I have a few questions regarding how to authenticate / authorize using ASP.NET MVC.
I have a bunch of WCF services that authenticate / authorize the user by passing username and password for each request (I check the use of the HttpModule and capture the authentication event in WCF). It uses the ASP.NET membership in this HttpModule to validate the user, and also installs Principal, so I can have roles in my services (these services are shared between our different clients, so I need to save how it works).
Now I want to create an MVC project that can call these services, but I do not want to save the username and password in the session and pass it on to every request.
I have a script with a few spaces in it if anyone can help me!
I enable the AuthenticationService service that WCF offers at the WCF service level.
In my MVC project, I add form authentication and decorate my methods with the authorize attribute, which redirects me to the login page if I have not logged in.
On the login page, when the user gives his username and pwd, I call the WCF authentication service to log in my user. Then I extract the authentication token from this and save it in the session.
The next time I want to call the WCF service at my service level, I retrieve this token and add it to the header of my request.
In the HttpModule that validates my user on the service side, I check to see if it has a valid token OR if it's a valid username or password (to make it easier for other people calling these web services).
If so, it accepts the request and returns the correct data.
Does this sound like the right way to approach this?
Any help is appreciated. :/ Thanks in advance! Nile
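
A sketch of the service-side check described in the question, added here as an example and not code from the original post: an HttpModule that accepts either the forms-authentication ticket issued at login or a username/password pair, and rejects the request when neither validates. The class name and the `X-Username` / `X-Password` header names are hypothetical. It assumes the token is the standard forms-authentication cookie, that the role manager is enabled, and that all traffic runs over HTTPS.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Hypothetical module: accepts a forms-authentication ticket OR username/password.
public class TokenOrPasswordAuthModule : IHttpModule
{
    // Assumed header names; existing callers may already use different ones.
    private const string UserHeader = "X-Username";
    private const string PasswordHeader = "X-Password";

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Try the ticket first so the password path is only a fallback.
        string userName = TryTicket(ctx.Request) ?? TryPassword(ctx.Request);
        if (userName == null)
        {
            ctx.Response.StatusCode = 401;              // neither credential validated
            ctx.ApplicationInstance.CompleteRequest();  // stop before the service runs
            return;
        }
        // RolePrincipal resolves roles through the configured role provider.
        ctx.User = new RolePrincipal(new GenericIdentity(userName, "Custom"));
    }

    private static string TryTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            // Decrypt also verifies the ticket's integrity with the machine key.
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.Name;
        }
        catch (Exception) { return null; } // tampered or undecryptable ticket
    }

    private static string TryPassword(HttpRequest request)
    {
        string user = request.Headers[UserHeader];
        string pass = request.Headers[PasswordHeader];
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass)) return null;
        // Membership.ValidateUser checks against the configured membership provider.
        return Membership.ValidateUser(user, pass) ? user : null;
    }
}
```

The ticket only decrypts on hosts that share the machine key of the service that issued it, so a farm of service hosts needs the same `machineKey` configured on each.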