Databases
StackOverflow2013
Postsdbo
POAuthentication for Both Webapplication and WebService
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POAuthentication for Both Webapplication and WebService
    text
    copied!<p>I'm currently working on an application consisting both of a webapplication and client software. The client communicates via webservices, supporting both a SOAP and Protobuffer implementation.</p> <p>The initial registration is done via the webapplication, which relies on username + password authentication later on.</p> <p>After finishing the registration process, all features are also available via the client, which will only communicate via HTTPS. For authenticating webservice calls, I'm currently thinking about three possible approaches:</p> <ol> <li><p>Including the username and password in every message. But is it really a good practice to include the credentials in every request, even though secured by HTTPS?</p></li> <li><p>Providing the username and password in the first webservice request. The client then gets a token which is used for all future requests. (Note: It's not deemed acceptable to force the user to copy a server-generated token to the client application.) Only if the user revokes the token, he needs to send his username and password again for getting a new token. Such token based approaches seem to be quite common, for example Google, AWS and Rackspace are using them a lot. But does it really pay off in this scenario?</p></li> <li><p>Hashing the password on the client sounds like a good solution. However I'd like to salt the encrypted passwords on the server-side. Adding requests only for fetching salts doesn't sound like an optimal solution or is it?</p></li> </ol> <p>Are there any best practices or tips? I couldn't find too much information exactly for these requirements. Currently I'd go with 2), but I'm not really convinced yet.</p> <p>The project is based on Java, Apache CXF, Protobuffers and Shiro, but shouldn't have too much of an impact for the general question...</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload