Tuesday, October 19, 2010

Web Service authentication and Http session and Web Service session

I was presented with a web service client written with Zend_Soap_Client. It seems that the Web Service runs as a Single Sign On service, but it is a specific SSO invented internally. However, this WS is not protected by even simple authentication. When I raised this concern, I was asked "how do we pass the user name and password to the Web Service server?". Well, I think this question needs to be divided into two parts to be answered:
  1. How do we authenticate the client when it accesses a Web Service?
  2. Is the Web Service stateful or stateless?
Regarding the first question, authentication can happen in two different places. The first is the WS-Security (WSS) header, which travels inside the SOAP message header (for example a UsernameToken carrying the user name and a password or password digest). The second is HTTP authentication (for example HTTP Basic), which happens outside, in front of, the Web Service at the transport layer, before the SOAP body is ever parsed. So it is up to the Web Service provider and the Web Service consumer to agree on where they will put the authentication info to protect the Web Service. In either case the credentials are only as safe as the channel: a UsernameToken with a plain-text password or a Basic Authorization header must be sent over TLS, and a digest token still needs a nonce and timestamp check on the server or it can simply be replayed.
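The two placements described above, as an added example that is not part of the original post and not Zend_Soap_Client code: the client builds a SOAP envelope with a WS-Security UsernameToken in PasswordDigest form (Username Token Profile 1.0: Base64(SHA-1(nonce + created + password))), or alternatively an HTTP Basic Authorization header for the transport-layer option, and the server side verifies the digest, the freshness of the Created timestamp, and rejects replayed nonces. The user table, the `max_skew` window and the sample user "alice" are assumptions constructed for the example.

```python
import base64
import calendar
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def iso_to_epoch(stamp):
    """wsu:Created (UTC, second precision) -> POSIX seconds."""
    return calendar.timegm(time.strptime(stamp, TIME_FMT))


def password_digest(nonce, created, password):
    """Username Token Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(username, password, body_xml, created=None, nonce=None):
    """Client side, placement 1: credentials go in the SOAP header as a WSS UsernameToken."""
    created = created or time.strftime(TIME_FMT, time.gmtime())
    nonce = nonce or os.urandom(16)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def http_basic_header(username, password):
    """Client side, placement 2: HTTP Basic Authorization header, checked in front of the WS (TLS only)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class UsernameTokenVerifier:
    """Server side for placement 1: check digest, Created freshness, and nonce replay."""

    def __init__(self, users, max_skew=300):
        self.users = users        # assumption: username -> password (a real service would use a directory)
        self.max_skew = max_skew  # seconds of allowed clock skew for wsu:Created
        self.seen_nonces = {}     # nonce -> time until which a repeat must be refused

    def verify(self, envelope_xml, now=None):
        now = time.time() if now is None else now
        try:
            root = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return False, "malformed envelope"
        tok = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if tok is None:
            return False, "missing UsernameToken"
        username = tok.findtext(f"{{{WSSE_NS}}}Username")
        pw_el = tok.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
        created = tok.findtext(f"{{{WSU_NS}}}Created")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            return False, "token incomplete or not a PasswordDigest"
        try:
            created_ts = iso_to_epoch(created)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False, "bad Created or Nonce encoding"
        if abs(now - created_ts) > self.max_skew:
            return False, "Created outside freshness window"
        # Forget nonces whose Created has left the window, then refuse any nonce still inside it.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        password = self.users.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "digest mismatch"
        self.seen_nonces[nonce] = created_ts + self.max_skew + 1
        return True, "ok"
```

The nonce cache is what makes the digest worth anything: without it an attacker who captures one envelope can re-send it for as long as the Created timestamp is accepted. The Basic header carries the password itself, so with that placement the only protection is the TLS channel.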

About the second question, a Web Service can be either stateful or stateless. Enabling session management in the Web Service will obviously increase the memory footprint, because the server has to keep a session table between calls for every client that has logged in. On the other hand, a stateless Web Service requires less memory, but it has to authenticate every single call. Which one fits depends on what kind of Web Service it is.

I know it is weird for a programmer to have to send the user name and password or a certificate file every time it calls each function supplied by the same Web Service. I think we have to balance computing time, memory footprint, and ease of implementation. Then we can choose whether we need a stateless WS or a stateful WS. Both Axis2 (through its session scopes) and .NET Web Services (through EnableSession on a WebMethod) can support stateful Web Services.
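The trade-off described above, as an added example that is not code from the original post or from Axis2 or .NET: a stateless service that re-checks credentials on every call beside a stateful one that authenticates once, hands back an opaque session id, and keeps a session table that is bounded by an idle timeout and a hard cap so the memory footprint cannot grow without limit. The user table, the timeouts and the sample user "alice" are assumptions constructed for the example.

```python
import hmac
import secrets
import time


class StatelessService:
    """Stateless WS: every call carries credentials and is authenticated on its own.
    Nothing is kept between calls, so memory stays flat but each call pays for the check."""

    def __init__(self, users):
        self.users = users  # assumption: username -> password

    def call(self, username, password, operation):
        stored = self.users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        return f"{operation} for {username}"


class StatefulService:
    """Stateful WS: authenticate once, then present an opaque session id on later calls.
    The server must hold a session table, so it is bounded by an idle timeout and a cap."""

    def __init__(self, users, idle_timeout=600, max_sessions=1000):
        self.users = users
        self.idle_timeout = idle_timeout  # seconds a session may sit unused
        self.max_sessions = max_sessions  # hard ceiling on the table size
        self.sessions = {}                # session id -> {"user": ..., "last": last activity}

    def _expire(self, now):
        self.sessions = {sid: s for sid, s in self.sessions.items()
                         if now - s["last"] <= self.idle_timeout}

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        stored = self.users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        if len(self.sessions) >= self.max_sessions:
            return None  # refuse a new session rather than grow without bound
        sid = secrets.token_urlsafe(32)  # unguessable; never a counter or the user name
        self.sessions[sid] = {"user": username, "last": now}
        return sid

    def call(self, session_id, operation, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        session = self.sessions.get(session_id)
        if session is None:
            return None  # unknown, expired or logged-out session: the caller must log in again
        session["last"] = now
        return f"{operation} for {session['user']}"

    def logout(self, session_id):
        self.sessions.pop(session_id, None)

    def active_sessions(self, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        return len(self.sessions)
```

The session id is the credential once it has been issued, so it has to be random, carried over TLS, and retired by logout or timeout; the cap turns an attacker who floods the login operation into a denial of service for new sessions instead of a memory exhaustion of the whole service.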
