How to secure a webservice - could some expert advise?
- From: "thomas" <tom@xxxxxxx>
- Date: Fri, 13 Oct 2006 03:36:47 GMT
Hi everybody,
Here is the scenario: webservice and a windows client application.
Requirements:
1. Only authenticated and authorized users shall be able to call web
methods.
2. User names or passwords shall never be sent over http.
Constraints:
3. Webservice cannot use Windows or LDAP authentication - users and their
passwords are stored in a SQL database.
4. The use of x.509 certificates is not an option - too expensive,
distribution impractical. Does this eliminate WSE? Perhaps, but this level
of security is NOT necessary.
Note: although that would be nice, communication does NOT have to be
encrypted. When really needed, meaning when I have to start transmitting
credit card numbers etc, this perhaps could be accomplished using https.
Again, the solution does NOT have to be absolutely secure - it only has to
be "good enough".
I, of course, have some solutions in mind, but I would appreciate it if some
expert who has REAL experience in implementing similar solutions could
provide advice or share some thoughts.
Thank you,
Tomasz