Webservice security - What is the best option?
I would like to secure our web services. However, I am not entirely sure how this is done. Needless to say that I am pretty new to this. Here is what I would like to have. I would like to authenticate the user against, let's say, a database/Active Directory or even a third-party authentication. Now if the user is authenticated, I would like to use a token or principal (machine specific) and send that to the web service. Is this possible? If yes, would the principal be sent out in clear text? Basically I am asking for guidance on how to implement security in web services.
If you're using WCF, then the default is to use the wsHttpBinding, which uses WS-Security. You then get to choose how to authenticate the user. I believe the default would be Windows authentication.
Read up on HTTP Digest Authentication. If you set the highest QOP and use client nonce values, it's quite nice.
Your question is missing some really important architectural details. If you're using REST, then you must use something like HTTP Digest. You might also want to use SSL.
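To make the Digest suggestion above concrete, here is an added example (not code from the question or either answer) of how a server checks a Digest response with qop=auth-int, a client nonce and a nonce count, following RFC 2617. The DigestVerifier class, the in-memory password store and the already-parsed header dictionary are assumptions made for illustration; issuing and expiring server nonces is left out.

```python
import hashlib
import hmac

REQUIRED = {"username", "uri", "nonce", "nc", "cnonce", "qop", "response"}

def _h(data: bytes) -> str:
    # RFC 2617 Digest uses MD5; RFC 7616 defines the same scheme with SHA-256.
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """Compute the 'response' field a client sends for qop=auth or auth-int."""
    ha1 = _h(f"{user}:{realm}:{password}".encode())
    if qop == "auth-int":
        # Highest QOP: the hash of the request body is bound into the digest.
        ha2 = _h(f"{method}:{uri}:{_h(body)}".encode())
    elif qop == "auth":
        ha2 = _h(f"{method}:{uri}".encode())
    else:
        raise ValueError("unsupported qop")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

class DigestVerifier:
    """Server-side check (hypothetical helper, not a library API)."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords   # constructed user -> password store
        self.last_nc = {}            # nonce -> highest nonce count accepted

    def verify(self, f, method, body=b""):
        # f holds the fields of an already-parsed Authorization header.
        if not REQUIRED <= f.keys() or f["username"] not in self.passwords:
            return False
        try:
            nc = int(f["nc"], 16)
        except ValueError:
            return False
        if nc <= self.last_nc.get(f["nonce"], 0):
            return False             # replayed or reordered request
        try:
            expected = digest_response(
                f["username"], self.realm, self.passwords[f["username"]],
                method, f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"], body)
        except ValueError:
            return False
        if not hmac.compare_digest(expected, f["response"]):
            return False
        self.last_nc[f["nonce"]] = nc
        return True
```

Only the hash crosses the wire, never the password, but the request and response bodies are still readable in transit unless SSL is used as well.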