Securing Web Servicesq

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

Chris - 20 Dec 2006 20:38 GMT

I want to secure a web service so only authorized client apps can use it.
Will using SSL with an encrypted username and password in the soap header do
the job? I know you could potentially capture a post to a web service (or
anything sent over the web). Will SSL mean you can't capture the stream to
the web service and resend it? I am thinking if the post to the web service
contains the username and password then it is useless unless SSL means it
can't be captured and reused? Regards.

Reply to this Message

Andy - 21 Dec 2006 10:24 GMT

The stream can not be replayed. Each SSL connection has a unique session key
so just replaying an old stream on a new connection will not work

Remember to only send a hash of the password and not the full password. This
means that you don't have to store actual passwords on the server.

Regards,

Andy Kendall

>I want to secure a web service so only authorized client apps can use it.
>Will using SSL with an encrypted username and password in the soap header
[quoted text clipped - 3 lines]
>service contains the username and password then it is useless unless SSL
>means it can't be captured and reused? Regards.

Reply to this Message

Andy - 21 Dec 2006 11:49 GMT

I forgot to say, a replay attack on the same session is also avoided because
each packet has an incremental sequence number which is remembered by the
SSL session.

> The stream can not be replayed. Each SSL connection has a unique session
> key so just replaying an old stream on a new connection will not work
[quoted text clipped - 13 lines]
>>web service contains the username and password then it is useless unless
>>SSL means it can't be captured and reused? Regards.

Reply to this Message

Securing Web Servicesq

Free Magazines