I am developing a web service that authenticates a user trying to access a web application. I'm new to web services and have seen a lot of different APIs and have started using JAX WS. I'm not sure if this is an alternative to JAXB or if it should be used with it.

Currently I have a test page where a user can enter their username and password, and this is then sent to the web service as strings (which obviously can't happen for security reasons) where I can check against a database. My problem is finding a way to send the password securely.

The reason I am not putting the authentication within the application is because there will be several applications all using the same database to authenticate users so a web service would be beneficial.

Also, I had hoped I would be able to pass the web service an XML file instead of a string, but it seems this is not possible?

Thanks

A: 

Use SSL. Passing an encrypted password is not any more secure (and arguably less secure) since anyone intercepting the transmission can call your web service again with the encrypted password and your web service is none the wiser.

Of course, in your web service you should be salting and hashing the password before storing it.

BenV