views:

120

answers:

4

I'm interested to know what methods people use to secure their webservices from unauthorized web service consumers.

+1  A: 

I usually require either a user id/password to be sent each time, or return a token from the first authenticated connection that can be used subsequently.

Nothing fancy. Pretty similar to standard web app login.

dommer
+1  A: 

I've used both SOAP headers and method parameters to pass user credentials -- .NET makes using the SOAP headers pretty easy, but I had issues with this using Java (several months back). I also do some IP-based filtering if the service is not intended for client (browser) use, but rather from backend web servers. Public, browser-consumable web services are often protected by session cookies -- i.e., they require a valid logon to the web site, then the standard session authentication mechanism is used for requests via AJAX to web services.

tvanfosson
+1  A: 

There is a protocol specifically for web services security, WS-Security. I've used parts of it in the past, but at the time there was not a lot of support for it in .Net, so it was a lot of work.

Currently with .Net I use SOAP Extension Headers. I have one web service call to authenticate and get a session token, and then include that token in a SOAP header for every subsequent call, somewhat similar to this example. Of course all the requests must travel over TLS to keep them from being compromised.

sipwiz
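A minimal version of the authenticate-once, token-in-a-SOAP-header flow described in this answer and the first one, as an added example in Python (not the answerer's .NET code); the header namespace, user table and in-memory session store are assumptions, and the token is only safe because the envelope travels over TLS:

```python
import secrets
import time
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted envelopes in production

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"   # assumption: hypothetical namespace for the custom header
TOKEN_TTL = 900                # seconds a session token stays valid

# Assumptions: a constructed user table and an in-memory session store
# (token -> (user, expiry)). Real code would verify a salted password hash.
USERS = {"alice": "s3cret"}
SESSIONS = {}


def issue_token(user, password, now=None):
    """The one authenticating call: verify credentials, mint a random session token."""
    now = time.time() if now is None else now
    if not secrets.compare_digest(password, USERS.get(user, "")):
        return None
    token = secrets.token_urlsafe(32)          # 256 random bits: not guessable or enumerable
    SESSIONS[token] = (user, now + TOKEN_TTL)
    return token


def build_envelope(token, body_xml):
    """Client side: carry the token in a SOAP header instead of a parameter on every method."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
            f'<auth:SessionToken xmlns:auth="{AUTH_NS}">{token}</auth:SessionToken>'
            f'</soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')


def authenticate_request(envelope, now=None):
    """Server side: return the user bound to a valid, unexpired header token, else None."""
    now = time.time() if now is None else now
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return None
    el = root.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}SessionToken")
    if el is None or not el.text:
        return None                            # missing header: reject, never fall back
    token = el.text.strip()
    entry = SESSIONS.get(token)
    if entry is None:
        return None                            # unknown or revoked token
    user, expiry = entry
    if now >= expiry:
        SESSIONS.pop(token, None)              # expired: drop it so it cannot be replayed later
        return None
    return user
```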
A: 

You can use network appliances such as IBM's DataPower or Vordel if you don't want to handle it in your own application.

jm04469