Published Wednesday, December 19, 2007 2:48 AM by martin
Out of the box, WSS 3.0 and MOSS 2007 install a number of ASP.NET web services. Many people think SharePoint can only be used via the browser, but these services enable rich client applications, or other web services, to access SharePoint's storage engine too. Some of these built-in web services are related to security, and I thought it would be good to look at these. All of these services are found at a URL that looks like...
http://<server>/_vti_bin/<service>.asmx
Authentication.asmx
The SharePoint web services don't use any SOAP-level security. They are hosted in IIS, so you can expect to authenticate using whatever scheme IIS is configured to use. Normally this will be Windows authentication, but whatever scheme is used in IIS, you will supply credentials in your HttpWebRequest (or whatever mechanism you use to invoke the service).
Sometimes SharePoint is configured to use a non-IIS authentication mechanism, such as ASP.NET Forms authentication, or Windows Live ID. For Forms Authentication you can use the Authentication web service. It has a Login operation whereby you can supply credentials, and if successful an HTTP cookie is included in the response. You can use that cookie in subsequent requests to access web services in an installation that's using Forms Authentication. For Windows Live ID authentication you'll need to refer to the Live ID SDK for web apps.
The authentication web service also has a Mode operation that lets you find out what kind of authentication is in use by SharePoint: Windows Authentication, Forms Authentication, or Windows Live ID Authentication.
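The Login exchange described above, as an added example in Python (not code from the original post). The namespace, element names and ErrorCode values are assumed to match the service's WSDL and should be checked against Authentication.asmx?WSDL on your server; the sample response and cookie value are constructed.

```python
import urllib.request
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
from xml.sax.saxutils import escape

NS = "http://schemas.microsoft.com/sharepoint/soap/"  # assumed; confirm in the WSDL
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def login_envelope(username, password):
    """Build the SOAP 1.1 Login request; escape() stops credentials breaking the XML."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
            f'<Login xmlns="{NS}"><username>{escape(username)}</username>'
            f'<password>{escape(password)}</password></Login>'
            '</soap:Body></soap:Envelope>').encode("utf-8")

def parse_login(body, set_cookie_headers):
    """Return (error_code, {cookie_name: value}) using the name given in LoginResult."""
    result = ET.fromstring(body).find(f".//{{{NS}}}LoginResult")
    if result is None:
        raise ValueError("no LoginResult in response")
    code = result.findtext(f"{{{NS}}}ErrorCode")
    name = result.findtext(f"{{{NS}}}CookieName")
    if code != "NoError" or not name:
        return code, {}  # e.g. PasswordNotMatch: no cookie to carry forward
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    if name not in jar:
        raise ValueError("server did not set the advertised cookie")
    return code, {name: jar[name].value}

def login(server, username, password):
    """Live call (not run here). Use https: the password is sent in the request body."""
    req = urllib.request.Request(
        f"https://{server}/_vti_bin/Authentication.asmx",
        data=login_envelope(username, password),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{NS}Login"'})
    with urllib.request.urlopen(req) as resp:
        return parse_login(resp.read(), resp.headers.get_all("Set-Cookie") or [])

# Constructed sample response and header, for offline illustration only.
SAMPLE_BODY = (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
               f'<LoginResponse xmlns="{NS}"><LoginResult>'
               '<CookieName>.ASPXAUTH</CookieName><ErrorCode>NoError</ErrorCode>'
               '</LoginResult></LoginResponse></soap:Body></soap:Envelope>')
SAMPLE_HEADERS = [".ASPXAUTH=0123ABCD; path=/; HttpOnly"]
```

The returned cookie dictionary is what you would send as the Cookie header on later calls to the other services under /_vti_bin/.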
People.asmx
If you've used SharePoint much you'll know that wherever you can enter a user account name there's usually a button that allows you to check that name against SharePoint's membership database. To achieve the same thing from your own client you can use an operation called ResolvePrincipal on the People service. There's also an operation called SearchPrincipals that you can use to look up people in the membership database. Actually, when I say "membership database", that could mean lots of different things, based on the authentication scheme that SharePoint's using. It could be users in Active Directory, or it could be a custom ASP.NET membership provider being used with ASP.NET Forms Authentication.
UserGroup.asmx
SharePoint allows us to define groups, which can be used across multiple sites, and roles, which only exist inside a specific site. They both refer to a logical grouping of users. This web service allows you to create and delete them, as well as assign users to them, list the users already in them, etc.
Permissions.asmx
You all know how permissions work: a user (or more generally a principal) is given certain rights to access a specific resource. This web service allows you to define which rights a principal has to access either a site or a list. The rights themselves are chosen from a fairly fine-grained set, defined in the Microsoft.SharePoint.SPRights enumeration.
This service also allows you to get the collection of all permissions currently defined for a given site or list, change some of those permissions, or remove them.
SharePoint without the Browser
Many people view SharePoint as a web app that you use via the browser, but fundamentally it's a storage engine that uses a SQL Server database to manage all kinds of content. It is quite possible to build rich client applications that interact with this storage engine, via the web services. Equally these web services allow other applications to integrate nicely with SharePoint.