StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
160449
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2008-10-02T01:06:20.847
FavoriteCount
0
LastActivityDate
2008-10-02T15:23:02.363
LastEditDate
2008-10-02T15:23:02.363
LastEditorUserId
10026
OwnerUserId
10026
ParentId
153329
PostTypeId
2
Score
2
ViewCount
0
LastEditorDisplayName
ykaganovich
text
Body
Ok, replacing my older answers with hopefully a better one. What you describe should work if you have a way to securely share data between your services. For example, if your services share a secret key with the Authorization Service, you can use this key to get the salt. BTW, I don't know enough cryptography to say whether it's safe enough to add secret salt + hash (although seems fine); I'm pretty sure it's safe to <a href="http://en.wikipedia.org/wiki/HMAC" rel="nofollow noreferrer">HMAC</a> with a secret or private key. Rotating keys is a good idea, so you would still have a master key and propagate a new signing key. Other issues with your approach are that (a) you're hardcoding the hashing logic in every service, and (b) the services might want to get more detailed data from the Authorization Service than just a yes/no answer. For example, you may want the Authorization Service to insert into the header that this user belongs to roles A and B but not C. As an alternative, you can let the Authorization Service create a new header with whatever interesting information it has, and sign that block. At this point, we're discussing a Single Sign-On implementation. You already know about <a href="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss" rel="nofollow noreferrer">WS-Security</a> specs. This header I described sounds a lot like a <a href="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security" rel="nofollow noreferrer">SAML</a> assertion. <a href="http://www.oracle.com/technology/tech/java/newsletter/articles/wsaudit/ws_audit.html" rel="nofollow noreferrer">Here's an article</a> about using WS-Security and SAML for Single Sign-On. Now, I don't know whether you need all this... there are in-between solutions too. For example, the Authorization Service could sign the original Username block; if you worry about public/private crypto performance, and you're ok sharing secret keys, you could also use a secret key to sign instead of public/private keys.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POWhat are the potential problems with this WebService security scheme?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USykaganovich
UserOwnerUserId
1. USykaganovich
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.