mibuso.com

Hello,

I'm trying to create a web application (extranet) allowing to access Nav data on our website.
For this purpose I created a webservice. All is ok and I can use Nav methods.

The second step is to secure the access to the webservice.
How would you do this ? And how can I allow access to specific user outside of our domain for specifi methods... ? (for instance : specific customer, etc.).
Do I have to create another Webservice to identofy which users can access the webservice ?

I have no idea at all how it could work.

1) Can you give me some information, links or tutorial please ?
2) Is it possible to use soap Header with a webservice published from Nav 2009 R2 ?
3) Where can I see the content of the webservice published (I can't fnd any .asmx file in the nav installation folder) ?
4) Would you use WCF in place of Webservice ? Is it possible with NAV 2009 R2 ?

All your advices are welcom !

Thanks a lot.

Access to the web service is secured automatically, you don't need to do anything specifically to secure it further. Any web service calls are always executed in the context of the user who has authenticated against them.

To answer your 4 questions:

1) Try the tutorials that come with NAV help. Check out Freddy's blog. Check out also my blog - I have delivered a Brown Bag session once about web services, and there is a post on my blog with a download to the session, with lots of examples there
2) Web services in NAV use SOAP. Whenever you call them, it's SOAP. They don't support any other protocol
3) You can't see any .asmx files, because Web services in NAV don't use IIS. They are a standalone WCF service. WSDL of any of them is accessed by simply navigating to the service URL.
4) It does use WCF - they are WCF-based services, not IIS based. If you are asking about consumption, check my latest blog series on the differences of consuming the web services through service references and web references.

I hope this helps.

First of all, thank you for your quick and concise reply. It helped me.
I read articles from Freddy's blog. It was very helpfull for my understanding. Thanks

But I have one more question.

Freddy wrote this at the end of his article on :



Does he mean other users in our domain (active directory) ? That's it ?
My final goal is to provide to some customers the access to only specific methods of the webservice. So, in this case, the customer go to our website, log in in an administration window and can view for example the list of their own ledger entries, etc.

1) Can you give me more details, steps or links in order to achieve this ?
2) How manage rôle and permissions on the webservice methods ?
3) How manage customers username and password on our internet site ?

I hope my explanations are clear.

EDIT : I'm currently watching your brown bag session

Thanks.

Validation of customers and other web users should be handled by your website.
The user where the website runs under should make the calls to the NAV webservice.
You should store the customer number on your website, and link them to the correct webuser.
Then all the calls made to the webservice on nav should have that customer number as parameter.
You're searching too far if you want to grant customer by customer access to NAV, because that will increase your licensed calls.
Your webservice should not be restricted, it's the website that should limit the possible calls by a web user.

After reading the question again, and then Sogs reply, and then your question again, I now believe that I've misunderstood your initial question. What Sog says is what you need to do.

To answer your 3 questions:
1) Your web site code (e.g. ASP.NET) should handle who does what - it has nothing to do with NAV security here.
2) For page web services, the same way as you would control access to pages. For codeunits, whoever can run the codeunit, can run any method in it. This applies to extension codeunits as well.
3) As Sog said - create your own separate database for this. This should not be handled or controlled by NAV.

Where I disagree with Sog, you don't need to worry about licensed calls. Web services calls don't increase the number of licensed calls. As far as I know, no license counting is done for Web services calls, except maybe basic checking if you have a Light User, ESS user or External Connector license - which I can't prove because I don't have a license without these.

For point 2 in the previous post, I would like to add that you can use NAV 2009 R2's permission system to achieve the object and record level security. Please refer to http://msdn.microsoft.com/en-us/library/dd355101.aspx for help.