One of my tasks involved publishing a secured web service to
be consumed by any client/platform. The best and most secure way, and
you'll agree that this is what Amazon and Google use as well, is
to assign every client an application-id and a security-key.
Here's how the client should make requests:
1. A SOAP header or HTTP cookie is sent with every request.
It contains an encrypted text (token) and the client
id.
The header or cookie will look something like this:
applicationid=3456&token=wJDKD93o34%^&*$2de4390
2. Encryption is done by the client using the security-key
provided by the server. The text that is encrypted must contain a
datetime. An example of the plain text could be: myMethod\20080612
3. The security-key itself is never transferred over the
network.
4. On the server side, the token header value is decrypted
using the key for that applicationid (looked up on the server).
5. After decrypting the token, the server checks that the
datetime is in the proper format and that the methodName is the same as the method
called. If this is true, the client is authenticated.
In simple words, keep encrypting some client variable before
sending it to the server. If the server can decrypt it and finds the expected
string, it responds; otherwise it throws a security error.
Why must you also allow access using HTTP_COOKIE? You don't
want to write your own WSDL files. ColdFusion cannot generate a
WSDL that tells consumers what SoapHeaders your service is
expecting. Not allowing cookie-based authentication will
eventually lead to a situation where .NET developers won't be able
to consume your service. It's impossible for most .NET pros to write
code to send custom SOAP headers; there is so much dependency on the
Visual Studio web service code stubs.
Sam
Adobe Certified Flash and Adv. ColdFusion Developer
http://www.samunplugged.com
Mumbai users, join other Mumbai CF enthusiasts:
http://in.groups.yahoo.com/group/cfexpress/
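The five steps above, as an added example that is not part of the post and not ColdFusion code. One thing is swapped in and should be said plainly: the post describes an encrypted "methodName\YYYYMMDD" that the server decrypts, while this version sends that plaintext beside an HMAC-SHA256 tag computed with the shared security-key, because all the server has to establish is that the string was produced by someone holding that key. The application id 3456, the random 256-bit key, the header layout and the one-day token lifetime are assumptions; the post only requires that the date be well-formed, so the age check is an addition. Both the client side (building the applicationid=...&token=... value) and the server side (looking up the key, verifying, checking method and date) are shown.

```python
"""Application-id + security-key request tokens, modelled on the post above.

Added example; not code from the post, from ColdFusion or from any product.
Assumption: the post's token is an *encrypted* "methodName\\YYYYMMDD"; here it
is that plaintext plus an HMAC-SHA256 tag under the shared key (swapped in:
the server only needs to check the string was made with the key).
"""
import base64
import datetime as dt
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

DATE_FMT = "%Y%m%d"          # the post's sample plaintext: myMethod\20080612

# Constructed: per-application keys registered on the server.  The key is
# handed to each client out of band; it never travels inside a request.
APP_KEYS = {"3456": secrets.token_bytes(32)}   # assumed id and key size


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def parse_date(text: str) -> dt.date:
    """YYYYMMDD -> date; raises ValueError for anything else."""
    return dt.datetime.strptime(text, DATE_FMT).date()


def make_token(key: bytes, method: str, date: str) -> str:
    """Client: tag "method\\date" with the shared key.

    Both parts are base64url-encoded so the token contains no '&', '=' or
    '%' and survives a query string or cookie value unchanged.
    """
    payload = f"{method}\\{date}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def build_header(app_id: str, key: bytes, method: str, date: str) -> str:
    """Client: the applicationid=...&token=... value sent as cookie or SOAP header."""
    return urlencode({"applicationid": app_id, "token": make_token(key, method, date)})


def verify_header(header: str, called_method: str, today: dt.date,
                  max_age_days: int = 1) -> bool:
    """Server: look up the key for applicationid, then check tag, method, date.

    True only if the token was made with that application's key, names the
    method actually called, carries a well-formed date and (an addition
    beyond the post's format check) that date is today or at most
    max_age_days old.
    """
    try:
        fields = parse_qs(header, strict_parsing=True)
        key = APP_KEYS[fields["applicationid"][0]]      # unknown id -> KeyError
        payload_b64, tag_b64 = fields["token"][0].split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (KeyError, ValueError):                      # malformed request
        return False

    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # wrong key or tampered
        return False

    method, sep, date_text = payload.decode(errors="replace").partition("\\")
    if not sep or method != called_method:
        return False
    try:
        stamp = parse_date(date_text)
    except ValueError:
        return False
    return 0 <= (today - stamp).days <= max_age_days


def demo() -> tuple:
    """Round trip: a good request, then wrong method, wrong key, unknown app."""
    today = parse_date("20080612")
    key = APP_KEYS["3456"]
    good = build_header("3456", key, "myMethod", "20080612")
    return (
        verify_header(good, "myMethod", today),
        verify_header(good, "otherMethod", today),
        verify_header(build_header("3456", b"not the key", "myMethod", "20080612"),
                      "myMethod", today),
        verify_header(build_header("9999", key, "myMethod", "20080612"),
                      "myMethod", today),
    )


if __name__ == "__main__":
    print(build_header("3456", APP_KEYS["3456"], "myMethod", "20080612"))
    print(demo())
```

The string returned by build_header is what would go into the cookie or the SOAP header; because every part of it is URL-safe it can be parsed back with the same query-string parser on either transport, unlike the sample token in the post, which contains raw `%`, `&` and `=`. The server never needs to decrypt anything: it recomputes the tag from the plaintext with the key stored for that applicationid and compares in constant time, and a request with an unknown id, a bad tag, a different method name or a malformed or stale date is refused before the method runs.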