tags:

views:

89

answers:

2
+4  Q: 

Persisting web service passwords

I'm not a security guy so any help on this would be greatly appreciated.

I have a large number of third-party field devices that have remote methods that can be called across xml-rpc using ssl. For each method call, a username and password must be transmitted in plain text as parameters along with any other method parameters. I have no control over the devices or their implementation.

I'm currently writing a web application that a user would log into and then have access to some number of those field devices. The user doesn't need to know what devices they are connecting to, they just need the data. As such, I need to persist the username and password for each device in a database where they can be retrieved when an rpc call needs to be made.

How do I encrypt my device service passwords so that they can be decrypted when a call needs to be made? How do I decrypt the password when a call needs to be made?

I'm using Java and Spring for the application.

Note, I am not asking how to persist the user's login password.

A: 

We solved similar problems with this code.

You would use the password the users log into your web application with as key when encrypting the usernames and passwords for the other services.

jonalv  2009-11-19 16:46:24
Each service has one username/password pair. There is a many-to-many relationship between users and the services they will access. So I can't use one user's password to encrypt the service username and password because another user will most likely need access to that service.
LostHisMind  2009-11-19 17:02:16
+1  A: 

If I have this right, there is only one username/pswd per field device (though each is different and there are many field devices).

Build a secure proxy service with access to all device passwords. The device passwords can be stored encrypted with proxy service's public key. Your web app presents user key to proxy service which (assuming satisfied) talks to field devices on their behalf. CryptoApi or one of its wrappers should be all you need.

You don't comment on numbers, but given proxy would be stateless, it should scale ok.

 2009-11-19 19:57:51

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?