Security/Authentication using Service Operation

  • Question

  • Hi All,

    We're developing a WCF data service that will only be used from third-party applications. Currently we have two consuming applications, one iPhone application using the Objective-C SDK at CodePlex and one web application using JSONP (our services are JSONP enabled).

    The service requires that the consuming applications' users log in before using the service. The login process should be managed from within the calling application, i.e. the user shall not log in using a form in our solution.

    Currently I have a Login service operation which the calling applications use to log in the users. The Login operation basically verifies the credentials, username and password, against our database and sets a Forms authentication cookie if the login is successful. NOTICE! The service uses SSL, i.e. the user's credentials are NOT sent in plain text.

    So far everything works fine except one thing: since I've specified forms authentication in web.config, the server sends a 302 redirect to login.aspx (default behavior) even though I don't have a login.aspx page.

    So to my questions.

    1. Is it OK to use a service operation as a login mechanism?

    2. Can I use forms authentication as described above but override the 302 redirect behavior?


    BR, Max.  



    Tuesday, January 11, 2011 9:31 PM