The UserManager Web Service
The solution to the partial-trust problem is to wrap the ASP.NET providers with a web service. The providers then execute inside the web service, so the security permission demands they make are evaluated against the web service's own call stack and never make their way back to the client.
Using a web service also has the advantage of better scalability, since only the web service, rather than each individual client application, holds connections to the database. Another benefit of a web service is that it avoids the potential security issues of clients authenticating themselves against SQL Server and of managing connection strings securely on the client side. There are, however, a few considerations to bear in mind when using a web service:
- Privacy
You should secure the communication between the clients and the web service, because the clients will be sending credentials over the wire. This can easily be done using HTTPS.
- Additional call latency
Every call to the web service adds a network round trip. Mitigate this with role caching, so that repeated role lookups for the same user do not each go back to the web service.
- Authenticating against the web service itself
This may not be an issue in an intranet environment where you can allow anonymous access to the web service.
- Authorizing the web service calls
The web service allows callers to retrieve role information about a user. Role-membership information may be sensitive information in its own right. This can be dealt with by adding role-based security to the web service and authorizing the callers. Note that authorization requires authentication, so authorizing callers brings the previous consideration back into play.
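As an added example (not the page's own UserManager code), the following C# shows the two halves of the arrangement: an ASMX web service that wraps the Membership and Roles providers and uses PrincipalPermission demands to authorize its callers, and a client-side role cache that addresses the latency consideration. The service name, method names, namespace URL and role names are assumptions made for this illustration; the server class belongs in the .asmx code-behind and the cache in the client application.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.Web.Security;
using System.Web.Services;

// Server side: an ASMX web service that wraps the ASP.NET Membership and
// Roles providers. The providers execute here, inside the web service, so
// their permission demands are satisfied on the server's call stack and
// never reach the client. Service, method and role names are assumptions
// made for this illustration, not the page's own UserManager.
[WebService(Namespace = "http://example.com/usermanager")]
public class UserManager : WebService
{
    // Credential validation is open to any authenticated caller.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public bool Authenticate(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }

    // Role membership is sensitive in its own right: only callers who are
    // themselves in the (assumed) "Manager" role may query it. The demand is
    // evaluated against Thread.CurrentPrincipal, which ASP.NET sets from the
    // authenticated request, so the service must authenticate its callers
    // (for example with Windows authentication in web.config). A failed
    // demand surfaces to the client as a SOAP fault.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public string[] GetRoles(string userName)
    {
        return Roles.GetRolesForUser(userName);
    }

    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public bool IsInRole(string userName, string role)
    {
        return Roles.IsUserInRole(userName, role);
    }
}

// Client side: the delegate the cache uses to reach the web service. In a
// real client this is the GetRoles method of the generated service proxy.
public delegate string[] RoleFetcher(string userName);

// A role cache that absorbs the web service call latency. Roles are fetched
// once per user through the delegate and reused until the entry expires, so
// repeated role checks do not each cost a round trip.
public class RoleCache
{
    private class CacheEntry
    {
        public DateTime Expires;
        public string[] Roles;
    }

    private readonly RoleFetcher fetchRoles;
    private readonly TimeSpan lifetime;
    private readonly Dictionary<string, CacheEntry> entries = new Dictionary<string, CacheEntry>();
    private readonly object sync = new object();

    public RoleCache(RoleFetcher fetchRoles, TimeSpan lifetime)
    {
        this.fetchRoles = fetchRoles;
        this.lifetime = lifetime;
    }

    public string[] GetRoles(string userName)
    {
        lock (sync)
        {
            CacheEntry entry;
            if (entries.TryGetValue(userName, out entry) && entry.Expires > DateTime.UtcNow)
            {
                return entry.Roles;
            }
            // The only call that goes over the wire.
            string[] roles = fetchRoles(userName);
            entry = new CacheEntry();
            entry.Expires = DateTime.UtcNow + lifetime;
            entry.Roles = roles;
            entries[userName] = entry;
            return roles;
        }
    }

    public bool IsInRole(string userName, string role)
    {
        return Array.IndexOf(GetRoles(userName), role) >= 0;
    }

    // Call after a user's roles change, so stale membership is not honoured
    // for the remainder of the cache lifetime.
    public void Invalidate(string userName)
    {
        lock (sync)
        {
            entries.Remove(userName);
        }
    }
}
```

On the client, construct the cache with the generated proxy's method, for example `new RoleCache(proxy.GetRoles, TimeSpan.FromMinutes(5))`, after pointing `proxy.Url` at the service's HTTPS address (so credentials are not sent in clear text) and setting `proxy.Credentials` to `CredentialCache.DefaultCredentials` so the caller is authenticated and the PrincipalPermission demands can be satisfied. The cache lifetime is the window during which a revoked role is still honoured on the client, so choose it to match how quickly role changes must take effect, and call `Invalidate` when the client learns of a change.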
Using the technique described in Appendix A ...