johnjohn1231...
Participant
922 Points
871 Posts
Is my approach secure for implementing a one-time token in web services call
Nov 25, 2012 10:24 AM
Assuming that I have two systems (A & B) that I need to integrate with each other using web services. System A offers web services that retrieve different types of documents (images, Word docs, PDF, Excel, AutoCAD, etc.), so I am thinking of implementing the following security mechanism:
System B will send a request containing a username and password to system A asking for the one-time 64-char password.
System A will send a time-synchronized (based on the current date & time) one-time password or token containing 64 characters to system B.
System B will call system A's web services using the 64-character password.
System A will check if the 64-char password is valid.
System A will respond to system B's request.
System A will remove the 64-char password from the valid passwords (so in case system B or another system calls system A's web services using the previously generated 64-char password, the call will fail).
System A will generate a new 64-char password and send it to system B when needed.
System B calls system A's web service using the newly generated 64-char password.
So my question is: will this approach be secure, bearing in mind that I will implement the communication between the two systems under HTTPS, or can I implement a more reliable approach?
Hint: I thought of this approach since in this way I will be calling the web services that return the documents using JavaScript without being afraid of exposing the security tokens to end-users.
Best Regards
BrockAllen
All-Star
27530 Points
4905 Posts
MVP
Re: Is my approach secure for implementing a one-time token in web services call
Nov 25, 2012 03:07 PM
Why don't you just send the username/password on each request (over SSL)?
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
johnjohn1231...
Participant
922 Points
871 Posts
Re: Is my approach secure for implementing a one-time token in web services call
Nov 26, 2012 07:43 AM
Thanks for the reply, but I cannot guarantee that the password will be the same on the two systems, as each system will have its own username source, but I can guarantee that the username itself is the same. And to get some flexibility, I do not want to send any confidential info during the web service calls since all the web service calls will be done using JavaScript.
BrockAllen
All-Star
27530 Points
4905 Posts
MVP
Re: Is my approach secure for implementing a one-time token in web services call
Nov 26, 2012 02:13 PM
Ok, I'm slightly confused then. In your description you just talk about two systems calling each other. Now you're adding in a browser/JavaScript. I think you need to describe your situation in some more detail.
johnjohn1231...
Participant
922 Points
871 Posts
Re: Is my approach secure for implementing a one-time token in web services call
Nov 27, 2012 06:23 AM
Thanks for the reply. I have mentioned in my original question that I have two different systems which need to communicate with each other using web services and that I need to call the web services using JavaScript.
BrockAllen
All-Star
27530 Points
4905 Posts
MVP
Re: Is my approach secure for implementing a one-time token in web services call
Nov 27, 2012 01:51 PM
So for the service-to-service communication, using a password-based scheme makes sense.
For the JavaScript-to-service approach you either need to do a password-based scheme or look into something more elaborate like OAuth.