I'm working on a project where we have several SOAP Web Services developed in different programming languages, like Java, Perl and Python. I need to authenticate users that will use each Web Service, denying users that we do not want.

I have already seen OAuth, but I didn't find any documentation that helped me in this way. And with OAuth, I have to program each Web Service (with different programming languages) to work with it.

I want to know what is the best way to accomplish these requirements.

Is there any way to do what I want using HTTP Digest Authentication? And which one is a better solution? OAuth or WS-Security?

Thanks in advance, Ukrania

+2  A: 

You've got quite a bit of research ahead of you.

You'll want to learn about Federated Security:

Definition of Federated Security

Federated security allows for clean separation between the service a client is accessing and the associated authentication and authorization procedures. Federated security also enables collaboration across multiple systems, networks, and organizations in different trust realms.

WCF provides support for building and deploying distributed systems that employ federated security.

For WCF information on that, see Federation and Issued Tokens. You may also be interested in the MSDN Magazine article, "Geneva Framework, A Better Approach For Building Claims-Based WCF Services."

FYI, the search I used to find these is http://social.msdn.microsoft.com/Search/en-US/?Refinement=117&Query=federated+security+in+wcf.

John Saunders
Yes, I know about WCF, but this is for .NET, and my priority is open source languages. I will only use C# locally for alternate Web Services. I'm looking for a solution that fits all languages.
ukrania
Sorry, I'm confused. You said "SOAP Web Services developed on different programming languages, like C#". WCF _is_ for .NET. Also, if you read about Federated Security, you'll see why I recommended it - it's exactly what you want to tie together all of your platforms.
John Saunders
A: 

Hi Ukrania,

If you're looking for interoperability you should start with the OASIS Web Service Security standard. You can get a few more links on Wikipedia.

You may have to do some work to get all the implementations playing well together though... your Java and C# code should be easy to get working, but there's no comprehensive Python solution that I'm aware of.

Michael

Michael van der Westhuizen
Just to be clear for Ukrania, WCF supports WS-Security.
John Saunders
I'm trying to avoid the implementation of the same solutions in different languages. I know that for OAuth and WS-Security I need to do that. Is there any way to do what I want using HTTP Digest Authentication? And which one is a better solution? OAuth or WS-Security?
ukrania
I don't know these other platforms, but you won't be writing any code to implement any of these with WCF. These features are built in, and need little other than configuration.
John Saunders
WCF could support it... but I can't control the technologies that my partners are using. So, I need to secure Web Services made in languages other than C#. I changed the question because C# is only used on Web Services that are not part of the core of the project.
ukrania
If you think you would need to implement Federated Security on your own for the other platforms, then you might find that you are mistaken. Toolkits may already exist. Same for WS-Security, BTW. Of course, if your security needs are not high, then perhaps username/password security over SSL would be adequate.
John Saunders
I already know libraries to do WS-Security in several languages. And for WCF? Could you give me some links? Is it possible, for example, to make a WS in Java using WCF?
ukrania
Last note: see if this helps you: http://www.sourceid.org/
John Saunders
WS-Security is the default with WCF. Every service you create starts off using WS-Security.
John Saunders
Thanks. Basically, WCF is one implementation of WS-Security on .NET, like WSS4J on Java. So you think that WS-Security is the best solution for me. Am I right?
ukrania
@ukrania Yes, WS-Security is implemented by all of the mainstream toolkits in some form as a method for interoperable security. John's statements about WCF are all true in that it provides WS-Security, and in doing so should be interoperable with any other toolkit providing WS-Security. John's notes on federated security are also interesting, and you may find yourself needing to go down this route, but start with WS-Security alone and see if it fulfils your requirements.
Michael van der Westhuizen
Thanks for your quick answers. I will try to get some information about Federated Identity; after some research, I think that this can be the best solution for me.
ukrania
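
To make the WS-Security option discussed in this thread concrete, here is an added example (not code from any poster or toolkit named above) of what a service in any language must check for a UsernameToken with PasswordDigest from the OASIS UsernameToken Profile: the digest, the `Created` freshness and nonce reuse. The dictionary token layout, the `lookup_password` callback, the five-minute window and the in-memory nonce cache are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)      # assumed freshness window
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"    # assumed: UTC, no fractional seconds
_seen_nonces = {}                   # nonce bytes -> Created time (assumed in-memory cache)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def make_token(username, password, now=None):
    """Client side: build the UsernameToken fields as a dict (hypothetical layout)."""
    created = (now or datetime.now(timezone.utc)).strftime(TS_FORMAT)
    nonce = os.urandom(16)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode(),
            "Created": created,
            "Password": password_digest(nonce, created, password)}

def verify_token(token, lookup_password, now=None):
    """Service side: return (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    try:
        created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(token["Nonce"], validate=True)
        claimed = str(token["Password"]).encode()
    except (KeyError, ValueError):
        return False, "malformed"
    if abs(now - created) > MAX_AGE:            # too old, or too far in the future
        return False, "stale"
    password = lookup_password(token.get("Username"))
    expected = password_digest(nonce, token["Created"], password or "").encode()
    # Constant-time compare; unknown users get the same answer as wrong passwords.
    if password is None or not hmac.compare_digest(expected, claimed):
        return False, "bad credentials"
    for n, t in list(_seen_nonces.items()):     # drop nonces outside the window
        if now - t > MAX_AGE:
            del _seen_nonces[n]
    if nonce in _seen_nonces:                   # same token presented twice
        return False, "replay"
    _seen_nonces[nonce] = created               # remember only authenticated nonces
    return True, "ok"
```

The digest form requires the service to hold the plaintext password or an equivalent secret, and it does not protect the rest of the SOAP message, so it is normally combined with SSL/TLS or message signing.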