chobo2

Reputation: 85855

Why use SOAP as authentication in a web service?

I am looking at this tutorial http://www.codeproject.com/KB/cpp/authforwebservices.aspx and I am wondering what the reason for using authentication through SOAP is? Like why not just pass the username and password through the parameters instead?

Is it more secure to do it like the way the guy is in the tutorial versus just passing it through as parameters?

Thanks

Upvotes: 1

Views: 454

Answers (3)

Bob Swart

Reputation: 1298

Check out SOAP Headers, which can be signed and encrypted when needed, and are supported by any (self-respecting) SOAP development environment...

Upvotes: 0

Klaus Byskov Pedersen

Reputation: 121037

Well, no, the way that guy is doing it does not add any extra security at all. However, authentication via SOAP headers has several advantages when implemented correctly, using the WS* stack. The WS* stack is heavily based on X.509 certificates used for signing and encryption. One of the main advantages of this is that identities can be propagated from one service to another, without having to hold on to sensitive information such as username and password.

Upvotes: 1

Justin Niessner

Reputation: 245479

Because there are standards for authenticating WS-* SOAP Based Web Services.

WS-Security is the culprit at work here.

It allows for anything from username/password token authentication to X.509 authentication. You can also use the username/password or X.509 to encrypt the body of the SOAP message so that your information is harder to get at.

As a side note, .NET 2.0 has Web Service Extensions (WSE) 3.0 for this so you don't have to hand roll your own (which is what the author of your article did). In .NET 3.5 you would use WCF which has support for WS-Security built in.

Upvotes: 3
