Chapter 4. Claiming and verifying identity with passwords
This chapter covers
- Password-based authentication
- Plain-text passwords
- Digest authentication
As you saw in the previous chapter, the SOAP specification allows headers to be used for extending SOAP. WS-Security defines standard security headers for SOAP. In the first demonstration of WS-Security, we sent a username in a standard header. We also discussed the code behind that demonstration.
Sending the username along with the request is one way to claim identity. Most services require a user to establish his identity before his requests are served. This is because:
- Security restrictions require that services be provided only to authorized users. While it is not always necessary to determine user identity to figure out if a user is authorized, most often it is. For example, a low-end B2B integration service may not care who placed a purchase order as long as it is received from a trusted partner's network. Examples of services that require us to identify ourselves are, of course, everywhere.
- Service logic requires the knowledge of who the user is. For example, if you are checking email, the email service needs to know whose messages it needs to return.