
  • Are seemingly plain text credentials secure in an XML message

    I'm building a web service consumer using Spring Integration. The web service provider requires that we login once a day to retrieve a session ID and use that for the rest of the day in all other service requests. What I find weird is the initial login service has us passing the credentials in XML like the following:

    It's the first web service consumer I've written, but this seems insecure to me, especially since the request is being made over plain HTTP, not HTTPS. Could someone shed some light on this for me?


  • #2
    Authentication is normally sent through the soap:headers using WS-Security from OASIS (Google it; there is a ton of documentation).
    It is in the headers because it is cross-cutting, not specific to an endpoint.

    With WS-Security you can encrypt the password using various algorithms, sign it, etc.
    And Spring-WS has interceptors for that which ease the pain.

    You seem to want a stateful web service instead of a stateless one. This is NOT a best practice; you will NOT find any example of that in the Spring documentation. You will run into issues, for instance in a cluster environment, where the session used needs to be propagated.

    If what you need is to avoid authentication on every request, you can use Ehcache on the server side. I have already used it with Spring-WS.
    With this, the authentication should still be sent every time for a secured WS, and if you want, the server will really do the authentication against a database, LDAP or whatever just once a day for a specific user.


    • #3
      You misunderstood my question. I'm not providing the web service, I'm merely consuming one. I'm not trying to avoid authentication, I'm merely using the methods provided by the web service. I wanted to know if their methods are insecure and if I should be worried about my username/password being intercepted, and therefore the data too.


      • #4
        Of course they are insecure if they are sent over HTTP, not HTTPS.
        But if you are on a private network and it is not a super important authentication, like for bank stuff, why not.
        If you want to see the password being sent, for educational purposes, use Wireshark.
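The two points made in this thread, that a plaintext login over HTTP is readable by anyone on the path (#4) and that WS-Security's UsernameToken avoids putting the password itself on the wire (#2), are shown together below. This is an added example, not code from the original posts or from Spring-WS; the endpoint, element names and credentials in the constructed capture are hypothetical, since the original XML was not reproduced on the page. The WS-Security part implements only the UsernameToken PasswordDigest (Base64(SHA-1(nonce + created + password)) from the OASIS UsernameToken Profile), not the signing or encryption #2 also mentions.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Callable, Optional
import xml.etree.ElementTree as ET

# Constructed sample: what a packet capture of the daily login request looks like
# when it travels over plain HTTP. Hypothetical endpoint and credentials.
_LOGIN_BODY = "<login><username>svc_user</username><password>Hunter2!</password></login>"
CAPTURED_LOGIN_REQUEST = (
    "POST /ws/login HTTP/1.1\r\n"
    "Host: provider.example\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    f"Content-Length: {len(_LOGIN_BODY)}\r\n"
    "\r\n" + _LOGIN_BODY
)


def credentials_from_capture(raw_http: str) -> dict:
    """Split a captured HTTP request at the blank line and pull the credential
    elements out of the XML body. This is all a passive observer has to do."""
    head, _, body = raw_http.partition("\r\n\r\n")
    root = ET.fromstring(body)
    return {
        "request_line": head.split("\r\n", 1)[0],
        "username": root.findtext("username"),
        "password": root.findtext("password"),
    }


WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken PasswordDigest: Base64(SHA-1(nonce + created + password)),
    with the nonce as raw bytes and created/password as UTF-8 text."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def username_token(username: str, password: str,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Build the wsse:Security header a client would send instead of the plain
    <password> element. A fresh nonce and timestamp are used unless supplied."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        "<wsse:UsernameToken>"
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_ENC}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
    )


def verify_username_token(header_xml: str, lookup_password: Callable[[str], str]) -> bool:
    """Server side: recompute the digest from the stored password and the nonce
    and timestamp in the token. A real server must also reject reused nonces
    and stale Created values, which this minimal check leaves out."""
    ns = {"wsse": WSSE_NS, "wsu": WSU_NS}
    tok = ET.fromstring(header_xml).find("wsse:UsernameToken", ns)
    user = tok.findtext("wsse:Username", namespaces=ns)
    sent_digest = tok.findtext("wsse:Password", namespaces=ns)
    nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=ns))
    created = tok.findtext("wsu:Created", namespaces=ns)
    expected = password_digest(nonce, created, lookup_password(user))
    return hmac.compare_digest(expected, sent_digest)


if __name__ == "__main__":
    seen = credentials_from_capture(CAPTURED_LOGIN_REQUEST)
    print("observer recovered from HTTP capture:", seen)
    token = username_token("svc_user", "Hunter2!")
    print("password literally present in WS-Security header:", "Hunter2!" in token)
    print("server accepts token:", verify_username_token(token, lambda u: "Hunter2!"))
```

Two caveats a practitioner should keep in mind. First, the digest only hides the password itself: an observer who captures nonce, Created and digest can still guess weak passwords offline, and can replay the token until the server's timestamp window closes. Second, nothing above protects the session ID that the thread's provider hands back and that every later request carries for the rest of the day; on plain HTTP that value is as exposed as the password was, so TLS remains the actual fix for the situation the original poster describes.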