Secured authentication in web service?

If your service is point to point, SSL is enough. Mutual SSL (Mutual_authentication) is widely used for client authN and authZ. If you are concerned about the performance of the system, look at SAML.

SAML is a signed XML document that contains authN and authZ for the client, which means you do not need to look up the client's authN and authZ on the server.

My system is an end-to-end solution. At the client side there may be many users using the same computer, each with different privileges. So I think a "log in" method should be provided to the client even though it's rarely mentioned on the Internet.

– longbkit Aug 5 at 14:58.

Your scenario mirrors that of eBay's Trading API (developer.ebay.com/DevZone/xml/docs/Refe...). Basically, it works as follows. Provide an initial WS call (in eBay's case: FetchToken) which confirms the user's identity and returns an authorization key (a unique key for each logged-in user).

Store the authorization key along with user profile information in a cache/distributed cache. Any subsequent call requires the client to pass the authorization key along with the data for the call. You will use the authorization key to get the user profile information.

Provide a log out WS call. This invalidates the authorization key. All the WS invocations should happen over SSL for security.
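The flow described in this answer (an initial call that verifies identity and returns a per-login authorization key, a cache lookup of that key on every subsequent call, and a log out call that invalidates it), as an added Python example that is not part of the original answer or of eBay's API; the user table, the function names, and the one-hour key lifetime are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed user table (illustration only): username -> salted PBKDF2 hash and role.
def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
USERS = {
    "alice": {"salt": _SALT, "hash": _pw_hash(_SALT, "correct horse"), "role": "admin"},
    "bob":   {"salt": _SALT, "hash": _pw_hash(_SALT, "hunter2"),       "role": "viewer"},
}

TOKEN_TTL = 3600   # seconds a key stays valid if the client never logs out (assumed)
_SESSIONS = {}     # the "cache": authorization key -> {"user", "role", "expires"}

def fetch_token(username: str, password: str) -> Optional[str]:
    """Initial WS call: confirm identity, return a fresh unique key for this login."""
    rec = USERS.get(username)
    if rec is None:
        return None
    # Constant-time comparison so a wrong password does not leak timing information.
    if not hmac.compare_digest(rec["hash"], _pw_hash(rec["salt"], password)):
        return None
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _SESSIONS[token] = {"user": username, "role": rec["role"],
                        "expires": time.time() + TOKEN_TTL}
    return token

def profile_for(token: str) -> Optional[dict]:
    """Resolve a key to the cached profile; unknown or expired keys are rejected."""
    sess = _SESSIONS.get(token)
    if sess is None:
        return None
    if sess["expires"] < time.time():
        _SESSIONS.pop(token, None)             # stale key: drop it from the cache
        return None
    return sess

def get_orders(token: str) -> Optional[list]:
    """A subsequent WS call: the key, not a username, identifies the caller."""
    sess = profile_for(token)
    if sess is None:
        return None
    return [f"order-for-{sess['user']}"]

def logout(token: str) -> bool:
    """Log out WS call: invalidate the key so it cannot be reused afterwards."""
    return _SESSIONS.pop(token, None) is not None
```

Because several users share one client machine, each login gets its own key and each logout removes only that key, so one user leaving does not affect another's session.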

