• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Web service Security

 
Ranch Hand
Posts: 55
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I am new to web services. I would like to know if it is required or optional to do authentication while invoking a web service.

Thank you,
-Shruti
 
Ranch Hand
Posts: 2198
1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi!
It depends on the web service you are trying to call. If the web service require authentication, then the client must supply authentication credentials.
It is optional to implement authentication in a web service - you can have web services without any kind of authentication. Authentication may not be necessary if the web service is published to a private network.
Best wishes!
 
Shruti Sharma
Ranch Hand
Posts: 55
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks a lot for the reply! How does client know about the credentials? Are these credentials provided by the web service we want to connect to? Where are these credentials stored?

Thanks again,
-Shruti
 
Rancher
Posts: 1337
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The credentials are stored on the server where the WS runs. Of course the WS does not give them out - the client must know them beforehand. Wouldn't be much security otherwise, would it?
 
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

just a follow up question. if the the WS-Security implementation uses Keys. how would the service know which client is accessing him. I mean if each of the client has different key (unique for everyone) and the service has only one service.key to signed all the clients. please enlighten.

thanks.
 
Ivan Krizsan
Ranch Hand
Posts: 2198
1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi!
There are two options available (as far as I know) concerning keys:
- If you use a symmetric cipher, then the clients and server share a common secret key which can be used to encrypt/decrypt and/or sign messages.
- If you are using an asymmetric cipher, then the server must have the public keys of all the clients, in order to be able to determine if a client's private key has been used to encrypt and/or sign some data.
Hope this answers some of your questions!
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
As mentioned in the other topic where you asked about this, encryption is not the same as authentication. If you need to authenticate, then you should use a UsernameToken in addition to encrypting.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic