Authentication for Web Services

Our Process Flow

Now let's take a look at the details of how we implemented the authentication method that we just outlined. The code necessary to create the databases, populate the tables with some sample data, as well as the code for the Login method and the aspx file used to test it are in a .ZIP file accessed through the "Download Source Code" link above. The flow through the process is as follows

Figure 1 - Authentication Process Flow

  1. The initial call to the web service is made through the Login method. The company code, user id and password are provided as parameters. For security reasons, this call will take place over SSL.
  2. The web service uses the Login method of the CLogin object to validate the credentials. The parameters to the method are the same as the initial call to Login. The result will be either a 33-character token or a blank string.
  3. The Login method invokes the stored procedure called prcValidateUser on the Token server. The result will be a recordset (or more accurately, a Data Reader) containing either a 33-character token or a blank string.
  4. The stored procedure prcValidateUser using the information in the Company table to identify the server on which the database can be found and the name of the database itself. This information in turn is used to build the statement that gets executed on the remote server.
  5. Through the stored procedure called prcValidateUser that is in each company's database, we validate the credentials that have been provided.
  6. If a match has been found, then a token gets generated and returned up the chain. As mentioned in the previous section, we use a check digit as part of the process. The value of the token, along with the company and user associated with it gets stored in the Tokens table.

At this point, we have the security token that we need to make the rest of the functions work. You will see it put to use in future articles. As for the next segment, we will discuss the technique that we use to support the authorization portion of the server. As always, any suggestions or improvements are greatly appreciaed. Keep those cards and letters coming. :)

You might also like...


About the author

Bruce Johnson Canada

I am the owner of a small application development consulting company that specialized in the design and implementation of Internet-based applications. While there are others who can make a web ...

Interested in writing for us? Find out more.


Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“Linux is only free if your time has no value” - Jamie Zawinski