From: "Greg Michalopoulos"
Subject: RE: adding security to webservices in axis
Date: Fri, 29 Oct 2004 13:04:34 -0400

Check out wss4j from Apache (http://ws.apache.org/ws-fx/wss4j/). This is an implementation of the WS-Security spec. Documentation is a little weak at this point in time, but I was about to use the UsernameToken in the SOAP header and a password callback class to authenticate a user making a request. The spec outlines ways to encrypt and sign SOAP messages as well.

Greg

-----Original Message-----
From: Wagle, Shriniwas [mailto:Shriniwas_Wagle@sra.com]
Sent: Friday, October 29, 2004 10:23 AM
To: axis-user@ws.apache.org
Subject: RE: adding security to webservices in axis

We implemented security at the transport level using SSL with client-authentication. The good thing about this is the web services code does not have to deal with security related aspects at all. It works well, and in a predictable manner.

We had a binary level of security - either a client can invoke the web service or not. We didn't have tiered security or diff levels of authorization. Having to deal with that will complicate this solution. The negative aspect is the overhead in managing all the certs and keys floating around and ensuring the security policy is well understood and adhered to.

The latest JAX RPC comes with message level security. You might want to explore that but I believe the standardization in that area is not yet complete. So not sure about the level of interoperability needs on your project and the impact of using something non-standard.

-----Original Message-----
From: Marco Mistroni [mailto:mmistroni@waersystems.com]
Sent: Thursday, October 28, 2004 4:43 AM
To: axis-user@ws.apache.org
Subject: adding security to webservices in axis

Hello all,
I have a question for the axis mailing list. I would like to add security to my axis webservice, and I am looking for tips. What I want to avoid is going and modifying the web.xml in tomcat for adding users.

I am sure that there is at least someone on this list who came across this problem. Any hints will be appreciated.

Thanks in advance and regards
marco
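
The UsernameToken check mentioned in the reply at the top of this thread, sketched as an added example that is not part of the original messages and is not wss4j code. It assumes the PasswordDigest form of the WS-Security UsernameToken Profile and uses only JDK classes; the class name, the in-memory user store standing in for the password callback, and the five-minute freshness window are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;

// Added example (not wss4j code): server-side check of a UsernameToken whose
// PasswordDigest = Base64(SHA-1(nonce + created + password)).
public class UsernameTokenCheck {
    // Stand-in for the password callback: constructed user store (assumption).
    static final Map<String, String> PASSWORDS = Map.of("alice", "constructed-secret");
    static final Duration MAX_AGE = Duration.ofMinutes(5); // freshness window (assumption)
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);                                   // raw nonce bytes, not the Base64 text
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    static boolean verify(String user, String nonceB64, String created,
                          String presentedDigest, Instant now) throws Exception {
        String password = PASSWORDS.get(user);                // what the callback would supply
        if (password == null) return false;                   // unknown user
        try {
            Instant ts = Instant.parse(created);
            if (Duration.between(ts, now).abs().compareTo(MAX_AGE) > 0) return false; // stale
            String expected = digest(Base64.getDecoder().decode(nonceB64), created, password);
            return MessageDigest.isEqual(                     // constant-time comparison
                expected.getBytes(StandardCharsets.UTF_8), presentedDigest.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException | DateTimeException e) {
            return false;                                     // malformed nonce or timestamp
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed token values, as a client would place them in the SOAP header.
        String created = "2004-10-29T17:04:34Z";
        byte[] nonce = "constructed-nonce".getBytes(StandardCharsets.UTF_8);
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        String good = digest(nonce, created, "constructed-secret");
        Instant now = Instant.parse("2004-10-29T17:05:00Z");
        System.out.println("valid token:    " + verify("alice", nonceB64, created, good, now));
        System.out.println("wrong password: "
            + verify("alice", nonceB64, created, digest(nonce, created, "wrong"), now));
        System.out.println("stale token:    " + verify("alice", nonceB64, created, good, now.plusSeconds(3600)));
    }
}
```

The digest only proves knowledge of the password for that nonce and timestamp; a real service would also remember recently seen nonces to reject replays inside the freshness window, and would run over SSL or sign the message so the token cannot be lifted into another request.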