Http Header authentication basic vs soap header WS-security?

  • Question

  • Which one is better or more secure? Easier to implement for clients (.net and non-.net)?
    Basically, what are the pros and cons?

    Http Header authentication basic is consumed more on xml webservices (asmx) and WS-security is more convenient for WCF web services. But my client asks me if they can use basic authentication. I need to convince them with valid arguments. They are non-.net clients.

    Sample:

    **http request auth:**

    Accept-Encoding: gzip,deflate
    Content-Type: application/soap+xml;charset=UTF-8;action="url"
    **Authorization: Basic asmjasdjkengldflg==**
    Content-Length: 2053
    Host: localhost:44300
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

    **soap header ws-security:**

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
      <soap:Header>
        <wsse:Security soap:mustUnderstand="true"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-D304B11AEEB9C8E06C141036194789215">
            <wsse:Username>myUser</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">myPass</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">aye7UQXblrmENx6pbzxQdQ==</wsse:Nonce>
            <wsu:Created>2014-09-10T15:12:27.892Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soap:Header>
      <soap:Body><!-- body omitted from the post --></soap:Body>
    </soap:Envelope>


    "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."

    Tuesday, October 7, 2014 3:27 PM
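    The two samples above carry the same credential in different places, and a server has to check them differently. The following is an added example, not code from the original post, WCF or any Microsoft library: a small Python sketch of the server-side check for each carrier. HTTP Basic is decoded and compared against a user store; the WS-Security UsernameToken is additionally checked for freshness (wsu:Created within a clock-skew window) and replay (a nonce is accepted once per window), and both PasswordText (as in the question) and PasswordDigest are supported. The user store `USERS`, the fixed clock `DEMO_NOW`, and the helper names `basic_header`, `build_username_token` and `UsernameTokenVerifier` are constructed for this example; the namespace URIs and the nonce and timestamp values used in the test come from the question's sample.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

USERS = {"myUser": "myPass"}  # constructed demo store; a real service keeps salted hashes
DEMO_NOW = datetime(2014, 9, 10, 15, 12, 30, tzinfo=timezone.utc)  # fixed "server clock"

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT, PASSWORD_DIGEST = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison; encoded so non-ASCII input cannot raise."""
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_header(user: str, password: str) -> str:
    """Client side of HTTP Basic: 'Basic ' + Base64(user ':' password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_auth(headers: dict) -> str | None:
    """Server side of HTTP Basic. The raw password rides on every request and nothing
    binds it to this message, so secrecy and replay resistance rest on TLS alone."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    return user if expected is not None and _eq(expected, password) else None


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce || created || password))."""
    data = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_username_token(user: str, password: str, nonce_b64: str, created: str,
                         digest: bool = True) -> str:
    """Client side: SOAP 1.2 envelope with a wsse:UsernameToken (constructed sample)."""
    ptype = PASSWORD_DIGEST if digest else PASSWORD_TEXT
    pw = password_digest(nonce_b64, created, password) if digest else password
    return (f'<soap:Envelope xmlns:soap="{SOAP12}"><soap:Header>'
            f'<wsse:Security soap:mustUnderstand="true" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{ptype}">{pw}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')


class UsernameTokenVerifier:
    """Server side of the UsernameToken: password check plus the freshness and replay checks."""

    def __init__(self, max_skew: timedelta = timedelta(minutes=5), now: datetime | None = None):
        self.max_skew, self._now = max_skew, now  # 'now' is injectable for tests
        self.seen_nonces: dict[str, datetime] = {}  # nonce -> time it may be forgotten

    def verify(self, envelope_xml: str) -> str | None:
        now = self._now or datetime.now(timezone.utc)
        token = ET.fromstring(envelope_xml).find(
            f"{{{SOAP12}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            return None
        user = token.findtext(f"{{{WSSE}}}Username") or ""
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce, created = token.findtext(f"{{{WSSE}}}Nonce"), token.findtext(f"{{{WSU}}}Created")
        expected = USERS.get(user)
        if pw_el is None or nonce is None or created is None or expected is None:
            return None
        try:  # Freshness: Created must lie within max_skew of the server clock.
            created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
        except ValueError:
            return None
        if abs(now - created_dt) > self.max_skew:
            return None
        # Replay: forget nonces whose window has passed, then refuse any nonce seen before.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if nonce in self.seen_nonces:
            return None
        ptype = pw_el.get("Type", PASSWORD_TEXT)
        if ptype == PASSWORD_DIGEST:
            ok = _eq(pw_el.text or "", password_digest(nonce, created, expected))
        elif ptype == PASSWORD_TEXT:  # the question's sample: clear text, so TLS is mandatory
            ok = _eq(pw_el.text or "", expected)
        else:
            return None
        if ok:
            self.seen_nonces[nonce] = created_dt + self.max_skew
        return user if ok else None
```

    The point the sketch makes for the client discussion: with Basic, the server can only decode and compare, so everything else (confidentiality, replay, binding to the message) is left to TLS; with a UsernameToken the server also gets a timestamp and nonce to enforce, and with PasswordDigest the password itself never crosses the wire. With PasswordText, as in the question's sample, the token is no stronger than Basic without TLS. A real deployment would share the nonce cache across server instances and bound its size.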

Answers

  • Hi emil_tr,

    For the difference between the Http Header and soap header, please try to refer to the following information which comes from here:

    The SOAP headers contain application-specific information related to the SOAP message. They typically contain routing information, authentication information, transaction semantics etc. These are specific to the SOAP message and are independent of the transport that SOAP uses (in the scope of this post: HTTP).

    HTTP headers define the operating parameters of the HTTP transaction, like the content type of what's getting transmitted, the content length of it, cache directives for clients or proxies etc. These are specific to HTTP and are independent of what actually gets transmitted with HTTP (in this case the SOAP XML).

    You could of course use either HTTP headers or SOAP headers to provide application-specific information about the SOAP message. The SOAPAction HTTP header was a move in this direction for SOAP 1.1. Although it was useful for servers to efficiently route the messages without the need to look inside the SOAP XML (sometimes impossible if the message is encrypted and only the final receiver knows how to decrypt it), it mostly caused confusion and was later removed in SOAP 1.2 (and in its place is an optional action parameter on the application/soap+xml media type, which again is a value in the HTTP headers... oh well... :D).

    As a conclusion, SOAP headers and HTTP headers are not the same. Although to some extent you might substitute SOAP headers with user-defined custom HTTP headers, it is most of the time a bad idea.

    If the data is for the web service then it should be placed inside the SOAP headers. HTTP headers usually stop at the web server, while the SOAP message in its entirety will be passed downstream to the ultimate receiver who needs the data (maybe even passing through more intermediaries who might also need it).

    Best Regards,
    Amy Peng



    Thursday, October 9, 2014 7:14 AM
    Moderator

All replies

  • So basically there aren't significant advantages of one over the other, just a different way of usage or purpose. I am using SOAP 1.2; can I still implement http header authentication?

    "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."

    Thursday, October 9, 2014 2:33 PM
  • Hi emil_tr,

    Yes, we can implement http header authentication. Please try it.

    Thanks.

    • Proposed as answer by dns jinung Thursday, October 16, 2014 10:14 AM
    Thursday, October 16, 2014 10:14 AM