Now that's secure...
-
So I'm working on this SOAP service, which needs to have a sort of two-layered security (according to specs). The first is basic authentication, which is, of course, a well known protocol (which I had to implement myself because Azure App Services doesn't support this because it checks the (on-premise) AD by default). The second is on message level, each request has an authentication token in the form of [username][divider][password]. Seems overkill, but alright. Except that the username and password for the basic authentication are hard-coded! :wtf: It seems I can set the password in the third party application (although that's not possible/allowed according to the specs), but the username is definitely hard-coded in the application :laugh: If the username is hard-coded, but the password isn't, all I can do is check if the supplied password matches any passwords in the database* and then check if the token in the message belongs to that password*. It's all rather clunky :laugh: So basically it's just authentication on message level with extra steps :doh: * Hashed, of course!
Best, Sander sanderrossel.com Continuous Integration, Delivery, and Deployment arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
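A worked version of the two-layer check Sander describes, as an added example that is not code from the original thread: the Basic-auth password is matched against the stored (salted, hashed) passwords, and the message-level [username][divider][password] token then has to resolve to that same account. The account store, the "|" divider, the hard-coded Basic username and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
DIVIDER = "|"  # assumed divider inside the message token: [username][divider][password]

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account store: username -> (salt, hash). Only hashes are kept.
_salts = {"alice": os.urandom(16), "bob": os.urandom(16)}
ACCOUNTS = {
    "alice": (_salts["alice"], hash_password("alice-secret", _salts["alice"])),
    "bob": (_salts["bob"], hash_password("bob-secret", _salts["bob"])),
}
def verify_password(username: str, password: str) -> bool:
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(hash_password(password, salt), stored)

def accounts_matching_password(password: str) -> list:
    # The Basic-auth username is hard-coded, so the password is the only signal;
    # with per-account salts every stored hash has to be tried.
    return [u for u in ACCOUNTS if verify_password(u, password)]

def basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def parse_basic_auth(header: str):
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(b64, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw

def authenticate(authorization_header: str, message_token: str):
    """Return the authenticated username, or None when either layer fails or they disagree."""
    creds = parse_basic_auth(authorization_header)
    if creds is None:
        return None
    candidates = accounts_matching_password(creds[1])  # Basic username ignored: hard-coded
    token_user, _, token_password = message_token.partition(DIVIDER)
    if token_user not in candidates or not verify_password(token_user, token_password):
        return None
    return token_user
```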
-
And you're sending passwords out over basic auth with every message. I mean, I'm sure it's over SSL, but still. That seems less secure than simply sending an auth token.
When I was growin' up, I was the smartest kid I knew. Maybe that was just because I didn't know that many kids. All I know is now I feel the opposite.
-
The auth token (which is basically just another set of a username and password, which they call token) is sent over the same line as the basic auth :D SSL goes without saying, it's part of the basic auth spec I believe (but even if it wasn't).
Best, Sander sanderrossel.com Continuous Integration, Delivery, and Deployment arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
This makes me glad i don't have to do this kind of thing for a living anymore. Don't take this personally, but I really want to hack your jobsite now.
When I was growin' up, I was the smartest kid I knew. Maybe that was just because I didn't know that many kids. All I know is now I feel the opposite.