Security and authentication in web services

Suppose we have a website that uses a web service for all its functions (for example, to retrieve and update data from / to db), how does a web service authenticate requests?

As I understand it, on a traditional Java website, the user provides a username and password, and after checking, a jsessionid is assigned to the user (client browser). Each time the client browser asks the site about something, the site checks the jsessionid, ensuring that the user is registered and authenticated. Is there an equivalent web service? If so, then what?

+7
java web-services
3 answers

Typically for web services, the easiest solution is to use Basic Authentication. For something more complicated, an "API Key / Token" is sent with each request for authorization / authentication of users. Another solution is OAuth.

Twitter, for example, uses Basic Authentication and OAuth.

+5
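The token-per-request approach from the answer above, as an added example that is not part of the original thread: the service issues an HMAC-signed token once after the password check and then verifies it on every request, much as a site checks a jsessionid. The class name, token layout (`user:expiry.signature`) and demo key are assumptions made for illustration, and the header is assumed to travel over HTTPS.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example: hypothetical class and token layout, not code from the thread.
public class TokenAuthDemo {
    // Constructed demo key; a real service loads a random secret from protected configuration.
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    private static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }
    // Called once, after the username/password check has succeeded.
    static String issueToken(String user, long expiresEpochSec) throws Exception {
        String payload = user + ":" + expiresEpochSec;
        return payload + "." + sign(payload);
    }
    // Called on every request. Returns the user name, or null when the
    // request must be rejected (the service would answer HTTP 401).
    static String authenticate(String authorizationHeader, long nowEpochSec) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) return null;
        String token = authorizationHeader.substring("Bearer ".length());
        int dot = token.lastIndexOf('.');   // base64url never contains '.', so this is the separator
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        // Constant-time comparison, so timing does not reveal how much of the signature matched.
        boolean sigOk = MessageDigest.isEqual(
                sign(payload).getBytes(StandardCharsets.UTF_8),
                token.substring(dot + 1).getBytes(StandardCharsets.UTF_8));
        if (!sigOk) return null;            // tampered or forged: nothing in the payload is trusted
        int colon = payload.lastIndexOf(':');
        if (colon < 0) return null;
        long expires;
        try { expires = Long.parseLong(payload.substring(colon + 1)); }
        catch (NumberFormatException e) { return null; }
        return nowEpochSec < expires ? payload.substring(0, colon) : null;
    }
    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String header = "Bearer " + issueToken("alice", now + 900);
        System.out.println(authenticate(header, now));                            // fresh token
        System.out.println(authenticate(header + "x", now));                      // altered signature
        System.out.println(authenticate(header, now + 3600));                     // past expiry
        System.out.println(authenticate(header.replace("alice", "admin"), now));  // altered user
    }
}
```

Because the signature covers both the user name and the expiry time, the service needs no server-side session table to validate a request; revoking a token before it expires would require additional state.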

The world of web services is governed by WS-* standards.

See the WS-Security section:

The Wikipedia article gives a good overview at a high level; OASIS is the official home of the standards and provides detailed specifications.

+1

Perhaps your web service should be publicly available?

You may not have to worry about complex authentication schemes if you have no reason to allow public traffic to even reach the web service.

+1