authentication - WCF services: passing a token to validate a subscription and get database info -
I am creating a smart client application using the .NET client: a WinForms client connecting through WCF services to retrieve data from SQL Server 2008. I will send the username / password (encrypted and over HTTPS) and get back information such as:
- This user (under the current address
- Which server / database should be used in the connection string (not necessarily credentials), because people use different databases based on their subscriptions, etc.
My first call sends the credentials at sign-in, which is a lookup. A serializable class will be used to create the token object (I think this is the way to handle it), which will come back with the server information and database information.
Do I pass this token as a parameter to every service contract (web method), or can I leave all my existing contracts alone and pass the token in a header or some other more universal way?
How do you suggest implementing a token system such as I describe?
Thanks
For one, I would only have one TokenID - some specific ID that uniquely identifies the user and their subscription - travel back and forth all the time after the "Authentication" call. There is no need to send the entire set of information back and forth - only the server side needs it, so you can leave that information on the server and consult it in your server code only when necessary.
The first call - the authentication call - will probably check the credentials being sent against a database table and against a subscription table, and then put that information (which user is calling, which subscription they have, and possibly some kind of expiration date / time) into a "valid tokens" table and get an ID (a GUID or something) from it. You might limit the "life-span" of the TokenID - e.g. it is valid for 30 minutes or so - so that it cannot be used indefinitely after being hijacked from a successful call. The generated GUID is then returned from the authentication call as the TokenID
and can be used as an identifier in each subsequent call.
Things like the data server really have no place in the back-and-forth messages - they are strictly relevant to the server-side service code - just leave them there!
There is definitely a best practice of putting such "meta information", which carries no real payload for your calls, into the header and looking for it there. WCF supports this quite easily, either with message inspectors (on the client and / or service side) or by using OperationContextScope (on the client and service side). Both approaches work fine.
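The following is an added C# sketch of the scheme the answer describes, not code from the original post: the server issues a short-lived GUID TokenID, keeps the server / database mapping in its own "valid tokens" store, the client attaches only the GUID as a SOAP header via OperationContextScope, and a dispatch message inspector validates it for every operation. The header name and namespace, the `TokenStore`, `TokenInspector` and `ClientCalls` types, and the in-memory dictionary standing in for the database table are all my own assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;

// Header name/namespace are assumptions for this illustration.
public static class TokenHeader
{
    public const string Name = "TokenId";
    public const string Namespace = "urn:example:subscription-auth";
}

// What the server keeps per token; only the GUID ever travels over the wire.
public sealed class TokenRecord
{
    public Guid TokenId;
    public string UserName;
    public string DbServer;     // which SQL Server instance this subscriber's data lives on
    public string DbName;
    public DateTime ExpiresUtc;
}

// Stands in for the "valid tokens" table (assumed in-memory store; a real service would persist it).
public static class TokenStore
{
    static readonly ConcurrentDictionary<Guid, TokenRecord> tokens = new ConcurrentDictionary<Guid, TokenRecord>();

    // Called by the authentication operation after the credentials and subscription checked out.
    public static Guid Issue(string user, string dbServer, string dbName, TimeSpan lifetime)
    {
        var rec = new TokenRecord
        {
            TokenId = Guid.NewGuid(), UserName = user, DbServer = dbServer, DbName = dbName,
            ExpiresUtc = DateTime.UtcNow + lifetime          // e.g. TimeSpan.FromMinutes(30)
        };
        tokens[rec.TokenId] = rec;
        return rec.TokenId;
    }

    // Returns null for unknown or expired tokens; expired entries are purged so they cannot be reused.
    public static TokenRecord Validate(Guid tokenId)
    {
        TokenRecord rec;
        if (!tokens.TryGetValue(tokenId, out rec)) return null;
        if (rec.ExpiresUtc <= DateTime.UtcNow)
        {
            tokens.TryRemove(tokenId, out rec);
            return null;
        }
        return rec;
    }
}

// Service side: one inspector checks the header for every operation, so contracts stay unchanged.
public sealed class TokenInspector : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        int idx = request.Headers.FindHeader(TokenHeader.Name, TokenHeader.Namespace);
        Guid tokenId;
        if (idx < 0 || !Guid.TryParse(request.Headers.GetHeader<string>(idx), out tokenId))
            throw new FaultException("Missing or malformed token header.");

        TokenRecord rec = TokenStore.Validate(tokenId);
        if (rec == null)
            throw new FaultException("Token unknown or expired; authenticate again.");

        // Hand the record to the operation through the context, never through the message body.
        OperationContext.Current.IncomingMessageProperties["TokenRecord"] = rec;
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// An operation then builds its connection string from the server-side record.
public static class CurrentCaller
{
    public static string ConnectionString()
    {
        var rec = (TokenRecord)OperationContext.Current.IncomingMessageProperties["TokenRecord"];
        return string.Format("Data Source={0};Initial Catalog={1};Integrated Security=SSPI",
                             rec.DbServer, rec.DbName);
    }
}

// Client side: attach the GUID to a single call with OperationContextScope.
public static class ClientCalls
{
    public static T WithToken<T>(IContextChannel channel, Guid tokenId, Func<T> call)
    {
        using (new OperationContextScope(channel))
        {
            OperationContext.Current.OutgoingMessageHeaders.Add(
                MessageHeader.CreateHeader(TokenHeader.Name, TokenHeader.Namespace, tokenId.ToString()));
            return call();   // e.g. () => proxy.GetCustomers()
        }
    }
}
```

The inspector is registered through an endpoint or service behavior (`ApplyDispatchBehavior` adding it to `DispatchRuntime.MessageInspectors`), which is omitted here. Since the whole scheme rests on the GUID being a bearer secret, the expiry in `Validate` and the HTTPS transport the question already assumes are what limit the damage from a captured token.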