RE: Integrated Web Server Authentication

I would always proxy requests through an intermediate server facing the web. If you need to store credentials, do it as close to the data as possible. For instance, you can write an aspx, asp, jsp, or whichever technology you are using so that the end user doesn't see the request being sent to the back end server, just the part they need to modify. In this case, I would not even rely on this mechanism to hide the log on credentials. Instead, I would have a service running on the backend that receives requests from the web server, validates that they match the expected pattern, and then attaches the credentials to the request to be passed to the back end, and finally return the results to the web server.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Coyle, Stephen F.
Sent: Monday, July 06, 2009 7:12 AM
To: 'midrange-l@xxxxxxxxxxxx'
Subject: RE: Integrated Web Server Authentication

The service itself returns data from our purchasing module. The fear is that someone discovers the service is available and accesses it without authority. The request parameters are easily identified to figure out what's needed. I was hoping there was some way to configure the server that would make the user id visible to the web service without relying on any kind of client mechanism. I don't have any experience with the admin side of either the http or the app server so I was wondering what others have done who may have gone down this road.

Thanks...
- Steve
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.