Jonah Olsson
Dear All,
I've spent several hours googling the net for articles about Web Service
authentication - and yes, I found a lot.
What I also found was that almost every described method I found had people
saying it's bad, and people saying it's good.
As the subject says, I'm having big trouble choosing the most accurate one for
my application. Here are my thoughts so far:
The application is on shared hosting, so Basic authentication over SSL can
be eliminated since I can't disable Anonymous Access.
I want an easy, but secure way for our customers to gain access to the web
service. Also, I don't know what platform they're using, .NET, Linux etc.,
so Digest authentication or WS-Security might not be a good way since it's
not widely supported. (Correct me if I'm wrong)
The criteria set out on this page match ours exactly:
http://www.developersdex.com/gurus/articles/146.asp?Page=5
I don't like the idea of creating a login method with a token sent back at all.
This requires several round trips to the server when all I want is as few
round trips as possible. However, sending username and password with each
method call to validate the user, requires round trips to the SQL server as
well.
Web Services using sessions/HTTP-cookies seem insecure since the session
might be hijacked (and token methods too). In this case sending username and
password for each method call sounds better.
Does this leave us with custom SOAP headers with/without SSL and username
and password for each call? What's left? Any ideas?
Thanks!
Regards,
Jonah Olsson
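The last option the post raises (a custom SOAP header carrying username and password on every call, verified against a user table on each request) looks like this in a minimal form. This is an added example, not code from the original post or from the poster's application; the header element names, the `urn:example:auth` namespace, the `build_request`/`authenticate`/`dispatch` functions and the in-memory user table are all assumptions constructed for illustration, and the user table stands in for the SQL lookup the post mentions.

```python
# Added example (not from the original post): a custom SOAP header that
# carries username and password on every call, checked server-side.
# The header element names, the "urn:example:auth" namespace and the
# user table are assumptions constructed for illustration.
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"  # assumed namespace for the custom header
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("auth", AUTH_NS)


def q(ns, local):
    """Clark-notation tag name ({namespace}local) as ElementTree expects."""
    return "{%s}%s" % (ns, local)


def build_request(username, password, method, params):
    """Client side: credentials go in the Header, the method call in the Body."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, q(SOAP_NS, "Header"))
    creds = ET.SubElement(header, q(AUTH_NS, "Credentials"))
    ET.SubElement(creds, q(AUTH_NS, "Username")).text = username
    ET.SubElement(creds, q(AUTH_NS, "Password")).text = password
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    call = ET.SubElement(body, q(AUTH_NS, method))
    for name, value in params.items():
        ET.SubElement(call, q(AUTH_NS, name)).text = str(value)
    return ET.tostring(env, encoding="unicode")


def hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256: the store holds salt + digest, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed user store standing in for the SQL table: username -> (salt, digest).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery", _ALICE_SALT))}
# Dummy record so an unknown username costs the same work as a known one.
_DUMMY = (bytes(16), bytes(32))


def authenticate(envelope_xml):
    """Return the username if the Header credentials verify, otherwise None."""
    root = ET.fromstring(envelope_xml)
    creds = root.find(q(SOAP_NS, "Header") + "/" + q(AUTH_NS, "Credentials"))
    if creds is None:
        return None
    username = creds.findtext(q(AUTH_NS, "Username"))
    password = creds.findtext(q(AUTH_NS, "Password"))
    if not username or password is None:
        return None
    salt, stored = USERS.get(username, _DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the membership test is checked after hashing.
    if username in USERS and hmac.compare_digest(candidate, stored):
        return username
    return None


def dispatch(envelope_xml):
    """Authenticate first, then read the Body. Returns (method, params) or a fault."""
    user = authenticate(envelope_xml)
    if user is None:
        return ("Fault", "Client.Unauthenticated")
    root = ET.fromstring(envelope_xml)
    call = root.find(q(SOAP_NS, "Body"))[0]
    method = call.tag.split("}", 1)[1]
    params = {child.tag.split("}", 1)[1]: child.text for child in call}
    return (method, params)


if __name__ == "__main__":
    req = build_request("alice", "correct horse battery", "GetOrders", {"CustomerId": 42})
    print(dispatch(req))   # ('GetOrders', {'CustomerId': '42'})
    bad = build_request("alice", "wrong", "GetOrders", {"CustomerId": 42})
    print(dispatch(bad))   # ('Fault', 'Client.Unauthenticated')
```

Two points the post's own reasoning already implies are worth keeping in view with this design: the password travels in cleartext inside the envelope, so every call has to go over SSL, not only a login call; and because the credential check runs on every request, each request still costs a user lookup plus a password-hash computation, which is the round trip to the database the post is worried about.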