Roel Oomens
Solved
expose soap service and security
Question
Security
SOAP
Hi,
My web application will expose a SOAP service.
Regarding the security (not everyone/everything is allowed to call the service) I gathered some information from this community forum.
The main possibility I read is making use of SOAP Headers. These headers are not exposed in the WSDL (https://www.outsystems.com/forums/discussion/5462/web-services-authentication-and-authorization//#Post12929 post by Joao Portela in 2009.. is this still applicable?). The clients add the headers in the request and with the use of EnhancedWebReferences the application can read the headers. Is there an easy way to parse the value from the SOAP Header Elements?
Another possibility is to use basic HTTP authentication. Is this supported by the platform? I don't seem to find any read-ups on it.
Any help is welcome. Perhaps there is another way to secure an exposed SOAP interface?
Ricardo Silva
With the OutSystems Platform you can do both of those approaches. You can either add SOAP Headers or use HTTP Basic Authentication if you configure your application server accordingly.
However, in my point of view, simpler is better. Why not just use extra parameters to your authenticated methods?
23 May 2016
Roel Oomens
Hi,
Thanks for the responses.
@Remco, @Justin:
I don't think client certificates are the way to go for us; the main reason is the installation of them on every client server (as Justin mentioned), which is not always in our reach.
@Ricardo:
Is there a difference security-wise in adding the credentials to the body instead of adding them to the header? Or is there only a difference in preference and elegance?
A general question:
Is basic authentication by the application server more secure and better performance-wise?
- The request is blocked by the application server rather than the application
- The request isn't processed by the application when authentication fails
Remco Dekkinga
MVP
Hi Roel, there is another option: use client certificates. Install the correct certificates on the server and on the clients that are allowed to access the server.
Kind regards, Remco
Justin James
MVP
Client certificates are super-secure, but they are a royal hassle. You need to install them on every server in the client's farm...
J.Ja
Ricardo Silva
Solution
There is no security difference between adding the information to the headers or the body. It will be much easier to process if they are parameters on the OutSystems Platform side, and you can't create the WSDL with the header specification, so it will be a hidden contract.
Regarding basic authentication, it may be a bit better performance-wise, but you'll have to perform and maintain this configuration on the side (as the OutSystems Platform doesn't do it for you out of the box), so I'd say it's very likely not worth the hassle.
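To illustrate the answer above, here is an added example (not from the thread and not OutSystems code) that reads the same credentials from a SOAP header or from body parameters of a constructed request and checks them. The namespace `urn:example:orders`, the `Auth`, `Username` and `Password` element names and the `ALLOWED` table are assumptions.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
APP_NS = "urn:example:orders"  # hypothetical service namespace
ALLOWED = {"partner1": "s3cret"}  # constructed; store password hashes in practice

CREDS = "<a:Username>partner1</a:Username><a:Password>s3cret</a:Password>"
# Constructed requests: identical credentials, header style vs. body parameters.
HEADER_STYLE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:a="{APP_NS}">
  <soap:Header><a:Auth>{CREDS}</a:Auth></soap:Header>
  <soap:Body><a:GetOrder><a:OrderId>42</a:OrderId></a:GetOrder></soap:Body>
</soap:Envelope>"""
BODY_STYLE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:a="{APP_NS}">
  <soap:Body><a:GetOrder>{CREDS}<a:OrderId>42</a:OrderId></a:GetOrder></soap:Body>
</soap:Envelope>"""


def extract_credentials(envelope):
    """Return (username, password, location) or None when absent or malformed."""
    if "<!DOCTYPE" in envelope:  # SOAP 1.1 forbids DTDs; refuse entity tricks
        return None
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return None
    for location in ("Header", "Body"):
        part = root.find(f"{{{SOAP_NS}}}{location}")
        if part is None:
            continue
        user = part.find(f".//{{{APP_NS}}}Username")
        pwd = part.find(f".//{{{APP_NS}}}Password")
        if user is not None and pwd is not None:
            return (user.text or "", pwd.text or "", location)
    return None


def is_authorized(envelope):
    creds = extract_credentials(envelope)
    if creds is None:
        return False
    user, pwd, _ = creds
    expected = ALLOWED.get(user, "")
    # compare_digest does not reveal how many leading characters matched
    same = hmac.compare_digest(pwd.encode(), expected.encode())
    return same and user in ALLOWED


if __name__ == "__main__":
    for name, req in (("header", HEADER_STYLE), ("body", BODY_STYLE)):
        print(name, extract_credentials(req), is_authorized(req))
```

Either placement puts the credentials in the same XML document, so it is the transport (HTTPS) that protects them in transit.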