Web services Authentication Jungle

Posted by redben on Stack Overflow See other posts from Stack Overflow or by redben
Published on 2010-05-18T10:31:22Z Indexed on 2010/05/19 23:30 UTC
Read the original article Hit count: 275

I have been doing some research lately about best approaches to authenticating web services calls (REST SOAP or whatever). But none of the Approaches convinced me... But i still can't a make a choise...
Some talk about SSL and http basic authentication -login/password- which just seems weird for a machine (i mean having to assign a login/password to a machine, or is it not ?).
Some others say API keys (seems like these scheme is more used for tracking and not realy for securing).
Some say tokens (like session IDs) but shouldn't we stay stateless (especially if in REST style) ?

In my use case, when a remote app is calling one of our web services, i have to authenticate the calling application obviously, and the call must - if applicable - tell me which user it impersonates so i can deal with authorization later.

Any thoughts ?

© Stack Overflow or respective owner

Related posts about web-services

Related posts about authentication