
How to do Authentication between a webservice and a mobile phone?

I want to make a windows mobile 6 cellphone application. This application will talk to a web service that I want to make.

I don't know much about web services and programming apps for phones, so I have a couple of questions.

  1. How do I do authentication? Like my user loads up my app and goes to the login page. They type in their credentials. This gets sent to the server and authenticated. Now what do I send back? Is there some sort of FormsAuthentication?

  2. After they log in, do I have to keep doing checks to see if they are logged in? Like in asp.net mvc I have AuthorizeAttributes on all my tags. That way no one can just type in the url to that action method and be able to access it. But since this is an application I am not sure if they could (say) go to your login form (first form) and then somehow, without logging in, get to your main form (the one after the login form).

  3. Do web services have Authorize tags like asp.net mvc? Since I probably need something along those lines to ensure no one types my webservice path into their web browser and gets access to all those methods I made in it.

  4. I am making an asp.net mvc application right now, and when the user types their credentials on my site, it is sent (in what I am guessing is clear text?) to the server, hashed and then checked. I know maybe one day when I can afford it I might get SSL to make it more secure.

So my question is: with sending the credentials from the phone to the server, will it be less secure than what I have for my website right now? About the same? What can be done to make it more secure (is it SSL again?).

Thanks

asked Nov 23 '09 19:11 by chobo2


1 Answer

You could also use SOAP headers to pass around user credentials or the authentication token. You can find an article on how to do this on Authentication for Web Services (using SOAP headers), but to summarize, you create a header class:

using System.Web.Services.Protocols;

public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

You define a public property on the web service:

public AuthHeader AuthenticationInfo;

and add some attributes to any web methods you would like to be only accessible to authenticated users:

// Requires: using System.Security.Authentication; (for AuthenticationException)
[SoapHeader("AuthenticationInfo", Required = true)]
[WebMethod]
public string HelloSecretWorld()
{
    // Field names must match the AuthHeader class above: Username and Password.
    if (!(AuthenticationInfo.Username == "Hello" && AuthenticationInfo.Password == "World"))
        throw new AuthenticationException();

    return "Hello World";
}

The client code would look like:

MyWebService ws = new MyWebService();
ws.AuthenticationInfo = new AuthHeader {Username = "Hello", Password = "World"};
Console.Out.WriteLine(ws.HelloSecretWorld());

This way you don't need to modify the signatures of the methods to add authentication.

answered Oct 26 '22 15:10 by Michał Drozdowicz
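The answer above checks a hard-coded username and password in every call, and the question asks what to send back after login and how to keep checking on later calls. The following is an added example (not code from the answer or the linked article) that extends the same SOAP-header idea: the phone sends credentials once to a `Login` method, gets back a random session token, and every other method verifies only the token through a shared `RequireUser` check, so the password is never stored on the phone or resent with each request. The passwords are kept as salted PBKDF2 hashes and compared in constant time. `SecureService`, `Login`, `RequireUser`, `Logout`, the `Token` header field and the user `alice` are all assumed names constructed for this example; it assumes an ASMX web service on .NET Framework (System.Web.Services) and that the endpoint is served over TLS, since the token, like the password, is only as secret as the transport.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// One header type serves both purposes: Login carries Username/Password,
// every other call carries only the Token returned by Login. (Assumed design, not the answer's.)
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
    public string Token;
}

public class SecureService : WebService
{
    // Populated by the SOAP stack from the incoming request's header.
    public AuthHeader AuthenticationInfo;

    private class UserRecord { public byte[] Salt; public byte[] Hash; }
    private class Session { public string User; public DateTime Expires; }

    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    // Constructed in-memory user store (username -> salted PBKDF2 hash); a real service uses a database.
    // ConcurrentDictionary because ASMX handles requests on many threads.
    private static readonly ConcurrentDictionary<string, UserRecord> Users =
        new ConcurrentDictionary<string, UserRecord>(
            new[] { new System.Collections.Generic.KeyValuePair<string, UserRecord>(
                "alice", NewRecord("correct horse battery staple")) });

    // Server-side session table: keeping it on the server lets a leaked token be revoked or expired.
    private static readonly ConcurrentDictionary<string, Session> Sessions =
        new ConcurrentDictionary<string, Session>();

    private static UserRecord NewRecord(string password)
    {
        var salt = new byte[16];
        Rng.GetBytes(salt);
        return new UserRecord { Salt = salt, Hash = Derive(password, salt) };
    }

    // PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes) with a high iteration count; never store the raw password.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            return kdf.GetBytes(32);
    }

    // Compare every byte regardless of where the first mismatch is, so timing does not leak the hash.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Step 1: credentials are presented once and exchanged for a random, expiring token.
    [SoapHeader("AuthenticationInfo", Required = true)]
    [WebMethod]
    public string Login()
    {
        AuthHeader h = AuthenticationInfo;
        UserRecord rec;
        if (h == null || h.Username == null || h.Password == null || !Users.TryGetValue(h.Username, out rec))
            throw new AuthenticationException("invalid credentials");   // same message for unknown user and wrong password
        if (!FixedTimeEquals(Derive(h.Password, rec.Salt), rec.Hash))
            throw new AuthenticationException("invalid credentials");

        var raw = new byte[32];
        Rng.GetBytes(raw);                                               // 256 bits of CSPRNG output, not a guessable id
        string token = Convert.ToBase64String(raw);
        Sessions[token] = new Session { User = h.Username, Expires = DateTime.UtcNow.AddMinutes(30) };
        return token;
    }

    // Step 2: every protected method calls this; the server, not the phone's UI, decides who is logged in.
    private string RequireUser()
    {
        string token = AuthenticationInfo == null ? null : AuthenticationInfo.Token;
        Session s;
        if (token == null || !Sessions.TryGetValue(token, out s) || s.Expires < DateTime.UtcNow)
        {
            Session dropped;
            if (token != null) Sessions.TryRemove(token, out dropped);   // purge expired entries as they are seen
            throw new AuthenticationException("login required");
        }
        return s.User;
    }

    [SoapHeader("AuthenticationInfo", Required = true)]
    [WebMethod]
    public string HelloSecretWorld()
    {
        string user = RequireUser();
        return "Hello " + user;
    }

    [SoapHeader("AuthenticationInfo", Required = true)]
    [WebMethod]
    public void Logout()
    {
        Session dropped;
        if (AuthenticationInfo != null && AuthenticationInfo.Token != null)
            Sessions.TryRemove(AuthenticationInfo.Token, out dropped);
    }
}
```

On the phone, the proxy is used the same way as in the answer's client snippet: call `Login()` once with `new AuthHeader { Username = ..., Password = ... }` in `AuthenticationInfo`, keep the returned string in memory, and set `AuthenticationInfo = new AuthHeader { Token = token }` for every later call. A call that arrives without a valid token fails at `RequireUser` no matter which form the application is showing, which is the server-side equivalent of the `[Authorize]` attribute the question asks about; the tokens are bound to a 30-minute expiry here and can be revoked by `Logout`, whereas resending the password on each call gives nothing to revoke.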