
web service - security

 
Rama Raghavan
Ranch Hand
Posts: 116
When I make a web service available over the internet, I presume the interface should also (almost always) expect credentials from the caller.
1. Since it is a stateless communication, should every call pass credentials and the server validate it at every invocation, or is there any form of session ID returned with the first call for use by subsequent calls?
2. Is SSL sufficient to secure credentials when making web services available on the internet?
Just to get a pulse of industry best practices.
TIA -
Rama
 
Lasse Koskela
author
Sheriff
Posts: 11962
1. Since it is a stateless communication, should every call pass credentials and the server validate it at every invocation, or is there any form of session ID returned with the first call for use by subsequent calls?

Yes, you need to pass either credentials or a "custom" session ID. That is, unless your platform provides proprietary session management for Web Services. I might be wrong, though, as my experience on Web Services platforms is limited.

2. Is SSL sufficient to secure credentials when making web services available on the internet?

Yes, SSL is fine for that purpose and already has industry-wide support.
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Actually, there is an industry-standard set of protocols for passing credentials called WS-Security that explicitly allows credentials (in a number of formats) to be passed inside the SOAP message itself. The problem with just using SSL is that it's tied to a particular transport -- which is OK if you have no Web Services Intermediaries, but problematic if you move your SOAP message from one transport to another.
Kyle
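To make the message-level versus transport-level distinction concrete, here is an added example (editor's illustration, not code from this thread or from the IBM toolkit mentioned below) of the WS-Security UsernameToken that Kyle refers to: the client puts a digest of the password, a nonce and a creation timestamp inside the SOAP header, and the server validates that header on every call, which also answers Rama's first question about passing credentials per invocation. The credentials travel with the message rather than with the TLS connection, so an intermediary can forward the envelope over another transport without stripping them. It is written in Python so that it runs stand-alone; the `alice` user store, the `getQuote` body and the fixed nonce and timestamp are constructed sample values. The digest is Base64(SHA-1(nonce + created + password)) because that is what the UsernameToken profile specifies, not because SHA-1 is a good general-purpose choice.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Namespaces from the OASIS WSS 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the UsernameToken profile."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_request(username: str, password: str, created: str = None, nonce: bytes = None) -> str:
    """Client side: wrap a (constructed) body in a SOAP envelope carrying a wsse:UsernameToken.
    The clear-text password never leaves the client; only the digest does."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    digest = password_digest(nonce, created, password)
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getQuote xmlns="urn:example">IBM</getQuote></soap:Body>
</soap:Envelope>"""


class UsernameTokenValidator:
    """Server side: every call is authenticated from its own header (stateless), with a
    timestamp window and a nonce cache so a captured envelope cannot simply be replayed."""

    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users = users            # username -> password (constructed sample store)
        self.seen_nonces = set()      # would be a bounded/shared cache in a real deployment
        self.max_skew = max_skew

    def validate(self, envelope_xml: str, now: datetime = None) -> str:
        """Return the authenticated username or raise ValueError with the rejection reason."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if token is None:
            raise ValueError("missing UsernameToken")
        username = token.findtext("wsse:Username", default="", namespaces=NS)
        digest = token.findtext("wsse:Password", default="", namespaces=NS)
        nonce_b64 = token.findtext("wsse:Nonce", default="", namespaces=NS)
        created = token.findtext("wsu:Created", default="", namespaces=NS)
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            raise ValueError("timestamp outside window")
        if nonce_b64 in self.seen_nonces:
            raise ValueError("replayed nonce")
        # Unknown users still go through the digest compare, so timing does not reveal them.
        password = self.users.get(username, "")
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected, digest):
            raise ValueError("bad credentials")
        self.seen_nonces.add(nonce_b64)   # record only after a successful check
        return username


def _outcome(fn, *args, **kwargs) -> str:
    try:
        return fn(*args, **kwargs)
    except ValueError as err:
        return str(err)


def demo_exchange() -> dict:
    """Run the client/server exchange against constructed data and return each outcome."""
    server = UsernameTokenValidator({"alice": "correct horse"})
    created = "2024-01-01T12:00:00Z"
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    good = build_request("alice", "correct horse", created=created, nonce=bytes(range(16)))
    results = {"fresh": server.validate(good, now=now)}
    results["replay"] = _outcome(server.validate, good, now=now)
    bad = build_request("alice", "wrong", created=created)
    results["bad_password"] = _outcome(server.validate, bad, now=now)
    stale = build_request("alice", "correct horse", created=created)
    results["stale"] = _outcome(server.validate, stale, now=now + timedelta(hours=1))
    return results


if __name__ == "__main__":
    print(demo_exchange())
```

The validator is what makes "credentials on every call" workable without a session: nothing is stored per client except the nonces already accepted inside the time window. Message-level tokens like this are usually still sent over SSL/TLS, since the digest protects the password but not the rest of the envelope.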
 
Lasse Koskela
author
Sheriff
Posts: 11962
Originally posted by Kyle Brown:
Actually, there is an industry-standard set of protocols for passing credentials called WS-Security ...

Are there implementations (toolkits/SDKs) available for WS-Security?
 
Kyle Brown
author
Ranch Hand
Posts: 3892
See the IBM Web Services Toolkit for an implementation of WS-Security.
Kyle
 
Lasse Koskela
author
Sheriff
Posts: 11962
Originally posted by Kyle Brown:
See the IBM Web Services Toolkit for an implementation of WS-Security.

Thanks. I actually bumped into the same reference (to WSTK) a couple of hours ago in an IBM article on the Web Services Gateway...
If I use WSTK for security and later on decide to switch the provider, how much code changes am I facing?
 