Consider authentication of your web service to be like a door on your house. It needs to be wide enough to allow people to enter, but only if they've knocked first. Getting away from the cutesy analogies, authentication is the process of making sure that the person who is asking to use the web service is really the person that they claim to be. This is done by requiring the user (also known as the "principal") to provide a set of credentials. In return, they will receive a security token that can be used to access the server.

The credentials usually take the form of a user id and password. However, what is really required is everything necessary to uniquely identify the user. For example, in our sample web service, we require that a company code be supplied along with the user id and password. The reason for this additional information is that the data we use to rate a shipment is different for each company.
On the other hand, the security token that is returned is usually more conceptual than physical. It can take the form of a cookie placed on their browser, a session id stored on the serveror an actual string of characters. For our application, we are using a 33-character character string. The reason for our choice will be detailed later in this article. And before we get to that, let's look at the tools that are available to assist with the authentication process.