Service oriented development is dominating my current programming landscape. Service Oriented Architecture (SOA) can be defined as loosely coupled software services that support requirements of a business process. SOA is also characterized by being technology agnostic, that is, the underlying service can be implemented in a variety of ways RPC, DCOM, CORBA or Web Services without worrying about the source.
Currently most of the projects I am involved with consume web service where the underlying technology is completely unknown to me. As with all banking systems security is always key so I wanted to review some of the options available for someone using ASP.NET.
Windows - Basic: Used for non-secure identification of clients, as the user name and password are sent in base 64-encoded strings in plain text. Passwords and user names are encoded, but not encrypted, in this type of authentication. A determined, malicious user equipped with a network-monitoring tool can intercept user names and passwords, this type of authentication is generally limited to secure networks.
Windows - Basic over SSL: Used with secure identification of clients in Internet scenarios. The user name and password are sent over the network using Secure Sockets Layer (SSL) encryption, rather than plain text. This is relatively easy to configure and works for Internet scenarios. However, using SSL degrades performance.
Windows - Digest: Used for secure identification of clients in Internet scenarios and uses hashing to transmit client credentials in an encrypted manner so the password is not transmitted in clear text. In addition, Digest authentication can work through proxy servers. However, it is not widely supported on other platforms.
Windows - Client Certificates: Use for secure identification of clients in Internet and intranet scenarios. Requires each client to obtain a certificate from a mutually trusted certificate authority. Certificates are optionally mapped to user accounts, which are used by IIS for authorizing access to the XML Web service.
SOAP headers – Custom: Useful for both secure and non-secure Internet scenarios. User credentials are passed within the SOAP header of the SOAP message. The Web server, regardless of the platform hosting the XML Web service, provides a custom authentication implementation.
"The mystery of government is not how Washington works but how to make it stop." - PJ O'Rourke