views:

92

answers:

4

Let's say we have a website that uses a web service for all of its functionality (i.e. retrieving and updating data from/to the db); how does the web service authenticate requests?

As I understand it, in a traditional Java "website" a user provides a username & password, and upon validation a jsessionid is assigned to the user (client browser). Every time the client browser asks the website for something, the site checks for the jsessionid, ensuring that the user is registered and authenticated. Is there a web services equivalent of this? If yes, what?

+1  A: 

Usually for web services the easiest solution is using Basic Authentication. For something more complex, an "API Key/Token" is passed with each request to authorize/authenticate the users. Another solution is OAuth.

Twitter, for example, uses Basic Authentication and OAuth.

Andrea
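To make the token-per-request idea concrete, here is an added example (not code from the answer above) of a web service minting an expiring, HMAC-signed token at login and verifying it on every request, which is the service-side analogue of checking a jsessionid. The secret, header name and token layout are assumptions for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example; a real service would load its secret from configuration.
SERVICE_SECRET = b"example-only-secret"
SIG_HEX_LEN = 64  # hex length of an HMAC-SHA256 digest


def issue_token(user: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a self-contained token of the form user.expiry.signature (assumed layout)."""
    expiry = (now if now is not None else int(time.time())) + ttl_seconds
    payload = f"{user}.{expiry}"
    sig = hmac.new(SERVICE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate_request(headers: dict, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated user, or None if the token is missing, tampered or expired."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    parts = token.rsplit(".", 2)
    if len(parts) != 3 or len(parts[2]) != SIG_HEX_LEN:
        return None
    user, expiry_str, sig = parts
    # Recompute the signature over exactly what was signed at issue time.
    expected = hmac.new(SERVICE_SECRET, f"{user}.{expiry_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot learn the signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        expiry = int(expiry_str)
    except ValueError:
        return None
    current = now if now is not None else int(time.time())
    if expiry < current:
        return None  # expired: the client must log in again
    return user
```

Because the signature covers the user and expiry, a client that discovers the service's address from the JavaScript cannot forge or extend a token without the server secret; it can only replay one until it expires, which is why short lifetimes and TLS matter.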
A: 

The web service world is governed by the ws-* standards.

See WS-Security:

The wikipedia article gives a nice high-level overview, oasis is the official home of the standards, and provides the detailed specifications.

crowne
A: 

Does your web service even need to be publicly accessible?

You might not need to worry about complicated authentication schemes if there is no reason to allow public traffic from even reaching the web service.

matt b
While not exactly "publicly" available, there are a couple of situations that may be security issues. For example, let's say the web site uses JavaScript (i.e. DWR) or Flex apps to communicate directly with the web service, rather than through the website. While the service is not "publicly" available, a decent user can figure out from the JavaScript or Flex at the very least the web service's address and try to misuse that information. This is the issue I'm curious about.
King
Since JavaScript and Flex are apps run on the client, this would mean that your web service *is* publicly available.
matt b
A: 

This link should give you a good introduction. Look through chapters 4 through 6. HTH.

CoolBeans