Results 1 to 4 of 4

Thread: Are seemingly plain text credentials secure in an XML message

  1. May 12th, 2011, 11:05 AM #1
    pgrimard
    pgrimard is offline Senior Member
    Join Date
    Nov 2009
    Location
    Montreal, Quebec
    Posts
    398

    Question Are seemingly plain text credentials secure in an XML message

    I'm building a web service consumer using Spring Integration. The web service provider requires that we login once a day to retrieve a session ID and use that for the rest of the day in all other service requests. What I find weird is the initial login service has us passing the credentials in XML like the following:

    Code:
    <login>
<param1>username</param1>
<param2>password</param2>
</login>
    It's the first web service consumer I write, but this seems insecure to me. Especially since the request is being made over normal http, not https. Could someone shed some light for me?

    Thanks
    Patrick Grimard

    http://ca.linkedin.com/in/patrickgrimard
    http://jpgmr.wordpress.com
    Reply With Quote Reply With Quote
  2. May 14th, 2011, 04:22 AM #2
    mada
    mada is offline Member
    Join Date
    Feb 2010
    Posts
    73

    Default

    AUthentification are sent normally through the soap:headers using ws-security oasis (google it ther is ton of doucmentation).
    It is in the headers because it is transversal, not specifing to an endpoint.

    With ws-security you can encrypt the password using various algorithm, signs it etc.
    And spring-ws has interceptors for that ease the pain

    You seems to want a stateful webservice instead of a stateless. This is NOT a best practice.you will NOT found any example for that in the spring documentation. You will meet issues like in a cluster environnement, the need to propagate the session used.

    If your need is to avoid for every request an authentification, you can use ehcache on the server side.I have use it already with spring-ws.
    With this, the authentification should be sent everytime for secured ws, and if you want, the server will really do the authentification on database, ldap or whatever just once in a day for a specific user.
    Need help on Spring WS ? Do you want to shift gears and build the architecture of your spring ws with half of the price that will be for your company ? I have worked on Spring Ws 1,5 year at full time and build around80 WS with full dao testing and integration tests with Soapui with Maven 2 on hudson
    Reply With Quote Reply With Quote
  3. May 14th, 2011, 06:32 AM #3
    pgrimard
    pgrimard is offline Senior Member
    Join Date
    Nov 2009
    Location
    Montreal, Quebec
    Posts
    398

    Default

    You misunderstood my question. I'm not providing the web service, I'm merely consuming one. I'm not trying to avoid authentication, I'm merely using the methods provided by the web service. I wanted to know if their methods are insecure and if I should be worried about my username/password being intercepted, and therefore the data too.
    Patrick Grimard

    http://ca.linkedin.com/in/patrickgrimard
    http://jpgmr.wordpress.com
    Reply With Quote Reply With Quote
  4. May 14th, 2011, 08:04 AM #4
    mada
    mada is offline Member
    Join Date
    Feb 2010
    Posts
    73

    Default

    of course they are insecure if it is send through http not https.
    But if you are on a private network & it is not a super important authentification like for bank stuff, why not.
    if you want to see the password sent for educational purpose, use wiresharks
    Need help on Spring WS ? Do you want to shift gears and build the architecture of your spring ws with half of the price that will be for your company ? I have worked on Spring Ws 1,5 year at full time and build around80 WS with full dao testing and integration tests with Soapui with Maven 2 on hudson
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules