axis-java-user mailing list archives

From "Sunil Kothari" <sunil.koth...@majoris.com>
Subject Re: WS Authentication & Authorization
Date Wed, 09 Feb 2005 14:51:41 GMT
Hi Christian,
  We also have something similar going on.  Our application exposes APIs and we don't want
our clients to go through a log-in page if they are valid users. 

There is something known as pre-authentication, but it requires a lot of prerequisites. Here's
a link to it:
http://weblogs.asp.net/feroze_daud/archive/2004/07/12/180856.aspx

  a.. Is there such concept of user/password authentication in interoperable SOAP/WSDL, apart
from putting a "user", "password" parameters to my WS interface's methods?  How about HTTP
headers? 
I think you meant SOAP headers. If that's the case, then both Java and .NET clients can interpret
and take actions against the SOAP header.
  a.. Does Axis support this?  I saw the note in the docs about the "sister project"?
I think so, but I am not very sure.
  a.. Any other way we could use to achieve this transparent (and secure) transport of user
credentials that are .NET/Axis compatible?
Yes, SOAP headers can do justice. 

I hope that helps.
Sunil Kothari

  ----- Original Message ----- 
  From: Faucher, Christian 
  To: axis-user@ws.apache.org 
  Sent: Tuesday, February 08, 2005 7:18 PM
  Subject: WS Authentication & Authorization


  Hi all, 

  I am working on a project that will expose a WS for B2B (u-uh buzzword here).  The server-side
(our side) is Axis/Java, and the client side will be .NET (developed by another company).

  Our company already has a security framework in place, where incoming HTTP requests, from
outside to internal secured portals and web sites, are intercepted in a DMZ.  The user is
forced to authenticate himself, and the FW makes sure he has the right to access the destination
site (authorization).

  We would like to reuse this framework for the WS project, where incoming WS/HTTP(S) requests
will be intercepted, the tool will "somehow" get the user/password, authenticate & authorize
the user, then forward the request to the destination WS.  Since it is A2A/B2B, it is not possible
to show a login page.  So the credentials must be transported along with the SOAP request
to our WS methods.

  My questions:
    a.. Is there such concept of user/password authentication in interoperable SOAP/WSDL,
apart from putting a "user", "password" parameters to my WS interface's methods?  How about
HTTP headers? 
    b.. Does Axis support this?  I saw the note in the docs about the "sister project"? 
    c.. Any other way we could use to achieve this transparent (and secure) transport of user
credentials that are .NET/Axis compatible?
  Any help, pointers and links are appreciated.

  Best regards,

  Christian Faucher
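
Added example, not part of the original thread and not Axis or .NET project code: a sketch of how an intercepting gateway like the one described above could read credentials from a SOAP header before forwarding the request. It assumes the header uses the WS-Security UsernameToken layout (the thread only says "SOAP headers") and SOAP 1.1; the class name, sample operation and credentials are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SoapHeaderCredentials {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Returns {username, password} from the SOAP header, or null if absent or malformed. */
    static String[] extract(byte[] envelope) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The envelope arrives from an unauthenticated caller: refuse DOCTYPEs (XXE, entity expansion).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(envelope));
        // Accept exactly one soap:Header, and only as a direct child of the envelope,
        // so a look-alike header smuggled into the Body is never trusted.
        NodeList headers = doc.getElementsByTagNameNS(SOAP, "Header");
        if (headers.getLength() != 1
                || headers.item(0).getParentNode() != doc.getDocumentElement()) return null;
        Element header = (Element) headers.item(0);
        NodeList tokens = header.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return null; // fail closed on missing or duplicated tokens
        Element token = (Element) tokens.item(0);
        NodeList u = token.getElementsByTagNameNS(WSSE, "Username");
        NodeList p = token.getElementsByTagNameNS(WSSE, "Password");
        if (u.getLength() != 1 || p.getLength() != 1) return null;
        // A plain-text password in the header is only protected if the transport is HTTPS.
        return new String[] { u.item(0).getTextContent().trim(), p.item(0).getTextContent() };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request; "getQuote" and the credentials are made up.
        String xml =
            "<soap:Envelope xmlns:soap='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
          + "<soap:Header><wsse:Security><wsse:UsernameToken>"
          + "<wsse:Username>partner01</wsse:Username>"
          + "<wsse:Password>example-only</wsse:Password>"
          + "</wsse:UsernameToken></wsse:Security></soap:Header>"
          + "<soap:Body><getQuote/></soap:Body></soap:Envelope>";
        String[] c = extract(xml.getBytes(StandardCharsets.UTF_8));
        System.out.println(c == null ? "no credentials" : "user=" + c[0]);
    }
}
```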
