
Communicating with a Secured Web Service  RSS feed

 
swetha ma
Greenhorn
Posts: 6

My Java Web Application communicates with the back-end through web services.

All the back-end web services are secured and require me to send either a user name and password or a BASIC authentication string in SOAP headers for every call.

In order to send the BASIC authentication string for every call, I'm thinking of saving the authentication string in the session.

Could anyone guide me on whether it is safe to save the authentication string in the session?

Thanks
Swetha
 
swetha ma
Greenhorn
Posts: 6
Well, I figured out that this question is really not related to web services, but is about handling user credentials in a web app. However, I'm posting the solution I found, just in case someone else needs it.

Tradeoffs of using basic authentication

GET /secured/secure.html HTTP 1.1
.
.
Authorization: BASIC aG10aGVyZTplbmNvZGVk

Authorization field is in plaintext and, as we have seen, can be captured by a third party using a network monitor or any one of a number of other tools.

Once this plaintext is captured, the third party can either decode the user ID and password and attempt to use this information to log on to the system or replay the authorization string to retrieve pages from the server.

Solution:
To protect this information, the only real option is to use SSL or an equivalent secure protocol. Using basic authentication over an unsecured connection is extremely hazardous and allows a third party to possibly intercept the request and decode the user ID and password.

Reference:
http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci997878_mem1,00.html?ShortReg=1&mboxConv=searchEnterpriseDesktop_RegActivate_Submit&
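The point of the post above is that the Basic Authorization header is only Base64-encoded, so anyone who reads it reads the credentials, and the only protection is the transport. The following added example (not from this thread, and not the original poster's Java application) shows both halves in Python: it builds a Basic header the way a client would, recovers the user ID and password from a captured header value to demonstrate that the encoding is reversible, and wraps the header in a check that refuses to attach Basic credentials to anything but an https endpoint. The names `basic_auth_header`, `decode_basic_auth_header` and `attach_basic_auth`, and the sample user "alice" with password "s3cret", are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlparse


def basic_auth_header(username: str, password: str) -> str:
    """Build the value of an HTTP Basic 'Authorization' header (RFC 7617)."""
    if ":" in username:
        # RFC 7617 forbids ':' in the user-id because it separates the two fields
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(header_value: str) -> tuple[str, str]:
    """Recover the user-id and password from a captured Basic header value.

    Base64 is an encoding, not encryption: no key is needed, so anyone who can
    read the header on the wire can read the credentials.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, pwd = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic token: missing ':' separator")
    return user, pwd


def attach_basic_auth(endpoint_url: str, username: str, password: str) -> dict[str, str]:
    """Return the request headers for a call to endpoint_url.

    Refuses to put Basic credentials on a plaintext URL: this is the check that
    enforces the "only real option" from the post, TLS on every call.
    """
    scheme = urlparse(endpoint_url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {scheme!r}; use https")
    return {"Authorization": basic_auth_header(username, password)}


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    header = basic_auth_header("alice", "s3cret")
    print("on the wire:", header)
    print("recovered by anyone who sees it:", decode_basic_auth_header(header))
    for url in ("https://backend.example/ws/orders", "http://backend.example/ws/orders"):
        try:
            print(url, "->", attach_basic_auth(url, "alice", "s3cret"))
        except ValueError as err:
            print(url, "->", err)
```

Storing the header value in the HTTP session does not change any of this: the session only decides how long the credentials live server-side, while the header still crosses the network in a recoverable form on every call, so the https check is the part that matters.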

 
Ulf Dittmer
Rancher
Posts: 42972
The proper way to secure a SOAP WS involves neither SSL nor Basic Authentication but WS-Security (which all major SOAP stacks support). The other approaches are less secure and have architectural drawbacks.
 