't want anyone to be able to call this web service (by POSTing a well-formed request from their machines).
I am wondering what would be the most efficient (in terms of complexity, scalability) way of providing web service access to my page (token? Sending the current user-principal? I have no access to their password, so sending a login / password pair is not out of the question)
source to share
You should be able to get the user calling the web service by getting the IPrinciple stored at:
IPrinciple _currentUser = HttpContext.Current.User;
Once you get the current user, you can do your check to see if that user has permission to do whatever action they try to do, either by checking to see if the user is in the correct role, or whatever other means you have configured to check permissions.
source to share
You can bind the SHA1 hash to the IP address for each incoming request generated by a combination of browser (like MSIE6.0 or FireFox3), IP address, username (if possible) and / or time and store it in DB (maybe sqlite ) with an expiration time that is appropriate for the file upload / transfer to complete (say 1 hour). Therefore, for each request, you can check the associated hash with the IP address.
If by page you mean through the browser, then I suggest using a cookie to carry the hash.
Note. I say SHA1 hash because it's 160 bits long (40 bytes). So collisions are not easy to come by, especially if you are using time in conjunction with something unique to the user to generate a digest.
I am working on C ++, so I have implemented similar functionality in a CGI application.
source to share