While creating a web service in any programming language (Java, ASP.NET and so on), it is always recommended to have an authentication system in place that authenticates each incoming client request before processing it.
Because web services are exposed to the Internet, anyone can call them and send any request, which can lead to the following issues:
Someone can send malicious requests to reach sensitive data, or keep your server busy by flooding it with bogus requests.
Even if you have proper request validation in place, an authentication layer lets you intercept such requests and reject them before any processing starts, so unauthenticated traffic never reaches your validation or business logic.
HTTPS is part of the solution: it protects the confidentiality and integrity of the client-server traffic. It does not, by itself, tell the server who is calling, so HTTPS should be combined with an authentication system rather than used instead of one.
Here we will discuss the two most commonly used ways for securing web services:
HTTP Basic Auth
WS-Security UsernameToken Authentication
Let's start with the first one.
HTTP Basic authentication is carried in the Authorization header of each request. It is an HTTP-level scheme, not transport-level security: it identifies the caller but encrypts nothing, so it must be used over HTTPS (SSL/TLS) so that the credentials cannot be read on the wire.
The Authorization header is built as follows:
The username and password are combined into a single string "username:password" (the username must not contain a colon, because the server splits on the first one).
That string is encoded with the RFC 2045 (MIME) variant of Base64. This is an encoding, not encryption: anyone who can read the header can recover the password.
The encoded string is sent in the Authorization header with the scheme name "Basic".
Below is an example of HTTP Basic auth in the header of an HTTP request (the RFC 2617 example: username Aladdin, password "open sesame"):
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
For web services, SoapUI (for SOAP services) and Postman (for REST services) both let you specify HTTP Basic credentials in the request's authentication settings, which is the easiest way to test an endpoint secured this way.
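The following is an added example, not code from the original article: a client-side builder and a server-side parser/verifier for the Basic scheme in Python. The credential store USERS and the helper names are assumptions made for the example; a real service would store salted password hashes rather than cleartext. Note that the server rejects any header it cannot parse completely before it looks at the credentials, and compares the password in constant time.

```python
import base64
import binascii
import hmac

# Constructed demo credential store (example only). A real service would keep a
# salted password hash per user and verify against that, not the cleartext.
USERS = {"Aladdin": "open sesame"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: Basic credentials are base64(username ":" password).

    The user-id may not contain ':' because the server splits on the first colon.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header_value: str):
    """Server side: return (username, password) or None if the header is malformed.

    Rejects other schemes, non-Base64 payloads, non-UTF-8 bytes and a payload
    with no ':' separator, so the caller never sees a half-parsed credential.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header_value: str) -> bool:
    """Reject the request before any business logic runs unless the header
    carries a known user together with the matching password."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    username, password = creds
    # Look up with a default so an unknown user still costs one comparison,
    # and compare in constant time so the mismatch position does not leak.
    expected = USERS.get(username, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matches and username in USERS


if __name__ == "__main__":
    header = build_basic_header("Aladdin", "open sesame")
    print(header)                      # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(authenticate(header))        # True
    print(authenticate("Basic QWxhZGRpbg=="))  # False: no ':' in the payload
```

Run it as a script to see the header from the article's example reproduced and verified; the same parse_basic_header/authenticate pair is what an HTTP filter or middleware would call on every request before dispatching to the service method.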
WS-Security is message-level security for SOAP web services: the security information travels inside the SOAP envelope rather than in the transport. WS-Security provides the standard way to secure SOAP-based web services, and WS-SecurityPolicy is how a service declares those security requirements to the outside world.
Generally, when using WS-Security in SOAP web services, a <wsse:Security> element is expected in the SOAP header. Following is a sample SOAP request header carrying a UsernameToken:
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
        <wsu:Created>dateCreated</wsu:Created>
    </wsse:UsernameToken>
</wsse:Security>
As the sample shows, for WS-Security UsernameToken authentication the client supplies the Username, Password and Created fields inside the UsernameToken, and the server-side code authenticates the request against the credentials stored in the database.
The following three verification modes are possible:
No Verification:
No verification of the user name and password is performed; only the timestamp on the token is validated. This is the default behavior, and it does not authenticate anyone: any client that can write a fresh Created value is accepted.
Verify Username Only:
Only the user name is verified. If the user name is known, the request is authenticated. This proves only that the caller knows a valid user name, so it is not real authentication either.
Verify Username and Password:
Both the user name and password are verified. For the password, both clear text (PasswordText) and digest (PasswordDigest) formats are supported. PasswordText sends the password in the clear and must only be used over HTTPS. PasswordDigest sends Base64(SHA-1(nonce + created + password)); the server must hold the password (or an equivalent secret) to recompute it, and should reject reused nonces and stale Created values so that a captured token cannot be replayed.
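The following is an added example, not code from the original article or from any particular SOAP stack: a client-side envelope builder and a server-side verifier for the UsernameToken header shown above, implementing the three verification modes just listed as well as both password types. The credential store USERS, the clock-skew limit MAX_SKEW, the nonce replay cache and the mode names 'none', 'username' and 'password' are assumptions made for the example; the namespace URIs, the PasswordText/PasswordDigest type identifiers and the digest formula are those of the WS-Security UsernameToken profile.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed demo credential store (example only). PasswordDigest can only be
# recomputed from the cleartext password, which is why it is kept here as-is.
USERS = {"username": "password"}
MAX_SKEW = timedelta(minutes=5)   # how far wsu:Created may drift from server time
seen_nonces = set()               # replay cache; a real service would expire entries


def make_nonce() -> str:
    return base64.b64encode(os.urandom(16)).decode("ascii")


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); the nonce is
    the decoded bytes and created is the exact string carried in the token."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, nonce_b64, created, use_digest=True) -> str:
    """Client side: a SOAP envelope whose header carries a UsernameToken."""
    ptype = PASSWORD_DIGEST if use_digest else PASSWORD_TEXT
    pw = password_digest(nonce_b64, created, password) if use_digest else escape(password)
    nonce = f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>" if use_digest else ""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soapenv:Header>"
        f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{ptype}">{pw}</wsse:Password>'
        f"{nonce}<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
        "<soapenv:Body/></soapenv:Envelope>"
    )


def parse_created(value: str):
    """Parse an xsd:dateTime such as 2024-05-01T12:00:00Z; None if malformed or naive."""
    iso = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        ts = datetime.fromisoformat(iso)
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def verify_username_token(envelope_xml: str, mode: str, now: str = None) -> bool:
    """Server side. mode is 'none' (timestamp only), 'username' (user must exist)
    or 'password' (text or digest must match). `now` is an xsd:dateTime string so
    tests are deterministic; None means the current UTC time."""
    now_ts = datetime.now(timezone.utc) if now is None else parse_created(now)
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False
    token = root.find(".//wsse:Security/wsse:UsernameToken", NS)
    if token is None or now_ts is None:
        return False
    created_el = token.find("wsu:Created", NS)
    created = created_el.text if created_el is not None else None
    created_ts = parse_created(created) if created else None
    if created_ts is None or abs(now_ts - created_ts) > MAX_SKEW:
        return False              # missing, malformed or stale timestamp
    if mode == "none":
        return True               # accepts anyone who can write a fresh timestamp
    user_el = token.find("wsse:Username", NS)
    username = user_el.text if user_el is not None else None
    if username not in USERS:
        return False
    if mode == "username":
        return True               # existence check only; still not authentication
    pw_el = token.find("wsse:Password", NS)
    if pw_el is None or not pw_el.text:
        return False
    sent = pw_el.text.encode("utf-8")
    expected = USERS[username]
    ptype = pw_el.get("Type", PASSWORD_TEXT)   # the profile's default is PasswordText
    if ptype == PASSWORD_TEXT:
        return hmac.compare_digest(sent, expected.encode("utf-8"))
    if ptype == PASSWORD_DIGEST:
        nonce_el = token.find("wsse:Nonce", NS)
        if nonce_el is None or not nonce_el.text or nonce_el.text in seen_nonces:
            return False          # no nonce, or one we already accepted (replay)
        try:
            want = password_digest(nonce_el.text, created, expected).encode("ascii")
        except ValueError:
            return False          # nonce is not valid Base64
        good = hmac.compare_digest(sent, want)
        if good:
            seen_nonces.add(nonce_el.text)
        return good
    return False                  # unknown password type: fail closed
```

Each check that fails returns False without touching the credential store or the body, which is the "reject before any processing starts" behaviour the article asks for. The replay cache is keyed on the nonce; because the Created value is also folded into the digest and bounded by MAX_SKEW, an attacker who captures a token gets only a few minutes in which the nonce is still unseen, and a single replay of the same token fails.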