How do I authenticate users with SOAP?
Will I have to require the user to send his username and password with every SOAP request and I authenticate him against the database?
Doesn't that seem to cause unnecessary queries?
SOAP is just as flexible as REST when it comes to protecting and authenticating a web service. WS-Security is the key extension that supports many authentication models including: basic username/password credentials, SAML, OAuth and more. A common way that SOAP API's are authenticated is via SAML Single Sign On (SSO).
Authentication standardsBasic/Digest/NTLM authentication - Uses HTTP headers to identify users. WS-Security SAML and Username Tokens - SOAP/XML based authentication, passes credentials and assertions in SOAP message headers, optionally signed and encrypted.
An easier way would be to authenticate on the first query, build a session record on the server side containing the remote IP address and a token that you give to the client as an authToken. Then have the client pass this authToken in future queries. This authToken has to match the internal session data you keep about the client, but would allow you to avoid having to make round-trips to the database just to do authentication.
That said, @Marcus Adams has a good point below with regard to stateless-ness. There are people out there pushing all sorts of SOAP security models. WS-Security is the current state of the art, here. They all work by putting authentication information in the SOAP header - after all, that's why a SOAP message contains both a header and a bodypart.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With