There doesn’t seem to be a lot of consensus on adding authentication to web services. For example, here are the two ways advertised for Rack (the Ruby web server interface on which Sinatra is built):
Rack::Auth::Basic implements HTTP Basic Authentication, as per RFC 2617.
Initialize with the Rack application that you want protecting, and a block that checks if a username and password pair are valid.
Rack::Auth::Digest::MD5 implements the MD5 algorithm version of HTTP Digest Authentication, as per RFC 2617.
Initialize with the [Rack] application that you want protecting, and a block that looks up a plaintext password for a given username.
opaque needs to be set to a constant base64/hexadecimal string.
Oh. So I can send the password across the net in plain text (Basic), but at least I can avoid storing it in plain text, because Rack::Auth::Basic hands my block the plaintext and I can hash it and compare against the stored hash. Or I can keep the password off the wire (Digest sends an MD5 hash derived from it rather than the password itself), but because Rack::Auth::Digest::MD5 asks my block for the plaintext password, I have to keep the passwords in clear text in the database.
Actually you can use hashed passwords with Digest too: there is a passwords_hashed property (set it and your block returns the MD5 of username:realm:password, RFC 2617’s H(A1), instead of the password), but you only find this out by reading the source code.
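To make the two credential-store shapes concrete, here is an added example (mine, not Rack’s code and not from the original post) that builds lookup blocks with the same signatures the Rack docs above describe: a |username, password| check for Basic, backed by a salted PBKDF2 hash, and a |username| lookup for Digest that returns RFC 2617’s H(A1) as the passwords_hashed mode expects. It also runs the RFC 2617 response computation for both the client and the server so you can see that the server side needs nothing but H(A1). The realm, the user alice and the password s3cret are constructed for the demo; the block does not require the rack gem.

```ruby
require 'digest/md5'
require 'openssl'
require 'securerandom'

# Added example (not Rack's own code). Realm and credentials are constructed.
REALM = 'example.org'.freeze

# Constant-time comparison so a wrong guess is not distinguishable by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# ---- Basic: the block receives the plaintext, so the store can hold a salted,
# ---- deliberately slow hash (PBKDF2-HMAC-SHA256 here; bcrypt/argon2 are better still).
def pbkdf2(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                           length: 32, hash: 'sha256')
end

ALICE_SALT = SecureRandom.random_bytes(16)
BASIC_STORE = { 'alice' => { salt: ALICE_SALT, hash: pbkdf2('s3cret', ALICE_SALT) } }.freeze

# Same signature as the block handed to Rack::Auth::Basic: |username, password| -> bool
BASIC_CHECK = lambda do |username, password|
  rec = BASIC_STORE[username]
  return false unless rec
  secure_equal?(rec[:hash], pbkdf2(password, rec[:salt]))
end

# ---- Digest: the server never sees the plaintext, only RFC 2617's H(A1),
# ---- which is MD5("username:realm:password"). That is the value the
# ---- Rack::Auth::Digest::MD5 block returns when passwords_hashed is set.
def ha1(username, realm, password)
  Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
end

DIGEST_STORE = { 'alice' => ha1('alice', REALM, 's3cret') }.freeze

# Same signature as the Digest block with passwords_hashed = true: |username| -> H(A1) or nil
DIGEST_LOOKUP = ->(username) { DIGEST_STORE[username] }

# RFC 2617 response for qop=auth: MD5(H(A1):nonce:nc:cnonce:qop:H(A2))
def digest_response(ha1_hex, method, uri, nonce, nc, cnonce)
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1_hex}:#{nonce}:#{nc}:#{cnonce}:auth:#{ha2}")
end

# Client side: starts from the plaintext password it holds.
def client_response(username, password, method, uri, nonce, nc, cnonce)
  digest_response(ha1(username, REALM, password), method, uri, nonce, nc, cnonce)
end

# Server side: verifies with nothing but the stored H(A1).
def server_verify(username, method, uri, nonce, nc, cnonce, response)
  stored = DIGEST_LOOKUP.call(username)
  return false unless stored
  secure_equal?(digest_response(stored, method, uri, nonce, nc, cnonce), response)
end

if $PROGRAM_NAME == __FILE__
  nonce, nc, cnonce = SecureRandom.hex(16), '00000001', SecureRandom.hex(8)
  resp = client_response('alice', 's3cret', 'GET', '/secret', nonce, nc, cnonce)
  puts "digest ok: #{server_verify('alice', 'GET', '/secret', nonce, nc, cnonce, resp)}"
  puts "basic ok:  #{BASIC_CHECK.call('alice', 's3cret')}"
  # The caveat: a leaked H(A1) is a password equivalent; no cracking needed.
  forged = digest_response(DIGEST_STORE['alice'], 'GET', '/secret', nonce, nc, cnonce)
  puts "leaked H(A1) authenticates: #{server_verify('alice', 'GET', '/secret', nonce, nc, cnonce, forged)}"
end
```

Two things worth noticing. First, "hashed" means something different in the two stores: the Basic store holds a salted, slow hash that an attacker who steals the database still has to crack, whereas the Digest store holds H(A1), an unsalted fast MD5 that is bound to the realm and, as the last lines of the example show, lets whoever steals it authenticate directly without ever learning the password. Second, Digest only keeps the password itself off the wire; it does nothing about an attacker who can read or modify the rest of the exchange, so in practice both schemes need TLS underneath them anyway.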
You see, this is where Microsoft wins, on two counts:
- Although many more lines of code are needed to implement authentication in a WCF service (check this compared to this), it is at least documented.
- Although you can’t do digest authentication with WCF properly, in most cases I would be running on IIS and use Windows security, and I wouldn’t need to handle authentication at all in my application. When a user leaves, the sysadmin just disables their Windows login. That’s it.