Web Services authentication - best practices?

Question

We have SOAP web services in production that are relying on SOAP Headers (containing plain client credentials) for the authentication. The WS are used in heterogeneous envir

Answer 1

If you have to roll it all yourself and can't use HTTPS, I'd suggest the hash-based UsernameToken portion of WS-Security. It's pretty secure and fairly easy to implement as long as your libraries have the hashing functions.

If you're doing web services, I wouldn't rely on HTTP for authentication.

WS-Security as a whole is way too big.