There are also plenty of reliable authentication mechanisms that do work
with web services, such as all of the various HTTP auth protocols (basic,
digest, integrated, client certificates, etc.) and message level protocols
like WS-Security as implemented in WSE and WCF.
You can certainly provide a reliable authorization framework using one of
these to authorize your callers. You certainly want to validate all inputs
carefully, as you should do with any public API.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:ea4ewIQpGHA.756@TK2MSFTNGP05.phx.gbl...
> There is no reliable way to identify calling code over a network. The
> only interaction with the calling code is data sent over the wire, and any
> data used to identify the caller can be spoofed by a malicious caller.
> Since attempting to verify calling code identity is essentially a waste of
> time, your efforts would be better placed on ensuring that your web
> service functions correctly even when invoked by an "unexpected" caller.
> For most applications, this would involve not trusting self-declared
> client user identity and re-validating all data on the server side.
>
>
> <ajfish@blueyonder.co.uk> wrote in message
> news:1152632395.879802.205480@s13g2000cwa.googlegroups.com...
>> Hi,
>>
>> I have a client/server application where the server uses asp.net web
>> services.
>>
>> Is there any way I can use code signing, strong names or whatever to
>> verify the identity of the client code across the web service call?
>>
>> TIA
>>
>> Andy
>>
>
>
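
An added example, not part of any post in this thread: an ASP.NET (ASMX) web method that takes the caller's identity from the authenticated HTTP request, ignores the identity the client declares in the message, and re-validates its input on the server. The service, role, parameter names and sample data are assumptions, and it presumes anonymous access is disabled in IIS/web.config so that one of the HTTP auth mechanisms mentioned above populates `User`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical service: every name below is an assumption for illustration.
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    // Allow-list for the only free-form input: 1-20 upper-case letters or digits.
    private static readonly Regex OrderIdPattern = new Regex(@"\A[A-Z0-9]{1,20}\z");

    // Constructed sample data, keyed by "owner|orderId".
    private static readonly Dictionary<string, string> Orders =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice|A1001", "shipped" },
            { @"CORP\bob|B2002", "pending" }
        };

    [WebMethod]
    public string GetOrderStatus(string claimedUser, string orderId)
    {
        // Identity comes from the authenticated transport (basic, digest,
        // integrated or client-certificate auth), never from the message body.
        IPrincipal caller = User;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SoapException("Authentication required.", SoapException.ClientFaultCode);

        // claimedUser is self-declared by the client, so it plays no part in
        // authorization; only the authenticated principal is consulted.
        if (!caller.IsInRole("OrderReaders"))
            throw new SoapException("Not authorized.", SoapException.ClientFaultCode);

        // Re-validate input on the server, whatever the client program checked.
        if (orderId == null || !OrderIdPattern.IsMatch(orderId))
            throw new SoapException("Invalid order id.", SoapException.ClientFaultCode);

        // Scope the lookup to the authenticated caller so a valid id that
        // belongs to someone else is indistinguishable from a missing one.
        string status;
        if (!Orders.TryGetValue(caller.Identity.Name + "|" + orderId, out status))
            throw new SoapException("Order not found.", SoapException.ClientFaultCode);
        return status;
    }
}
```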