How to secure (ASP.NET) Web Service Authorization

I'm building a web service with many methods, some of which are user specific and require I authorize the user. I found these articles on using soap headers to pass login information:

Since I don't want to pass the username / password in clear text, the first approach seems necessary to secure the login. But I was wondering if that's necessary. Is there any way to call a web service using SSL (or force a client to use SSL)? If that was possible, I wouldn't need to do the round trip with passing a encryption key / token to the client first.

Thanks in advance.
LVL 1
ZekeLAAsked:
Who is Participating?
 
ZekeLAAuthor Commented:
I think the second link addressed my security issue but maybe you know the answers to my follow up questions. Accordign the msdn article, SSL can be used only if using Windows authentication. Since our users aren't Windows users, it sounds like I'll have to go with custom soap headers.

Does that sound correct to you?

Secondly, are there any usual practices about encrypting the soap header information? It looks like you need to get a token and then encrypt it. But for security, the token should expire at some point. Is there a rule of thumb as to how long the token should survive?

Thanks.
0
 
Anil GolamariCommented:
http://msdn.microsoft.com/en-us/library/ff649205.aspx ( to use ssl in web apps)

http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/ (regarding security token)

Hope these links shade some light on your questions.

Hope it helps you.

0
All Courses

From novice to tech pro — start learning today.