expose soap service and security

My web application will expose a SOAP service.
Regarding the security (not everyone/everything is allowed to call the service) I gathered some information from this community forum.

The main possibility I read is making use of SOAP Headers. These headers are not exposed in the WSDL (http://www.outsystems.com/forums/discussion/5462/web-services-authentication-and-authorization//#Post12929 post by Joao Portela in 2009; is this still applicable?). The clients add the headers in the request and with the use of EnhancedWebReferences the application can read the headers. Is there an easy way to parse the value from the SOAP Header Elements?

Another possibility is to use basic http authentication. Is this supported by the platform? I don't seem to find any read-ups on it.

Any help is welcome. Perhaps there is another way to secure an exposed SOAP interface?

With the OutSystems Platform you can do both of those approaches. You can either add SOAP Headers or use HTTP Basic Authentication if you configure your application server accordingly.

However, in my point of view, simpler is better. Why not just use extra parameters to your authenticated methods?

Hi Roel, there is another option, use client certificates. Install the correct certificates on the server and on the clients that are allowed to access the server.

Kind regards, Remco

Client certificates are super-secure, but they are a royal hassle. You need to install them on every server in the client's farm...


Thanks for the responses.

@Remco, @Justin:
I don't think client certificates is the way to go for us, main reason is the installation of them on every client server (as Justin mentioned), that is not always in our reach.

Is there a difference security wise in adding the credentials to the body instead of adding them to the header? Or is there only a difference in preference and elegance?

A general question:
Is basic authentication by the application server more secure and better performance-wise?
- The request is blocked by the application server rather than the application
- The request isn't processed by the application when authentication fails

There is no security difference between adding the information to the headers or the body. It will be much easier to process if they are parameters on the OutSystems Platform side, and you can't create the WSDL with the header specification, so it will be a hidden contract.

Regarding basic authentication, it may be a bit better performance-wise, but you'll have to perform and maintain this configuration on the side (as the OutSystems Platform doesn't do it for you out of the box), so I'd say it's very likely not worth the hassle.
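The thread discusses three places a caller's credentials can arrive (a SOAP Header, extra parameters in the SOAP Body, or an HTTP Basic `Authorization` header) and the original question asks how to parse the header values on the receiving side. The following is an added example, not code from the original posts and not OutSystems platform code: it extracts the credentials from each of those three places and validates them with a constant-time comparison. The `app` namespace, the element names (`Credentials`, `Username`, `ApiKey`), the `API_KEYS` store and the sample requests are constructed assumptions.

```python
"""Added example: read caller credentials from a SOAP Header, from body
parameters, or from HTTP Basic Authentication, and validate them server-side.
The namespace, element names and the credential store below are assumptions."""
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical namespace for the application's own Credentials header/fields.
APP_NS = "http://example.invalid/auth"

# Constructed credential store (hypothetical): username -> expected API key.
# In a real deployment keep the keys hashed rather than in clear text.
API_KEYS = {"partner-a": "s3cr3t-key-for-a"}

# Constructed request 1: credentials carried in the SOAP Header.
SAMPLE_HEADER_AUTH = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:app="{APP_NS}">
  <soap:Header>
    <app:Credentials>
      <app:Username>partner-a</app:Username>
      <app:ApiKey>s3cr3t-key-for-a</app:ApiKey>
    </app:Credentials>
  </soap:Header>
  <soap:Body>
    <app:GetOrders><app:CustomerId>42</app:CustomerId></app:GetOrders>
  </soap:Body>
</soap:Envelope>"""

# Constructed request 2: credentials as extra parameters of the operation
# (the "simpler is better" option from the thread), here with a wrong key.
SAMPLE_BODY_AUTH = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:app="{APP_NS}">
  <soap:Body>
    <app:GetOrders>
      <app:Username>partner-a</app:Username>
      <app:ApiKey>wrong-key</app:ApiKey>
      <app:CustomerId>42</app:CustomerId>
    </app:GetOrders>
  </soap:Body>
</soap:Envelope>"""

# Constructed request 3: the same credentials as an HTTP Basic Authorization value.
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"partner-a:s3cr3t-key-for-a").decode()


def _child_text(parent, local_name):
    """Text of the <app:local_name> child of parent, or None if absent."""
    el = parent.find(f"{{{APP_NS}}}{local_name}")
    return el.text.strip() if el is not None and el.text else None


def credentials_from_soap(envelope_xml):
    """Return (username, api_key) from the SOAP Header if present, otherwise
    from the first operation element in the Body; (None, None) if neither."""
    root = ET.fromstring(envelope_xml)  # use defusedxml for untrusted input
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is not None:
        creds = header.find(f"{{{APP_NS}}}Credentials")
        if creds is not None:
            return _child_text(creds, "Username"), _child_text(creds, "ApiKey")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is not None and len(body):
        operation = body[0]
        return _child_text(operation, "Username"), _child_text(operation, "ApiKey")
    return None, None


def credentials_from_basic_auth(authorization_value):
    """Decode 'Basic <base64(user:secret)>' into (user, secret); (None, None) on error."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None, None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None, None
    user, sep, secret = decoded.partition(":")
    return (user, secret) if sep else (None, None)


def is_authorized(username, api_key):
    """Validate the pair against API_KEYS using a constant-time comparison."""
    if not username or not api_key:
        return False
    expected = API_KEYS.get(username)
    if expected is None:
        # Compare against a dummy so an unknown user costs the same time as a known one.
        hmac.compare_digest(b"x" * 32, api_key.encode())
        return False
    return hmac.compare_digest(expected.encode(), api_key.encode())


if __name__ == "__main__":
    for label, creds in (("header", credentials_from_soap(SAMPLE_HEADER_AUTH)),
                         ("body", credentials_from_soap(SAMPLE_BODY_AUTH)),
                         ("basic", credentials_from_basic_auth(SAMPLE_BASIC_HEADER))):
        print(label, creds, "authorized" if is_authorized(*creds) else "rejected")
```

Whichever of the three transports is chosen, the check itself is the same function, which is the practical side of the point made above that header and body placement do not differ in security. Basic Authentication sends the secret base64-encoded, not encrypted, so it only makes sense over TLS; and a SOAP Header contract that is absent from the WSDL still has to be documented for the callers out of band.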