REST And SOAP Security

  • Question

  • Hi,

    I have created a few services which can be used via SOAP, REST/XML and REST/JSON over https. Everything works well.
    I would like to secure them with login/password from my database so as not to allow anonymous users.

    I am totally lost; I have read a lot of things and I am more confused.

    Does someone have an easy solution regarding my problem? How can I implement it to secure my services?

    Best regards

    Dave

    Wednesday, April 6, 2011 9:27 AM

Answers

  • It depends which library you used for REST. Here is one way:

    http://weblogs.asp.net/cibrax/archive/2009/03/20/custom-basic-authentication-for-restful-services.aspx


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    • Marked as answer by Yi-Lun Luo Tuesday, April 12, 2011 9:03 AM
    Thursday, April 7, 2011 2:30 AM
  • Hello, if you want to support username/password authentication, in most cases you need different solutions for SOAP and REST. For SOAP services, you can use WCF's built-in message security with a custom username/password validator. You can also use WIF if you need to support federation in the future. For REST services, generally you will leverage the Authorization HTTP header. First the client makes a normal request to the service (usually via HTTPS to protect the credential) to perform authentication (for example, put the username/password in the request body). After that, the service generates a token and sends it to the client. In future requests, the client includes the token in the Authorization header. The token should be well designed so it can't be hacked. For example, it should be invalidated after a few hours.
    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    Windows Azure Technical Forum Support Team Blog
    • Marked as answer by Yi-Lun Luo Tuesday, April 12, 2011 9:02 AM
    Friday, April 8, 2011 2:13 AM
