Authentication in Web services security

The authentication process determines whether a client is valid in a particular context. A client can be an end user, a machine, or an application.

The purpose of authentication is to gather all of the required information to uniquely identify a user. Generally, this information includes a user name for identification, and a password to verify that identity.

To secure a Web service you can add a stand alone security token (SAST) to ensure the authenticity of the service. For more information on Web services security and how to implement a SAST using the WebSphere® Application Server Toolkit, refer to the stand alone security token wizard task, listed below in the related links section. This wizard takes you through the steps for one of the primary forms of authentication: the client sends a user token along with its message to the Web service server. The server extracts the user name and password from the token and verifies that the user name and password combination is valid; only then does it accept and process the message. This form of identity assertion is known as basic authentication.
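The server-side check described above (extract the user name and password from the token, verify the pair, and only then process the message), as an added Python example that is not part of this page or of the WebSphere toolkit. It assumes the token is a WS-Security UsernameToken carrying a clear-text password, that the server keeps only salted password hashes, and uses a constructed sample request:

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Namespaces assumed by this example: SOAP 1.1 envelope and the OASIS WS-Security
# UsernameToken profile; the page itself does not name a token format.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}

def make_record(password: str) -> dict:
    """Store a salted PBKDF2 hash of the password, never the clear text."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison

DUMMY = make_record("placeholder")  # hashed for unknown users so lookup failures cost the same time

def extract_username_token(envelope: str):
    """Return (username, password) from wsse:UsernameToken, or None when the token is absent."""
    root = ET.fromstring(envelope)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    user = token.findtext("wsse:Username", namespaces=NS)
    pwd = token.findtext("wsse:Password", namespaces=NS)  # assumes the PasswordText form
    return (user, pwd) if user and pwd is not None else None

def authenticate(envelope: str, users: dict) -> bool:
    """Accept the message only when the token carries a valid user name/password pair."""
    creds = extract_username_token(envelope)
    if creds is None:
        return False  # no token: reject rather than process the request anonymously
    user, pwd = creds
    ok = verify_password(users.get(user, DUMMY), pwd)  # always hashes, even for unknown users
    return ok and user in users

# Constructed sample request (not from the page): a banking call carrying a token.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soapenv:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username><wsse:Password>s3cret</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soapenv:Header>
  <soapenv:Body><getBalance/></soapenv:Body>
</soapenv:Envelope>"""
USERS = {"alice": make_record("s3cret")}
```

A request with no Security header, an unknown user name, or a wrong password is rejected before the body is processed; only a valid pair returns True.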

Security risks of Web services with no authentication

Without authentication, any end user can send messages and have them accepted and processed by the server. The major security threat to unauthenticated Web services is spoofing: if a Web service has no authentication, an attacker can send modified SOAP messages to the service provider, and those messages could be used to access confidential information or to issue commands to the server (such as withdrawing money from an account in the case of a banking system).

Related concepts

Confidentiality in Web Services Security

Integrity in Web services security

SOAP

Web services