When using web services with DotNetNuke, there are three primary methods I use to secure them:
- Using HTTP context – When a user logs into your DotNetNuke website, their web browser is given an “authentication token” in the form of a cookie. Web service calls made using Ajax or Silverlight use this cookie for authentication. This cookie will “time out” like a normal login if it is not used for a period of time (usually 20 minutes).
- Using a “custom token” – SilverlightDesktop.net uses this to provide a token that won't time out.
- Authenticating manually – IWeb uses this method to give you the most flexible authentication.
Using HTTP Context
This is the simplest method. You can download a simple module that demonstrates this at this link.
First, the user must be using a web browser (this includes Ajax) or a plug-in running in a web browser such as Silverlight (this does not cover Silverlight running out of browser or on Windows Phone 7).
Next, you just use a web method such as this:
using System.Web.Services;
using DotNetNuke.Entities.Users;

[WebMethod]
public string GetUsername()
{
    string strUsername = "World!";
    // Get the current user from the DotNetNuke HTTP context (the authentication cookie)
    UserInfo objUserInfo = UserController.GetCurrentUserInfo();
    // UserID is -1 for an anonymous visitor; anything greater means they are logged in
    if (objUserInfo.UserID > -1)
    {
        strUsername = objUserInfo.DisplayName;
    }
    return strUsername;
}
That's it. If they are logged in, their UserID will be greater than -1. The problems with this method are:
- They will time out if they have not made any calls and their IIS authorization token has expired
- This will not work with any non web browser (or web browser plug-in) situation
Authentication Using Custom Token
SilverlightDesktop.net creates a special “user authentication token” and passes it to the Silverlight application:
objUser = DotNetNuke.Entities.Users.UserController.GetCurrentUserInfo();
string strSilverlightPassword = Authendication.SetSilverlightKey(objUser, ModuleId, strIPAddress);
The application uses this password on all web service calls. The advantage of this approach is that the password will not “time out”: the user can keep the screen open for hours and never need to log in again. Also, their real password is not transmitted over the network.
The “SetSilverlightKey” code is a bit complex, because it contains code that prevents a hacker from guessing passwords (it scrambles the password on each bad attempt) and prevents an attacker from locking a user out by guessing wrong (it tracks the last IP address the user logged on from, and only scrambles the password if the bad attempt came from the same IP “block”). It also rejects the correct password if it comes from a different IP block.
Ripping out the “SetSilverlightKey” code for your own use is easy, as SilverlightDesktop.net provides full source code.
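The rules described above, as an added illustration in C# (not code from SilverlightDesktop.net): a per-user random key that is refused from any other IP block and scrambled after a bad attempt from the user's own block. The first-three-octets notion of a “block”, the in-memory store and the method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;

// Added illustration, not SilverlightDesktop.net's code. Assumed: a "block" is the
// first three IPv4 octets; records live in memory; method names are hypothetical.
public class UserKeyRecord
{
    public string Key;      // random per-user "Silverlight password"
    public string IpBlock;  // block of the address the key was last issued to
}
public static class SilverlightKeyStore
{
    private static readonly Dictionary<int, UserKeyRecord> Records = new Dictionary<int, UserKeyRecord>();
    // 32 bytes from the OS CSPRNG; never derived from the user's real password.
    private static string NewKey()
    {
        byte[] buffer = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(buffer); }
        return Convert.ToBase64String(buffer);
    }
    public static string IpBlockOf(string ipAddress)
    {
        byte[] o = IPAddress.Parse(ipAddress).GetAddressBytes();
        return o[0] + "." + o[1] + "." + o[2];
    }

    // Called once at browser log-in; the Silverlight app sends the key on every call.
    public static string IssueKey(int userId, string ipAddress)
    {
        Records[userId] = new UserKeyRecord { Key = NewKey(), IpBlock = IpBlockOf(ipAddress) };
        return Records[userId].Key;
    }
    // Called on every web service call.
    public static bool ValidateKey(int userId, string presentedKey, string ipAddress)
    {
        UserKeyRecord record;
        if (!Records.TryGetValue(userId, out record)) return false;
        // Another block is refused even with the correct key, and nothing is scrambled,
        // so a guesser elsewhere cannot lock the real user out.
        if (record.IpBlock != IpBlockOf(ipAddress)) return false;
        if (string.Equals(record.Key, presentedKey, StringComparison.Ordinal)) return true;
        // A wrong key from the user's own block is scrambled: each bad guess
        // invalidates whatever the guesser has learned so far.
        record.Key = NewKey();
        return false;
    }
}
```

A real module would keep the records in the DotNetNuke database rather than a static dictionary, and a key refused for either reason should be logged so the lockout can be investigated.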
The negative of this approach is:
- This will not work with any non web browser (or web browser plug-in) situation
Authenticating Manually
You may have heard of IWeb. This is a long-running project created by The Open Light Group (Ian Lackey and myself).
The real purpose of this module is to let you easily warehouse web methods for enterprise situations. It lets you set the security access of the web methods you create by DotNetNuke role.
What it does that is relevant to this article is authenticate a user from outside of DotNetNuke. This works for things such as Windows Phone 7 and out-of-browser Silverlight applications.
You do not need to use IWeb if you don't need all its features; you can just grab the source code from http://iweb.adefwebserver.com. It's available in VB and C#.
Basically, start by ripping out the code in Webservice.cs (or .vb) that looks like this:
IWebAuthendication objIWebAuthendication = new IWebAuthendication(IWebCredentials);
if (!(objIWebAuthendication.ValidAndAuthorized()))
{
    return "0,Not Authorized";
}
This article covers using IWeb with Ajax, and you may also find it helpful:
http://www.adefwebserver.com/DotNetNukeHELP/Misc/Dotnetnuke_Secure_AJAX_webservices.htm
The negative of this approach is:
- You are transmitting the user's DotNetNuke username and password with each web service call. However, you can transmit over SSL, and IWeb does allow you to encrypt passwords (you use the same “encryption key” on both the client and the server).