views:

32

answers:

1

Hi, I am going to do a web service. Now our customers are going to be able to call the method from their interface. I have been thinking about what I should do for authentication; I have been reading and cannot really decide. I want to pass username and password to the method.

Do you have any advice?

+1  A: 

Common authentication schemes are well-defined and, while not perfect, are known entities. The worst thing you can do is "roll your own" in security.

I assume by your comment "pass username and password to the method", you mean you would like to have access to the credentials used to access your web service. This is fine, but don't pass credentials as parameters to your method.

Based on your description, basic authentication over SSL should provide you sufficient protection for your application. This would work in a non-trusted environment (i.e. across unknown networks) and should be easy enough to implement on the client-side.

jro
So basic authentication with the SSL certificate instead of passing credentials to the method? Why should I not pass credentials to the method? Thanks for the answer jro
Dejan.S
Passing credentials to the method causes unmasked credentials in either the body of the message (if it's a POST) or as parameters on the URL itself (if it's a GET). In both cases, the information is being sent in the clear and is bad form. Basic auth at least gets you some level of encoding (not encryption, mind you) and embeds the credentials in headers to the request.
jro
Ok, but I have to somehow find out which user it is that requests the web service in order to return the right info for each user. Would it be a good idea maybe to pass a guid/encrypted pass and then do a for each on all the users to find the right match, and that way get the right info?
Dejan.S
Depends on your implementation. I assume from your tags that this is built in asp.net. You have 3 options: ASMX (legacy), WCF, or roll-your-own (don't do this). My suggestion: go with WCF. ASMX will be "easier" to understand out of the gate, but WCF is where you should spend your time. Read up on "transport authentication" in WCF. That should get you started.
jro
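The mechanics the answer describes, as an added example that is not from the answer or the thread: the client puts base64(user:pass) in an Authorization header (encoding, not encryption, so it is only accepted over TLS), and the server decodes it, looks up the user, and compares against a salted hash in constant time. It is written in Python to show the HTTP-level behaviour independently of WCF; the user store, salt, and request dict shape are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-salt"  # a real store uses a random per-user salt (os.urandom)
USERS = {"dejan": (_SALT, _hash("correct horse", _SALT))}

def build_basic_header(username: str, password: str) -> str:
    """Client side: the Basic scheme is just base64("user:pass"), reversible by anyone."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_header(header: str):
    """Return (username, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password

def authenticate(request: dict):
    """Server side. request = {"scheme": "https" | "http", "headers": {...}} (constructed shape).
    Returns the authenticated username, or None so the caller can answer 401."""
    if request.get("scheme") != "https":
        return None  # credentials are only encoded, so refuse Basic outside TLS
    creds = parse_basic_header(request.get("headers", {}).get("Authorization", ""))
    if creds is None:
        return None
    username, password = creds
    # unknown users still pay for the hash so timing does not reveal valid usernames
    salt, expected = USERS.get(username, (_SALT, b""))
    if hmac.compare_digest(_hash(password, salt), expected):
        return username
    return None
```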