Web Service Authentication

Old forum URL: forums.lhotka.net/forums/t/2989.aspx


baneckk posted on Tuesday, June 05, 2007

Hello,

I've read chapter 11 and implemented the credentials class to use in the SOAP header. We plan on using SSL to encrypt the username and password. Everything seems fine, but we didn't know what customers would think of passing their username and password for each web method.

We were thinking about writing a login web method that would return a security token. The consumer would pass the token in the SOAP header. We'd use the token to validate the user and load the principal. The token would expire after a period of time.

We didn't look much at WSE.  Does the customer need to use .NET if we use WSE?  We don't know what platforms our customers will be using and we cannot have .NET as a requirement.

So, what have other people done for web service authentication and security?

Thanks,

Kurt
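
The login-token scheme described in the post, sketched as an added example that is not part of the original post or of the CSLA framework's code. It is written in Python to show that nothing in the scheme depends on the consumer's platform; the names `issue_token`, `validate_token` and `SERVER_KEY`, the token layout, and the 20-minute lifetime are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a server-side secret, generated here for the demo. A real service
# would load it from protected configuration so tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 20 * 60  # assumed lifetime; the post only says "a period of time"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(username, now=None, ttl=TOKEN_TTL_SECONDS):
    """Called by the login method after the username/password check succeeds."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": username, "exp": int(now + ttl)}).encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate_token(token, now=None):
    """Return the username for a genuine, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode("ascii"))
        tag = base64.urlsafe_b64decode(tag_b64.encode("ascii"))
    except (ValueError, AttributeError):
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # forged or altered
    claims = json.loads(payload)  # only parsed after the MAC has been verified
    if now >= claims["exp"]:
        return None  # expired: the consumer must call login again
    return claims["user"]
```

The token is a bearer credential, so it needs SSL in transit just as the username and password do. The consumer only stores the string and echoes it back in the SOAP header, which any SOAP toolkit can do.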

Copyright (c) Marimer LLC