How do i authenicate users with SOAP ?
Will i have the user require to send his username/pass with every SOAP request and i authenticate him against the database ?
Doesn't that seem to cause unnecessary queries ?
+3
A:
An easier way would be to authenticate on the first query, build a session record on the server side containing the remote IP address and a token that you give to the client as an authToken. Then have the client pass this authToken in future queries. This authToken has to match the internal session data you keep about the client, but would allow you to avoid having to make round-trips to the database just to do authentication.
That said, @Marcus Adams has a good point below with regard to stateless-ness. There are people out there pushing all sorts of SOAP security models. WS-Security is the current state of the art, here. They all work by putting authentication information in the SOAP header - after all, that's why a SOAP message contains both a header and a bodypart.
Chris Kaminski
2010-04-29 13:34:01
This is the usual way as far as I know. It would also allow the sign-in to have a SSL encrypted endpoint (to obtain the key) and use non-encrypted endpoints for data requests (if the data may be send unprotected of course).
extraneon
2010-04-29 13:51:00
+1
A:
Having the user send the username and password with each request is the way that I've seen most SOAP interfaces implemented. Actually, I've not seen any other implementation other than the API key idea, which is just trading a Username and Password for some other token.
SOAP interfaces should be stateless, like HTTP, so this seems like a normal consequence.
Marcus Adams
2010-04-29 13:34:50
+2
A:
Define a custom SOAP header and exchange authentication credentials in the header. Read values from header and authenticate.
this. __curious_geek
2010-04-29 13:35:20