I'm not sure which authentication method I should use for my web service. I searched SO and did not find anything that helped me.
Preliminary
I am creating an application that downloads data from a local database to a server (my web service works), where all records are combined and stored in a central database. I am currently binary-serializing a DataTable, which contains a small fragment of the local database from which all uninteresting things have already been filtered out. Then the byte[] (the serialized DataTable), together with the user ID and the user's password hash, is uploaded to the web service via SOAP. The application, along with the web service, is already working exactly as intended.
Problem
The problem I'm thinking about right now is this: what if someone just sniffs the network traffic, steals the user ID and password hash, and sends his own SOAP message with changed data that corrupts my database?
Small update: don't misunderstand me: I'm not worried about syntax / validation. All the data entering the web service is of course checked, and I have tested it intensively. What I meant is that "attackers can semantically corrupt the database": for example, a user can only edit the entries he submitted himself. An attacker can take advantage of this fact, disguise himself as some user, and edit that user's uploaded data.
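An added example (not code from the question or its web service) of one way to address the sniffing and impersonation concern described above: each SOAP payload carries a per-user HMAC over the serialized bytes, user ID, timestamp and a fresh nonce, so a captured message can neither be replayed nor altered, and the user's secret itself never crosses the wire. The names (USER_KEYS, sign_request, Server) and the per-user secrets are assumptions made for the illustration.

```python
import hmac, hashlib, os, time, base64

# Constructed per-user secrets held only by the server and the client, e.g. a key
# derived from the password with a slow KDF at enrolment. Unlike a password hash
# sent in the message, this value is never transmitted and so cannot be sniffed.
USER_KEYS = {"alice": b"constructed-secret-for-alice"}
REPLAY_WINDOW_SECONDS = 300  # how far a timestamp may drift before rejection

def _canonical(user_id: str, timestamp: int, nonce: str, payload: bytes) -> bytes:
    # Everything the server acts on is covered by the MAC, so changing the
    # serialized DataTable, the user id, the time or the nonce breaks the signature.
    return b"\n".join([user_id.encode(), str(timestamp).encode(),
                       nonce.encode(), hashlib.sha256(payload).digest()])

def sign_request(user_id: str, payload: bytes, key: bytes, now=None, nonce=None) -> dict:
    """Client side: build the message the client would place in the SOAP body."""
    timestamp = int(time.time() if now is None else now)
    nonce = nonce or base64.b64encode(os.urandom(16)).decode()
    mac = hmac.new(key, _canonical(user_id, timestamp, nonce, payload), hashlib.sha256).hexdigest()
    return {"user_id": user_id, "timestamp": timestamp, "nonce": nonce,
            "payload": base64.b64encode(payload).decode(), "mac": mac}

class Server:
    """Server side: verifies signature, freshness and single use of each message."""
    def __init__(self):
        self.seen_nonces = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, msg: dict, now=None):
        now = int(time.time() if now is None else now)
        key = USER_KEYS.get(msg["user_id"])
        if key is None:
            return False, "unknown user"
        if abs(now - msg["timestamp"]) > REPLAY_WINDOW_SECONDS:
            return False, "stale timestamp"
        payload = base64.b64decode(msg["payload"])
        expected = hmac.new(key, _canonical(msg["user_id"], msg["timestamp"],
                                            msg["nonce"], payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):  # constant-time comparison
            return False, "bad signature"
        # Only authenticated messages reach the nonce cache, so junk cannot fill it.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= REPLAY_WINDOW_SECONDS}
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[msg["nonce"]] = msg["timestamp"]
        return True, "ok"
```

A sniffed message therefore only yields a one-time, time-limited, payload-bound token rather than a reusable credential; the transport should still be TLS so the payload itself is not disclosed.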