Encrypted webservice authentication

2
It seems that Mendix webservices have to be called with plain text user data. That implies that the client that calls the web service has to store the user password in plain text. Is there a way to configure a webservice for encrypted password receiving? A work-around could be to provide the password as a String parameter on the web service and do the checks by myself. But it isn't a nice one.
asked
1 answers
5

For all intents and purposes encrypting the password client-side would be meaningless, 'cause then you would be able to log in with the encrypted password as if it were an unencrypted password (and the server would have to encrypt your encrypted string again to not store a 'plain' password in its database). Just the fact the password would look like some encrypted string instead of something readable doesn't make it safer.

What exactly are you afraid of? Someone reading the model being able to read the password? Or someone snooping your traffic? The latter you could circumvent by using https.

answered
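The answer's point, as an added example that is not part of the original thread and is not Mendix code: when the client sends a hash of the password, that hash is what the server accepts, so it has to be stored and transported with the same care as the password itself. The `Server` class, `client_encode` function, user name and password below are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os


def client_encode(password: str) -> str:
    """Hypothetical client-side step: send SHA-256(password) instead of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


class Server:
    """Hypothetical service that authenticates on whatever value arrives on the wire."""

    def __init__(self):
        self._db = {}  # user -> (salt, stored digest)

    @staticmethod
    def _stored_form(wire_value: str, salt: bytes) -> bytes:
        # The server hashes the received value again, so the database
        # does not hold the value that is accepted at login.
        return hashlib.pbkdf2_hmac("sha256", wire_value.encode(), salt, 50_000)

    def register(self, user: str, wire_value: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, self._stored_form(wire_value, salt))

    def login(self, user: str, wire_value: str) -> bool:
        if user not in self._db:
            return False
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, self._stored_form(wire_value, salt))


def demo() -> dict:
    server = Server()
    password = "correct horse battery staple"  # constructed sample value
    server.register("svc-client", client_encode(password))

    # The value stored in the calling client's configuration, and the value
    # visible on the wire when the call is not made over https.
    observed = client_encode(password)

    return {
        "legitimate_login": server.login("svc-client", client_encode(password)),
        # The observed value authenticates without anyone knowing the password.
        "observed_value_accepted": server.login("svc-client", observed),
        # The readable password is no longer what the server accepts.
        "readable_password_accepted": server.login("svc-client", password),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The credential has only changed shape: the stored client value still needs protecting at rest, and the call still needs https in transit.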