Authorizing Access to a Web Service

The Web Services Enhancements for Microsoft .NET (WSE) supports role-based security for authorization of SOAP messages. Role-based security is based on the notion that a set of identities, known as principals, can be grouped into roles, and then a policy can be applied to each of the roles. For example, an application might impose limits on the size of the transaction being processed depending on whether the user making the request is a member of a specified role. Clerks might have authorization to process transactions that are less than a specified threshold, supervisors might have a higher limit, and vice-presidents might have a still higher limit (or no limit at all).

Role-based Authorization

WSE supports role-based authorization of SOAP messages by constructing a principal from a security token within the SOAP message. Because there can be more than one security token within a SOAP message, WSE allows the application to determine which security token is used for authentication and authorization. When the SOAP message contains a security token based on a user name and password or a Kerberos ticket, the contents of the security token are used to authenticate against a Windows account. If the credentials are authenticated, a Windows principal is created and assigned to the Principal property of the security token that is used to sign the SOAP message. Using that Principal property, code within a Web service method can determine whether the sender, by virtue of its role membership, is authorized to execute all or portions of the Web service method. Note that the authorization decision should be based on the token that actually signed the message, not merely on a token that is present in the Security header: a token that did not sign anything does not prove that the sender of the message holds those credentials. Alternatively, role-based security can be set declaratively by using policy. For more information, see How to: Secure a Web Service Using a Policy File.
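The following is an added example, not code from the WSE documentation, showing the imperative form of the check described above applied to the clerk/supervisor/vice-president scenario from the introduction. It assumes WSE 3.0 (the Microsoft.Web.Services3 namespaces and the MessageSignature, SigningToken, SignatureOptions and Principal members), a WSE-enabled ASP.NET Web service, and the hypothetical Windows group names and transaction limits declared at the top of the class; adjust those to your own domain.

```csharp
// Added example (not from the WSE documentation): imperative role-based
// authorization inside a WSE 3.0 Web service method. The role names and
// limits below are assumptions for illustration only.
using System;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

public class TransactionService : WebService
{
    // Hypothetical Windows groups (assumed; replace with real group names).
    const string ClerkRole      = @"CONTOSO\Clerks";
    const string SupervisorRole = @"CONTOSO\Supervisors";
    const string VpRole         = @"CONTOSO\VicePresidents";

    // Hypothetical per-role transaction limits (assumed).
    const decimal ClerkLimit      = 1000m;
    const decimal SupervisorLimit = 25000m;

    [WebMethod]
    public string ProcessTransaction(decimal amount)
    {
        IPrincipal principal = GetSigningPrincipal();
        decimal limit = LimitFor(principal);

        if (amount > limit)
        {
            // Fail closed: the caller's role does not permit this amount.
            throw new SoapException(
                "Transaction amount exceeds the caller's authorized limit.",
                SoapException.ClientFaultCode);
        }

        // ... process the transaction here ...
        return "Processed " + amount.ToString("F2") + " for " + principal.Identity.Name;
    }

    // Locate the token that signed the SOAP body and return the Windows
    // principal WSE attached to it. Tokens that merely appear in the
    // Security header without signing anything are ignored, because any
    // sender can attach such a token without proving possession of it.
    static IPrincipal GetSigningPrincipal()
    {
        SoapContext context = RequestSoapContext.Current;
        if (context == null)
        {
            throw new SoapException("WSE is not enabled for this request.",
                SoapException.ServerFaultCode);
        }

        foreach (ISecurityElement element in context.Security.Elements)
        {
            MessageSignature signature = element as MessageSignature;
            if (signature == null)
                continue;

            // Only a signature that covers the body authenticates the request
            // contents; a signature over headers alone does not.
            if ((signature.SignatureOptions & SignatureOptions.IncludeSoapBody) == 0)
                continue;

            SecurityToken token = signature.SigningToken;
            if (token is UsernameToken || token is KerberosToken)
            {
                IPrincipal principal = token.Principal;
                if (principal != null && principal.Identity.IsAuthenticated)
                    return principal;
            }
        }

        throw new SoapException(
            "The message body was not signed with a user name or Kerberos token.",
            SoapException.ClientFaultCode);
    }

    // Map role membership to a limit, checking the most privileged role first
    // so that a user in several groups gets the highest applicable limit.
    static decimal LimitFor(IPrincipal principal)
    {
        if (principal.IsInRole(VpRole))
            return decimal.MaxValue;      // no limit
        if (principal.IsInRole(SupervisorRole))
            return SupervisorLimit;
        if (principal.IsInRole(ClerkRole))
            return ClerkLimit;

        // Authenticated but in none of the business roles: deny everything.
        throw new SoapException("Caller is not authorized to process transactions.",
            SoapException.ClientFaultCode);
    }
}
```

The method throws a SoapException rather than returning an error value so that an unauthorized call never reaches the transaction logic, and the signature check is done before any role test so that an attacker cannot gain a role simply by embedding somebody else's unsigned token in the header. The same outcome can be expressed declaratively in a policy file, as the page notes; the imperative form is useful when the limit depends on request data such as the amount.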

See Also

Tasks

How to: Authorize the Message Sender Based on a User Name and Password
How to: Authorize the Message Sender Based on a Kerberos Ticket

Other Resources

Authorization Primer