Authenticating Web Services Users
Deciding on the best way to validate users of your Web service depends on the credentials you require
by Bruce Johnson
February 2003 Issue
The authentication function that your Web service performs acts much like a door on a house: you'll open it only if you know who is out there. In the world of Web services, authentication is the process of making sure that the person who asks to use the Web service is really the person they claim to be. Of the authentication processes out there, which is the best to choose?
All authentication processes require that the person who requests access provide a set of credentials. In return, that person receives a security token that grants access to the server. Credentials for an application usually take the form of a user ID and password. However, the strict definition of the term "credentials" includes everything necessary to uniquely identify the user, which could include other elements as well.
The security token that is returned at the successful completion of an authentication process can take many forms. For Web services, the most common are a cookie placed on the user's browser, a session ID stored on the server, or a string of characters. For our example, we return a 33-character string. Regardless of its form, however, the purpose remains the same: to allow for continuing authentication without submitting the credentials with every call.
Operating System Options
One of the easiest ways to implement an authentication mechanism for a Web service is to integrate it with Windows. Windows 2000 allows for six types of authentication: anonymous, basic, basic over Secure Sockets Layer (SSL), digest, integrated, and client certificate. Let's look at them in more detail.
Anonymous - If your Web service is not on a "need to know" basis with your user's credentials, then anonymous authentication is the way to go. In this instance, no credentials are required to access the exposed functionality. Because this is the default authentication mechanism for Web pages, no special server configuration is required. However, the service will not be able to distinguish one call from another with respect to the initiator.
Basic - In basic authentication, the user is prompted for a login ID and password. Once collected, this information is transmitted in plaintext to the Web server. For access to be granted, the credentials must correspond to a valid Windows account. The beauty of using basic authentication is the ease with which it can be set up and the universality of its availability. For IIS 5.0, you start by opening the Internet Services Manager and right-clicking on the Web site in question to view its properties. Under the Directory Security tab, click on the Edit button associated with anonymous access and authentication control. In the Authentication Access dialog box (see Figure 1), make sure that Anonymous Access is unchecked and Basic Authentication is checked. And you're done.
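The two ideas above, credentials exchanged for a security token and basic authentication carrying those credentials in the Authorization header, can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the article or from IIS: it decodes a Basic header the way a server would, checks the credentials against a constructed store (a hypothetical user "alice" with a fixed demo salt), and hands back a random session token that stands in for the credentials on later calls. Everything is Python standard library; the in-memory session store and the 15-minute token lifetime are assumptions for the demo. Because the decode step recovers the password verbatim, the example also makes concrete why the article's "plaintext" remark matters and why basic authentication belongs over SSL.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds raw passwords (demo iteration count).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store for the demo: user ID -> (salt, password hash).
# "alice" and the salt are hypothetical values, not from the article.
_DEMO_SALT = b"constructed-demo-salt"
USERS = {
    "alice": (_DEMO_SALT, _hash_password("correct horse", _DEMO_SALT)),
}

TOKEN_TTL_SECONDS = 15 * 60          # assumed session lifetime
_SESSIONS = {}                       # token -> (user_id, expiry timestamp)


def make_basic_header(user_id: str, password: str) -> str:
    """Client side: build the header a browser sends for basic authentication.
    Base64 is an encoding, not encryption, so the credentials travel in the clear."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str):
    """Server side: decode an Authorization header into (user_id, password).
    Returns None for anything that is not a well-formed Basic header."""
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # The user ID may not contain a colon, so split on the first one only;
    # the password may legitimately contain colons.
    user_id, _, password = decoded.partition(":")
    return user_id, password


def check_credentials(user_id: str, password: str) -> bool:
    """Verify a user ID and password against the store in constant time."""
    record = USERS.get(user_id)
    if record is None:
        # Do the same work for unknown users so timing does not reveal valid IDs.
        _hash_password(password, _DEMO_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def issue_token(user_id: str, now=None) -> str:
    """Return an unguessable session token bound to the user with an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)   # 24 random bytes -> 32 URL-safe characters
    _SESSIONS[token] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(header: str, now=None):
    """Full flow: Authorization header -> credentials -> token, or None on failure."""
    creds = parse_basic_header(header)
    if creds is None or not check_credentials(*creds):
        return None
    return issue_token(creds[0], now)


def user_for_token(token: str, now=None):
    """Resolve a token presented on a later call; expired tokens are dropped."""
    now = time.time() if now is None else now
    entry = _SESSIONS.get(token)
    if entry is None:
        return None
    user_id, expiry = entry
    if now >= expiry:
        del _SESSIONS[token]
        return None
    return user_id


if __name__ == "__main__":
    header = make_basic_header("alice", "correct horse")
    print("wire form:", header)
    print("decoded by server:", parse_basic_header(header))
    token = authenticate(header)
    print("token issued:", token)
    print("later call resolves to:", user_for_token(token))
```

Calling `authenticate` once per request would defeat the purpose of the token; the intended flow is one credential check, then `user_for_token` on every subsequent call until the entry expires, which is the "continuing authentication" the article describes.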