Communicating with a Secured Web Service

My Java Web Application communicates with the back-end through web services.

All the back-end web services are secured and require me to send either a user name and password or a BASIC authentication string in the SOAP headers for every call.

In order to send the BASIC authentication string for every call, I'm thinking of saving the authentication string in the session.

Could anyone guide me on whether it is safe to save the authentication string in the session?

Thanks
Swetha
Well, I figured out that this question is really not related to web services, but is about handling user credentials in a web app. However, I'm posting the solution I found, just in case someone else needs it.

Tradeoffs of using basic authentication:

GET /secured/secure.html HTTP/1.1
.
.
Authorization: BASIC aG10aGVyZTplbmNvZGVk

The Authorization field is in plaintext and, as we have seen, can be captured by a third party using a network monitor or any one of a number of other tools.

Once this plaintext is captured, the third party can either decode the user ID and password and attempt to use this information to log on to the system or replay the authorization string to retrieve pages from the server.

Solution:
To protect this information, the only real option is to use SSL or an equivalent secure protocol. Using basic authentication over an unsecured connection is extremely hazardous and allows a third party to possibly intercept the request and decode the user ID and password.

Reference:
http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci997878_mem1,00.html?ShortReg=1&mboxConv=searchEnterpriseDesktop_RegActivate_Submit&

The proper way to secure a SOAP WS involves neither SSL nor Basic Authentication but WS-Security (which all major SOAP stacks support). The other approaches are less secure and have architectural drawbacks.