King

Reputation: 71

Security and authentication in web services

Let's say we have a website that uses a web service for all of its functionality (i.e. retrieving and updating data from/to db), how does the web service authenticate requests?

As I understand it, in a traditional Java "website" a user provides a username & password, and upon validation a jsessionid is assigned to the user (client browser). Every time the client browser asks the website for something, the site checks for the jsessionid, ensuring that the user is registered and authenticated. Is there a web services equivalent of this? If yes, what?

Upvotes: 7

Views: 475

Answers (3)

matt b

Reputation: 139921

Does your web service even need to be publicly accessible?

You might not need to worry about complicated authentication schemes if there is no reason to allow public traffic to even reach the web service.

Upvotes: 1

crowne

Reputation: 8534

The web service world is governed by the WS-* standards.

See WS-Security:

The Wikipedia article gives a nice high-level overview; OASIS is the official home of the standards and provides the detailed specifications.

Upvotes: 1

Andrea

Reputation: 320

Usually for web services the easiest solution is using Basic Authentication. For something more complex, "API Key\Token" values are passed with each request to authorize\authenticate the users. Another solution is OAuth.

Twitter, for example, uses Basic Authentication and OAuth.

Upvotes: 5
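An added example, not part of any answer above: a server-side check for the two simplest schemes named in the last answer, Basic Authentication and a token sent with each request, where the signed token plays the role the question gives to jsessionid. The key, salt, user table and function names are constructed for illustration.

```python
import base64, hashlib, hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: per-deployment secret, kept server-side
SALT = b"constructed-salt"             # constructed sample value
USERS = {"king": hashlib.pbkdf2_hmac("sha256", b"s3cret", SALT, 100_000)}  # constructed user

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user, b"\x00" * 32)   # dummy hash: unknown users cost the same work
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, candidate) and user in USERS

def issue_token(user: str, now: float, ttl: int = 900) -> str:
    """Stateless stand-in for a session id: 'user|expiry' plus an HMAC tag."""
    payload = f"{user}|{int(now) + ttl}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"

def verify_token(token: str, now: float):
    try:
        body, tag = token.split(".")
        payload, sent = b64d(body), b64d(tag)
    except ValueError:                       # wrong shape or undecodable base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sent):   # constant-time tag comparison
        return None
    user, _, expiry = payload.decode().rpartition("|")
    return user if int(expiry) > now else None

def authenticate(authorization: str, now: float):
    """Return the caller's user name for one request, or None (answer 401)."""
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() == "bearer":
        return verify_token(value, now)
    if scheme.lower() == "basic":            # base64 is not encryption: HTTPS only
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except ValueError:
            return None
        return user if check_password(user, password) else None
    return None
```

A client would send the Basic header once to obtain a token from `issue_token`, then send `Authorization: Bearer <token>` on later requests until it expires.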
