I would like to secure our web services. However, I am not entirely sure how this is done. Needless to say, I am pretty new to this. Here is what I would like to have. I would like to authenticate the user against, let's say, a database/Active Directory or even a third-party authentication. Now if the user is authenticated, I would like to use a token or principal (machine specific) and send that to the web service. Is this possible? If yes, would the principal be sent out in clear text? Basically I am asking for guidance on how to implement security in web services.

A: 

Read up on HTTP Digest Authentication. If you set the highest QOP and use client nonce values, it's quite nice.

Your question is missing some really important architectural details. If you're using REST, then you must use something like HTTP Digest. You might also want to use SSL.

S.Lott
Thanks for the quick response. For now I am using standard WCF Services. How would I implement HTTP Digest authentication in a web/WCF service?
vikasde
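
An added example (not code from this thread, and not WCF code) of what the Digest answer above describes: the client sends a hash over the password-derived value, the server nonce, the nonce count, the client nonce and the QOP, never the password itself. The names `ha1`, `response` and `Verifier` are hypothetical, header parsing is assumed to be done already, and the sample values are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()  # RFC 2617 Digest is defined over MD5

def ha1(user: str, realm: str, password: str) -> str:
    # Only value derived from the password; a server can store this instead.
    return md5_hex(f"{user}:{realm}:{password}".encode())

def response(ha1_hex, method, uri, nonce, nc, cnonce, qop, body=b""):
    """Value of the 'response' field the client sends (RFC 2617, 3.2.2)."""
    if qop == "auth-int":    # highest QOP: the request body is hashed in too
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    elif qop == "auth":
        ha2 = md5_hex(f"{method}:{uri}".encode())
    else:
        raise ValueError("unsupported qop")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

class Verifier:
    """Hypothetical server-side check over already-parsed header fields."""
    def __init__(self, ha1_by_user, issued_nonces):
        self.ha1_by_user = ha1_by_user
        self.last_nc = {n: 0 for n in issued_nonces}  # highest nc seen per nonce

    def verify(self, f, method, body=b""):
        stored = self.ha1_by_user.get(f["username"])
        if stored is None or f["nonce"] not in self.last_nc:
            return False                  # unknown user, or a nonce we never issued
        if f["qop"] not in ("auth", "auth-int"):
            return False
        count = int(f["nc"], 16)
        if count <= self.last_nc[f["nonce"]]:
            return False                  # nonce count reused: replayed request
        expected = response(stored, method, f["uri"], f["nonce"], f["nc"],
                            f["cnonce"], f["qop"], body)
        if not hmac.compare_digest(expected, f["response"]):
            return False                  # wrong password, or method/uri/body changed
        self.last_nc[f["nonce"]] = count
        return True

if __name__ == "__main__":
    # Sample values: the worked example in RFC 2617 section 3.5 (qop=auth).
    h = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(response(h, "GET", "/dir/index.html",
                   "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"))
```

Digest keeps the password off the wire and, with `auth-int`, detects a changed body, but the request and response contents are still readable in transit unless the connection also uses SSL/TLS.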
+1  A: 

If you're using WCF, then the default is to use the wsHttpBinding, which uses WS-Security. You then get to choose how to authenticate the user. I believe the default would be Windows authentication.

John Saunders
What if I want to use custom authentication?
vikasde
Then you're in the right place. WCF is extremely customizable.
John Saunders