Mobile client authentication at SOAP webservice / recommended procedure

Updated: 2024-10-23 19:19:31

I'm working on a client-server system where the client is an iPhone app that communicates with the backend via SOAP messages. Right now the client sends the username and password in the SOAP body with each request, which isn't good of course.

The solution to this needn't (in fact: can't) be too sophisticated, I just don't want to send the username and password around too much.

Would an "okay" solution be to let the client authenticate once with username/pw, then receive a token that is valid for say 1 hour and has to be sent with every request?

What would be the 'best practice' for this scenario? WS-Security?

Best answer

Using a security token valid for a certain period is pretty common practice. Sending credentials with each request is certainly not recommended.

You can refer to the following links for more details: https://softwareengineering.stackexchange.com/questions/83037/best-practices-for-expiration-of-tokens-in-a-security-token-service-sts

https://developers.google.com/accounts/docs/MobileApps

Published: 2023-08-07 01:32:00
Article link: https://www.elefans.com/category/jswz/34/1458440.html