We have a service that processes authorization based on username and password. Instead of making the username and password part of the call, we put it in the SOAP header.
In a typical scenario, the web service calls the authorization service at the start of execution to check if the caller is allowed to call. The problem is that some of these web services call each other, and this will mean that the user rights are checked with each sub-boot, and this can be very expensive.
What I thought about getting the authorization service to return the security token after the first call. Then, instead of calling the authorization service, each time the web service can locally check the security header.
The security header looks something like this (C # code is truncated to illustrate the basic concept):
public sealed class SecurityHeader : SoapHeader
{
public string UserId;
public string Password;
public DateTime TimeStamp;
public string SecurityToken;
}
The general idea is that SecurityHeader is checked on every call. If it exists, it has expired, and the SecurityToken is valid, then the web method works as usual. Otherwise, it will either return an error or try to re-authorize and create a new SecurityHeader
SecurityToken is based on the salt hash of UserId, Password, and TimeStamp. Salt changes every day to prevent repetitions.
, , , - A, - B. A , , , B . , - -, -, .. , A, B, , A, D. - ( ) . (.. A, B).
, . , .
Edit:
, WS-Security SAML .. . , WS-Security. , ( ). - , , . , . , .
, , , .