CHAPTER 6 Security Issues with Web Services

The authentication mode can be any of the following values:

•   None  No authentication is performed.

•   Windows  Use Windows integrated authentication. IIS performs the authentication, which can take the form of HTTP Basic, Digest, or NTLM authentication.

•   Passport  Uses Microsoft Passport to authenticate users. This is not a valid method of authentication for XML Web Services. A client with a user interface can use this data to identify the user through some custom method.

•   Forms  This form of authentication issues an authentication ticket in a cookie (the ticket is encrypted and signed and carries the user name, not the password). If the cookie is not present, the user is redirected to a page where he or she can log in. Like Passport, this method will not work with XML Web Services, because a Web Service client has no browser to follow the redirect and fill in the login page. It can be used to identify the user and then use some other method to authenticate the user with the identity information.

Now, let's see how all these different methods can be used.

Application Level Authorization

At times, it may make sense to provide your own authentication mechanisms. Some of the reasons to do so include the following:

•   Your Web Service is running on a corporate intranet and you want to grant access to departments, not individuals. You also can assume that all users are legitimate.

•   Clients already are using credentials you manage for other items (for example, customer ID and password).

•   Integration with other authentication systems does not make sense for your application.

Whatever the reason, creating your own authentication mechanism is possible. All I present here is a recommended way to accomplish this task.

Credentials are useful for establishing ownership of data, rights to view or manipulate data, and for tracking Web Service usage. Regardless of how they are used, the credentials are out-of-band data. By out-of-band, I mean that the information on the entity calling a particular Web Method is extra: it is not one of the arguments the method operates on. In a typical programmatic API, you would get the user identity by calling some operating system-specific functions and would never make this data part of the function signature. With a Web Service, you cannot always do this. However, you can keep the credentials out of the actual function signature. To do this, require that the client send the credentials in the SOAP Header. Keep in mind that a SOAP Header is not protected by itself; if the header carries a user name and password, the call must travel over SSL so that the credentials are not exposed on the wire.
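The following is an added example, not code from the book, showing the approach described above in a language-neutral form: the client places its credentials in the SOAP Header and the Web Method's arguments in the Body; the server authenticates from the Header, then calls a Web Method whose signature carries no credentials, and applies an ownership check before returning data. The service namespace http://example.org/orders, the GetOrderCount method, the user accounts, the ownership table and the order counts are all constructed for the example.

```python
"""Application-level credentials carried in the SOAP Header, kept out of the Web Method signature."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "http://example.org/orders"                     # hypothetical service namespace (assumption)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store a slow, salted hash of the password rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed credential store: user name -> (salt, hash).
# Salts are fixed here so the block is deterministic; use os.urandom(16) per user in practice.
USERS = {
    "alice": (b"salt-for-alice-1", _hash_password("correct horse battery", b"salt-for-alice-1")),
    "bob":   (b"salt-for-bob-0002", _hash_password("hunter2", b"salt-for-bob-0002")),
}
_DUMMY_SALT = b"dummy-salt-000000"                       # used for unknown users (see authenticate)
OWNED_CUSTOMERS = {"alice": {42, 43}, "bob": {7}}        # constructed: which customers each user may query
ORDER_COUNTS = {42: 5, 43: 0, 7: 12}                     # constructed business data


def q(ns, local):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, local)


def build_request(username, password, customer_id):
    """Client side: credentials go in the Header, the method's arguments in the Body."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, q(SOAP_NS, "Header"))
    creds = ET.SubElement(header, q(SVC_NS, "Credentials"))
    creds.set(q(SOAP_NS, "mustUnderstand"), "1")   # a server that cannot process the header must fault
    ET.SubElement(creds, q(SVC_NS, "Username")).text = username
    ET.SubElement(creds, q(SVC_NS, "Password")).text = password
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    call = ET.SubElement(body, q(SVC_NS, "GetOrderCount"))
    ET.SubElement(call, q(SVC_NS, "customerId")).text = str(customer_id)
    return ET.tostring(env, encoding="unicode")


def authenticate(header):
    """Server side: verify the Credentials header. Returns the user name, or None on failure."""
    creds = header.find(q(SVC_NS, "Credentials")) if header is not None else None
    if creds is None:
        return None
    username = creds.findtext(q(SVC_NS, "Username")) or ""
    password = creds.findtext(q(SVC_NS, "Password")) or ""
    salt, expected = USERS.get(username, (_DUMMY_SALT, b""))
    # Always run the hash and use a constant-time compare, so response timing does not
    # reveal whether the user name exists or how much of the hash matched.
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return username if ok and username in USERS else None


def get_order_count(user, customer_id):
    """The Web Method proper: no credentials in its signature; the caller's identity arrives out of band."""
    if customer_id not in OWNED_CUSTOMERS.get(user, set()):
        raise PermissionError("%s may not view customer %d" % (user, customer_id))
    return ORDER_COUNTS.get(customer_id, 0)


def handle_request(xml_text):
    """Dispatcher: authenticate from the Header, then call the method with the Body's arguments.
    Returns ("ok", result) or ("fault", faultcode, faultstring)."""
    env = ET.fromstring(xml_text)
    user = authenticate(env.find(q(SOAP_NS, "Header")))
    if user is None:
        return ("fault", "Client", "Authentication required")
    body = env.find(q(SOAP_NS, "Body"))
    call = body.find(q(SVC_NS, "GetOrderCount")) if body is not None else None
    if call is None:
        return ("fault", "Client", "Unknown method")
    try:
        customer_id = int(call.findtext(q(SVC_NS, "customerId")) or "")
        return ("ok", get_order_count(user, customer_id))
    except ValueError:
        return ("fault", "Client", "Bad customerId")
    except PermissionError as exc:
        return ("fault", "Client", str(exc))


if __name__ == "__main__":
    print(handle_request(build_request("alice", "correct horse battery", 42)))
    print(handle_request(build_request("alice", "wrong password", 42)))
    print(handle_request(build_request("alice", "correct horse battery", 7)))
```

A request with no Header, or with a wrong password, is answered with a Client fault before the Body is looked at, and a valid user asking for a customer that is not theirs is refused by the ownership check inside the Web Method. The password still crosses the network in the header, so the transport has to be SSL.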