Sunday, April 4, 2010

Good old Username Token authentication model for Web Services

Some practical documentation here:

and also an interesting podcast here

on X.509 PKI certificates and Username Token.

In a nutshell:

Kerberos and X.509 are brokered authentication: you present a token issued by a third party (a KDC ticket, a certificate signed by a CA) which vouches that you have already gone through an authentication process somewhere else.

Username Token is direct authentication: the client hands its own credentials (username plus password, in clear text or as a digest) straight to the service, which checks them against its own user store.

An X.509 token carries a certificate with a public key; the recipient can use that key to encrypt messages that only the holder of the matching private key, the certificate's subject, can decrypt.

The official OASIS documentation (interesting reading)

An example of a SOAP request with unencrypted Username token (thanks Tom Gullo, god bless your excellent recipes)

and encoded

(it's really verbose, oh my god, I wonder about the performance impact)
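The Username Token exchange described above, in its digested-password form, as an added example that is not part of the original post and not Tom Gullo's recipe: the client builds the wsse:UsernameToken header, and the server-side verifier recomputes the digest, enforces a freshness window on wsu:Created and caches nonces so a captured header cannot be replayed. The SOAP body, the `getQuote` operation, the credentials and the fixed clock in `demo()` are constructed for the example; the namespace URIs and the digest formula are the ones from the OASIS Username Token Profile 1.0.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces and type URIs from OASIS WSS 1.0 and the Username Token Profile 1.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), as the profile defines it.
    The nonce goes in as raw bytes, not in its Base64 form (a frequent interop bug)."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username, password, nonce=None, created=None):
    """Client side: a constructed SOAP body in an envelope whose header carries a
    wsse:UsernameToken with digested password, fresh nonce and creation timestamp."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getQuote xmlns="urn:example:quotes"><symbol>ACME</symbol></getQuote></soapenv:Body>
</soapenv:Envelope>"""


class UsernameTokenVerifier:
    """Server side. PasswordDigest forces the server to keep each cleartext password
    (a salted hash cannot reproduce the digest), so `passwords` maps user -> cleartext."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords, self.max_skew, self.seen = passwords, max_skew, set()

    def verify(self, envelope, now=None):
        now = now or datetime.now(timezone.utc)
        token = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return False
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if None in (username, pw_el, nonce_b64, created):
            return False
        if pw_el.get("Type") != PASSWORD_DIGEST:
            return False  # refuse PasswordText: that is the cleartext password on the wire
        try:
            created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False
        if created_at.tzinfo is None or abs(now - created_at) > self.max_skew:
            return False  # stale or future-dated: outside the replay window
        stored = self.passwords.get(username)
        if stored is None:
            return False
        expected = password_digest(nonce, created, stored).encode("ascii")
        if not hmac.compare_digest(expected, (pw_el.text or "").encode("utf-8")):
            return False
        if (username, nonce) in self.seen:
            return False  # same nonce inside the window: a replayed header
        self.seen.add((username, nonce))
        return True


def demo():
    """Fixed nonce and clock (constructed) so the outcome is repeatable."""
    nonce, created = bytes(range(16)), "2010-04-04T12:00:00Z"
    now = datetime(2010, 4, 4, 12, 0, 30, tzinfo=timezone.utc)
    req = build_request("alice", "s3cret", nonce=nonce, created=created)
    server = UsernameTokenVerifier({"alice": "s3cret"})
    return {
        "valid": server.verify(req, now=now),
        "replayed": server.verify(req, now=now),  # same header a second time
        "wrong_password": UsernameTokenVerifier({"alice": "nope"}).verify(req, now=now),
        "stale": UsernameTokenVerifier({"alice": "s3cret"}).verify(req, now=now + timedelta(hours=1)),
        "unknown_user": UsernameTokenVerifier({"bob": "s3cret"}).verify(req, now=now),
    }
```

Two caveats worth keeping in mind with this model. The digest only protects the password from a passive reader of one message; an attacker who captures the header can still brute-force the password offline against the nonce and timestamp, and without a nonce cache and a tight window on wsu:Created the whole header is replayable. So in practice the token still rides over TLS (or inside WS-Security encryption), and the digest variant mostly buys you not having to trust every intermediary with the clear password, at the cost of the server keeping cleartext-equivalent credentials.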

