Library tutorials & articles

Authentication for Web Services

  • Comments (2)
  • PDF
  • AddThis
By Bruce Johnson, published on 09 Mar 2003
Page 1 of 6
  1. Introduction
  2. Operating System Options
  3. Third Party Choices
  4. Roll Your Own Authentication
  5. The Choices We Made
  6. Our Process Flow

Introduction

Consider authentication of your web service to be like a door on your house. It needs to be wide enough to allow people to enter, but only if they've knocked first. Getting away from the cutesy analogies, authentication is the process of making sure that the person who is asking to use the web service is really the person that they claim to be. This is done by requiring the user (also known as the "principal") to provide a set of credentials. In return, they will receive a security token that can be used to access the server.

The credentials usually take the form of a user id and password. However, what is really required is everything necessary to uniquely identify the user. For example, in our sample web service, we require that a company code be supplied along with the user id and password. The reason for this additional information is that the data we use to rate a shipment is different for each company.
On the other hand, the security token that is returned is usually more conceptual than physical. It can take the form of a cookie placed on their browser, a session id stored on the serveror an actual string of characters. For our application, we are using a 33-character character string. The reason for our choice will be detailed later in this article. And before we get to that, let's look at the tools that are available to assist with the authentication process.

Comments

  1. Seamus Barrett
    16 Jul 2007 at 18:25
    Hi,
        I have enjoyed reading the article so far and I have a quick question. Isn't the interception of the security token almost as useful to a hacker as the interception of the original credentials? If so (even marginally) then why is it neccessary to go to such lengths to hide the login name and password, but not the token? Couldn't a hacker keep the token alive by using it regularly, therefore avoiding any expiration? Would it be possible to explore these issues, in the scope of the article?

    Thanks,
    Seamus





  2. Developer Fusion Bot
    01 Jan 1999 at 00:00

    This thread is for discussions of Authentication for Web Services.

Leave a comment

Sign in or Join us (it's free).

Related tags

web services
Bruce Johnson I am the owner of a small application development consulting company that specialized in the design and implementation of Internet-based applications. While there are others who can make a web site...

Related articles

Ask a question

Related discussion

Related podcasts

  • Introduction to Atlas

    Get your feet wet with an introduction to Atlas. Atlas is the new part of the .NET framework specifically for web clients. Features include AJAX and web services support, new validation controls, behaviors, and an object orientation layer sitting on top of JavaScript.

Events coming up

  • Dec 8

    December Silicon Valley Ruby Meetup

    Moffett Field, United States

    In a World of Middleware, Who Needs Monolithic Applications? by Jon Crosby With Rack emerging as the standard for composing web applications and services, most recently with Rails adoption, an architectural shift is taking place. Learn how to create next generation web services by reusing existing Rack middleware and supplementing with your own components and micro-frameworks like Sinatra. Bio : Jon likes music, the Open Web, Ruby, Erlang, Haskell, Objective-C, JavaScript and coffee.

Languages

Web Development

Frameworks & Architecture

Other major sections

Cancel
Want to stay in touch with what's going on? Follow us on twitter!