How does one integrate a Web service with an existing security infrastructure? For example, my LDAP security allows me to change an address and add a customer. So how would I connect the Web service to follow the same security restrictions? Currently my Web service infrastructure is such that I can specify a userid and password inside the Web service call.
You have the right idea. Effective security requires that you use your existing user credentials, if at all possible. Taking advantage of the user profiles you already have in your LDAP directory does just that. The next question is what level of security you need to enforce for users of your Web services. For example, if you want every requester to be authenticated before they can invoke a Web service you must arrange to acquire the necessary username and password for the request. You might consider the WS-Security standard, which describes how to pass a username and password in a SOAP header in a standard manner. Of course, you must make sure any Web service development tool you use allows you to add this information to the header.
Another option is to use HTTP basic authentication for transmitting the username/password pair to the server. In either case, once this information has reached the server you must extract the username and password and present it to your LDAP system to determine if the user is authentic. You need to do this before invoking the Web service or depend on the authors of every one of your Web services to check this before executing the request. Finally, we must consider if authentication of the user is tantamount to authorizing that user to access EVERY Web service. If you need more control then you must augment the information in your LDAP directory with permissions indicating which services a given user is authorized to use. Such access controls might describe which services or operations a user may request or, more specifically, the content of the messages a user is allowed to present to the service. If you incorporate such access controls into your system you must follow your authentication check with an authorization check to make sure the authenticated user is allowed to use the requested service. As a final note, several of the Web services management products on the market can help you solve this problem.
Dig Deeper on Topics Archive
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.