Web Service Authentication - which to choose?

J

Jonah Olsson

Dear All,

I've spent several hours googling the net for articles about Web Service
authentication - and yes, I found a lot :)
What I also found was that almost every described method I found had people
saying it's bad, and people saying it's good.

As the subject says, I'm having big trouble choosing the most accurate for
my application. Here's my thoughts so far:

The application is on shared hosting, so Basic authentication over SSL can
be eliminated since I can't disable Anonymous Access.

I want an easy, but secure way for our customers to gain access to the web
service. Also, I don't know what platform they're using, .NET, Linux etc.,
so Digest authentication or WS-Security might not be a good way since it's
not widely supported. (Correct me if I'm wrong)

The criteria made up on this page matches exactly ours:
http://www.developersdex.com/gurus/articles/146.asp?Page=5

I don't like idea of creating a login method with a token sent back at all.
This requires several round trips to the server when all I want is as little
round trips as possible. However, sending username and password with each
method call to validate the user, requires round trips to the SQL server as
well.
Web Services using sessions/HTTP-cookies seems non-secure since the session
might be hijacked (and token methods too). In this case sending username and
password for each method call sounds better.

Does this leave us with custom SOAP headers with/without SSL and username
and password for each call? What's left? Any ideas?


Thanks!

Regards,
Jonah Olsson
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top