Library tutorials & articles
Authentication for Web Services
Third Party Choices
When I suggest the idea of utilizing a third party to support authentication for a web service, I'm talking about Microsoft Passport or the Liberty Alliance Project. The premise behind the single sign-on functionality that is offered by these tools is quite simple. The first time that a user hits the web site, they will be prompted for their credentials. Then as the user nagivates from page to page, their credentials follow along. Not their password, you understand, but a token that can be used by the page to retrieve relevant information.
The problem with using third party services for web service validation lies in how web services can be used. Let's say that you have a web service that rates shipments (This is the web service that we'll be building in this series. Check out the Getting Started With Design link in the References section to the right for more details.) If people who use your service are your only clients, then using Passport or Liberty is feasible. But if your clients repackages your web service functionality and passes it on to their clients, there is a problem. Neither Passport nor Liberty have the ability to automatically 'passthrough' credentials. In other words, if your client requires their users to log in using Passport, they will have to write additional code in order to pass the Passport credentials to your service. Otherwise, the user would need to log in again to access the service, pretty much obliterating the concept of a single sign-on. While I expect that we will see tools like this added to the single sign-on arena in the near future, at the moment, it makes them ackward to use for some web services.
I am the owner of a small application development consulting company that specialized in the design and implementation of Internet-based applications. While there are others who can make a web site...
Related articles
Related discussion
-
Java RAD Training...
by fordendk (0 replies)
-
I'm a newbie! How these things affect us?
by ephraimgasel (0 replies)
-
Error Capture
by Slicksim (4 replies)
-
MOS Protocol - Anyone used it?
by alexnavarro38 (5 replies)
-
AJAX: SimpleWebServices is not defined
by Freon22 (2 replies)
Related podcasts
-
Introduction to Atlas
Get your feet wet with an introduction to Atlas. Atlas is the new part of the .NET framework specifically for web clients. Features include AJAX and web services support, new validation controls, behaviors, and an object orientation layer sitting on top of JavaScript.
Events coming up
-
Dec
8
December Silicon Valley Ruby Meetup
Moffett Field, United States
In a World of Middleware, Who Needs Monolithic Applications? by Jon Crosby With Rack emerging as the standard for composing web applications and services, most recently with Rails adoption, an architectural shift is taking place. Learn how to create next generation web services by reusing existing Rack middleware and supplementing with your own components and micro-frameworks like Sinatra. Bio : Jon likes music, the Open Web, Ruby, Erlang, Haskell, Objective-C, JavaScript and coffee.
I have enjoyed reading the article so far and I have a quick question. Isn't the interception of the security token almost as useful to a hacker as the interception of the original credentials? If so (even marginally) then why is it neccessary to go to such lengths to hide the login name and password, but not the token? Couldn't a hacker keep the token alive by using it regularly, therefore avoiding any expiration? Would it be possible to explore these issues, in the scope of the article?
Thanks,
Seamus
This thread is for discussions of Authentication for Web Services.