How to secure a web service in c# 2.0 and make it easy for any platform to consume

How to secure a web service and make it easy for any platform to consume.

Setup: Asp.NET 2.0, Dot Net 2.0, c# 2.0, Visual Studio 2005. Web server is IIS and uses https (SSL)

1. I would like to avoid in开发者_如何转开发stalling anything like WSE 3.0. I prefer a pure c# method I can take with me to future versions of Visual Studio and IIS.
2. Everyone should be able to still visit the web service URL and description and see the WSDL without authentication.
3. The securing will help to stop people from sending junk to our web service methods.
4. Easy implementation: I do not want to manage certificates for clients or install anything.
5. client only sends a username and password.

Does this mean SOAP header authentication is the only way then? I found these links but don't know if they will work for non .NET clients?

http://aspalliance.com/805 and http://www.codeproject.com/KB/webservices/SOAPHeaderAuthentication.aspx

I also see this article but don't know if and how to implement it (not a very good example).

Please advise or give me a good link (no videos please). Thanks!

Your best bet would be to upgrade to WCF as built-in options are much better there. If you are stuck in 2.0/SOAP land, then a custom SOAP header will work from most platforms -- I've successfully used them from .NET, COM+ and PHP before. You can back the user/pass with the typical ASP.NET authorization bits including the sql database. That said, if the point of security is to cut down on spam and you don't have that vast an array of service methods to "secure" then you might just want to add a "UserKey" parameter to your method then verify (or at least rate-limit) against that.

1. You should upgrade your solution to the WCF. If you can, you can easily select the Credential Type for your clients. See also Securing WCF Service article
2. SOAP headers will work for non-.NET clients, if they can construct needed xml for request.
3. Use this article for easy example of SOAP Header using.

Is basic authentication in IIS not sufficient? It's easy for service consumers to pass basic authentication parameters with a request.