views: 76

answers: 3

Hi

I am looking at this tutorial http://www.codeproject.com/KB/cpp/authforwebservices.aspx and I am wondering what the reason for using authentication through SOAP is. Like, why not just pass the username and password through the parameters instead?

Is it more secure to do it the way the guy does in the tutorial versus just passing it through as parameters?

Thanks

+2  A: 

Because there are standards for authenticating WS-* SOAP Based Web Services.

WS-Security is the culprit at work here.

It allows for anything from username/password token authentication to X.509 authentication. You can also use the username/password or X.509 to encrypt the body of the SOAP message so that your information is harder to get at.

As a side note, .NET 2.0 has Web Service Extensions (WSE) 3.0 for this so you don't have to hand roll your own (which is what the author of your article did). In .NET 3.5 you would use WCF which has support for WS-Security built in.

Justin Niessner
You got any tutorials with WCF and this built-in security? I also still don't see why it is more secure. Could you not encrypt the username/password and still pass it in as a parameter?
chobo2
Here's a quick WCF tutorial that covers all the different methods for securing web services with WS-Security (it also discusses WHY you would want to): http://www.theserverside.net/tt/articles/showarticle.tss?id=SecuringWCFService
Justin Niessner
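As an added illustration (not from the thread, the linked tutorial, or WSE/WCF itself), this builds the WS-Security UsernameToken the answer above mentions, in its PasswordDigest form, together with the receiving side's check: the password never goes on the wire, and the nonce plus timestamp let the service refuse a replayed header, which a plain username/password parameter cannot offer. It assumes Python, the OASIS WS-Security 1.0 namespace URIs, and a constructed credential store; SHA-1 is what the profile specifies, and the token still belongs inside TLS or a signed/encrypted message.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Namespace / type URIs from the OASIS WS-Security 1.0 UsernameToken Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_username_token(username, password, nonce=None, created=None):
    """Client side. Fixed nonce/created are only for tests; normally random bytes and 'now'."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

def to_soap_header(tok) -> str:
    """Render the wsse:Security header; note the cleartext password is not in it."""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{tok["Username"]}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{tok["PasswordDigest"]}</wsse:Password>'
            f'<wsse:Nonce>{tok["Nonce"]}</wsse:Nonce><wsu:Created>{tok["Created"]}</wsu:Created>'
            '</wsse:UsernameToken></wsse:Security>')

class UsernameTokenVerifier:
    """Service side: recompute the digest, bound clock skew, and reject reused nonces."""
    def __init__(self, credentials: dict, max_skew=timedelta(minutes=5)):
        self.credentials, self.max_skew, self.seen = credentials, max_skew, set()

    def verify(self, tok, now=None) -> bool:
        password = self.credentials.get(tok["Username"])
        if password is None:
            return False
        created = datetime.strptime(tok["Created"], TS_FMT)
        now_dt = (datetime.strptime(now, TS_FMT) if now
                  else datetime.now(timezone.utc).replace(tzinfo=None))
        if abs(now_dt - created) > self.max_skew or tok["Nonce"] in self.seen:
            return False  # stale timestamp or replayed nonce
        expected = password_digest(base64.b64decode(tok["Nonce"]), tok["Created"], password)
        if not hmac.compare_digest(expected, tok["PasswordDigest"]):
            return False
        self.seen.add(tok["Nonce"])  # production: an expiring cache bounded by max_skew
        return True
```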
+1  A: 

Well, no, the way that guy is doing it does not add any extra security at all. However, authentication via SOAP headers has several advantages when implemented correctly, using the WS* stack. The WS* stack is heavily based on X.509 certificates used for signing and encryption. One of the main advantages of this is that identities can be propagated from one service to another, without having to hold on to sensitive information such as username and password.

klausbyskov
You got any tutorials (in .NET C#) that show this?
chobo2
A: 

Check out SOAP Headers, which can be signed and encrypted when needed, and are supported by any (self-respecting) SOAP development environment...

Bob Swart