Web 服务身份验证 - 最佳实践? [英] Web Services authentication - best practices?

问题描述

我们在生产中使用 SOAP Web 服务，这些服务依赖 SOAP 标头(包含普通客户端凭据)进行身份验证.WS 用于具有 .NET/Java/PHP/Python/C++ 客户端的异构环境，包括 Web 应用程序或桌面应用程序.

We have SOAP web services in production that are relying on SOAP Headers (containing plain client credentials) for the authentication. The WS are used in heterogeneous environments with .NET/Java/PHP/Python/C++ clients both web app or desktop app.

我们正在考虑为那些 WS 使用 v2，我想知道什么被视为 WS SOAP 身份验证的最佳实践?(相当安全，但易于在各种平台上操作).

We are considering a v2 for those WS and I am wondering what are considered as the best practices for WS SOAP authentication? (reasonably secure, yet easy to handle on a wide variety of platforms).

推荐答案

在各种平台上处理它的最简单方法是对传输层使用 HTTP 基本身份验证和 HTTPS.如果您的需求不仅仅是简单的用户名/密码，WS-Security 会很好，但平台之间的支持会有很大差异.每个体面的 SOAP 实现都支持 HTTP 身份验证.

The easiest way to handle it across a variety of platforms is to use HTTP basic authentication and HTTPS for the transport layer. WS-Security would be good if your needs go beyond simple username/password but the support is going to vary quite a bit between platforms. HTTP authentication is supported by every decent SOAP implementation.

这篇关于Web 服务身份验证 - 最佳实践?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！