New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.

Creating Secure DotNetNuke ASP.NET AJAX Web Services - *Updated*

This article will cover what is needed to implement secure web services for use with ASP.NET AJAX in the DotNetNuke Framework. (This only applies to DotNetNuke 4.5.0 or higher)

Also see:

The Problem

When implementing ASP.NET AJAX in your DotNetNuke module, you will usually discover that calling web services from your client-side code is an efficient method for accessing data because the web services can also be used by other programs, allowing you to reuse the code.

The problem with this strategy is that the web services need to be secured and you do not want to transmit unencrypted passwords over the network. Simply encrypting the passwords is not enough because the username / encrypted password combination can be captured with a packet sniffer or retrieved from the web browser cache and used to access the web service. 

The Solution

Using the IWeb module you can easily create secure web services.

Download and install IWeb

Download and install IWeb from It will create files in a IWeb directory in the App_Code folder:

and in a IWeb directory in the DesktopModules folder:

When you place an instance of the module on a page in your DotNetNuke site, you will see the IWeb main screen that provides links to the sample web services client as well as a link to the IWeb configuration page.

Clicking Edit IWeb Configuration will take you to the IWeb configuration screen.

Create an IWeb Web Services Method

In Visual Studio 2005 (or Visual Web Developer Express), right-click on the IWeb folder under the App_Code directory

and select Add New Item.

Select Class for the template and enter GetUser.vb for the name and click Add. Enter the following code for the class

Imports System.Web
Imports System.Web.Services
Imports System.Xml
Imports System.Web.Services.Protocols
Imports System.Web.Script.Services
Namespace DotNetNuke.Modules.IWeb
    <ScriptService()> _
    Partial Public Class WebService
        <WebMethod(Description:=" GetUser *DotNetNuke* |ASP.NET AJAX| #IWEB Misc# !Portal! ")> _
        <ScriptMethod()> _
        Public Function GetUser(ByVal PortalID As Integer, _
        ByVal UserID As Integer, ByVal Username As String, ByVal Password As String, ByVal ModuleId As String, _
        ByVal WebPageCall As Boolean, ByVal Encrypted As Boolean) As String
            Dim objIWebAuthendicationHeader As New IWebAuthendicationHeader()
            objIWebAuthendicationHeader.PortalID = PortalID
            objIWebAuthendicationHeader.Username = Username
            objIWebAuthendicationHeader.UserID = UserID
            objIWebAuthendicationHeader.Password = Password
            objIWebAuthendicationHeader.Encrypted = Encrypted
            objIWebAuthendicationHeader.WebPageCall = WebPageCall
            objIWebAuthendicationHeader.ModuleID = ModuleId
            Dim objIWebAuthendication As New IWebAuthendication(objIWebAuthendicationHeader)
            If Not objIWebAuthendication.ValidAndAuthorized() Then
                Return "Not Authorized"
                Dim objUser As UserInfo = IWebUserInfo.GetUserInfo(PortalID, UserID, Username, Password, ModuleId)
                Return "DisplayName: " & objUser.DisplayName & " - Email: " & objUser.Email
            End If
        End Function
    End Class
End Namespace

A few things to note about the code above:

  • The class is declared Partial because it is compiled with the other IWeb methods. This allows all the web service methods to use the same web service entry point.
  • objIWebAuthendication.ValidAndAuthorized and IWebUserInfo.GetUserInfo are the methods that will save you a lot of code that you would otherwise have to create. If you do not wish to use IWeb you can copy and use the code. However, if you want to implement password encryption, you will have to copy about half of the IWeb code. If you use IWeb as it is, you will benefit from future upgrades.

Return to the IWeb configuration page and click the Refresh Web Methods link.

The GetUser method will show up. Change the Security Setting to Registered Users. Enter a value in the Encryption Key box and click the Update button.

Create The DotNetNuke User Control

In Visual Studio 2005 (or Visual Web Developer Express), create a folder under the DesktopModules folder called AjaxIWebSample. Create a DotNetNuke User Control, (see the tutorial Creating a  Super-Simple DotNetNuke module for information on how to create a DotNetNuke User Control) and a JavaScript file using the code available at these links below (you can also download the sample code and install it using the Install New Module page on the Host menu under Module Definitions):

Your folder should look like the following:

Configure the module and place an instance of it on a page in your DotNetNuke website (see the tutorial Creating a  Super-Simple DotNetNuke module for information on how to create a module configuration). If you download and install the sample code, the module configuration is done for you. You will only need to place an instance of the module on a page in your DotNetNuke site.

When you place the AjaxIWebSample module on a page it will look like this:

This is a sample of the code that is generated in the page for the Get User Info button:

<input type="button" name="dnn$ctr380$View$btnGetUserInfo" value="Get User Info" onclick="GetUser(0,1,'myuser','67324567825373',true,false);; return false;__doPostBack('dnn$ctr380$View$btnGetUserInfo','')" id="dnn_ctr380_View_btnGetUserInfo" />

When a user is logged in and they click the button:

  • The code in the button calls the GetUser function in CallWebServiceMethods.js
  • The GetUser function in CallWebServiceMethods.js calls the GetUser method in the web service (GetUser.vb)
  • The GetUser method in the web service returns the value to the SucceededCallback function in CallWebServiceMethods.js
  • The SucceededCallback function in CallWebServiceMethods.js inserts the value in the <Div></Div> tags in View.ascx

Secure Web Services

This method provides secure web services because:

  • The DotNetNuke password is never displayed on any page or transmitted over the network.
  • The password changes each time the page is accessed so a page (and the username / password combination) retrieved from the web browser cache (for example if the page were accessed at a public internet cafe) will contain a password that has either been changed, expired, or due to expire soon (the last username / password combination expires after 1 hour. This can be set to a lower number for greater security).

Setting Dependency

In the sample code the configuration has been set to require that the IWeb Core be installed first.

If IWeb Core is not available the installer will not install the module and will show an error:

Download the code at this link.


Comment Form

Only registered users may post comments.


Aderson Oliveira (22)
Alec Whittington (11)
Alessandra Daniels (3)
Alex Shirley (10)
Andrew Hoefling (3)
Andrew Nurse (30)
Andy Tryba (1)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (37)
Ben Schmidt (1)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (12)
Bill Walker (36)
Bob Kruger (5)
Bogdan Litescu (1)
Brian Dukes (2)
Brice Snow (1)
Bruce Chapman (20)
Bryan Andrews (1)
cathal connolly (55)
Charles Nurse (163)
Chris Hammond (213)
Chris Paterra (55)
Clint Patterson (108)
Cuong Dang (21)
Daniel Bartholomew (2)
Daniel Mettler (181)
Daniel Valadas (48)
Dave Buckner (2)
David Poindexter (12)
David Rodriguez (3)
Dennis Shiao (1)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (80)
Francisco Perez Andres (17)
Geoff Barlow (12)
George Alatrash (12)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (3)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (274)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (4)
Jordan Coopersmith (1)
Joseph Craig (2)
Kan Ma (1)
Keivan Beigi (3)
Kelly Ford (4)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Malik Khan (1)
Matt Rutledge (2)
Matthias Schlomann (16)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (3)
Michael Washington (202)
Miguel Gatmaytan (3)
Mike Horton (19)
Mitchel Sellers (40)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Oliver Hine (1)
Patricio F. Salinas (1)
Patrick Ryan (1)
Peter Donker (54)
Philip Beadle (135)
Philipp Becker (4)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Sacha Trauwaen (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott Schlesier (11)
Scott Wilkinson (3)
Scott Willhite (97)
Sebastian Leupold (80)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Steven Fisher (1)
Tony Henrich (3)
Torsten Weggen (3)
Tycho de Waard (4)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (40)
Will Strohl (180)
William Severance (5)
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out