axis-java-user mailing list archives

From babloosony <>
Subject Re: WS Authentication & Authorization
Date Tue, 08 Feb 2005 14:00:27 GMT
Hi Christian,

There are 3 types of WS Security according to the WS Security
Specification. One is Authorization Token Mechanism (which is what you
need in your case), XML Encryption and XML Signatures.

Using Authorization Token, we can set the username and password in the
web service client program (may be Java or .NET) and this info will
be transmitted in SOAP Message headers which later can be validated at
the web service provider side. Though I didn't work much on it, this
mechanism is well supported in most IDEs like WSAD, JDeveloper,
JBuilder etc., wherein you have wizards that just smoothly allow you
to do this implementation.

Thanks & Regards,

On Tue, 8 Feb 2005 08:48:20 -0500, Faucher, Christian
<> wrote:
> Hi all, 
> I am working on a project that will expose a WS for B2B (u-uh buzzword
> here).  The server-side (our side) is Axis/Java, and the client side will be
> .NET (developed by another company).
> Our company already has a security framework in place, where incoming HTTP
> requests, from outside to internal secured portals and web sites, are
> intercepted in a DMZ.  The user is forced to authenticate himself, and the
> FW makes sure he has the right to access the destination site
> (authorization).
> We would like to reuse this framework for the WS project, where incoming 
> WS/HTTP(S) requests will be intercepted, the tool will "somehow" get the
> user/password, authenticate & authorize the user, then forward the request
> to the destination WS.  Since it is A2A/B2B, it is not possible to show a login
> page.  So the credentials must be transported along with the SOAP request to
> our WS methods.
> My questions:
> Is there such a concept of user/password authentication in interoperable
> SOAP/WSDL, apart from putting "user", "password" parameters in my WS
> interface's methods?  How about HTTP headers? 
> Does Axis support this?  I saw the note in the docs about the "sister
> project"? 
> Any other way we could use to achieve this transparent (and secure)
> transport of user credentials that are .NET/Axis compatible?
> Any help, pointers and links are appreciated.
> Best regards,
> Christian Faucher
> ________________________________
> "This e-mail message is confidential, for the exclusive use of the addressee
> and its contents shall not constitute a commitment by AXA, except as
> otherwise specifically provided in writing by AXA. Any unauthorized
> disclosure, use or dissemination, either whole or partial, is prohibited. If
> you are not the intended recipient of the message, please notify the sender
> immediately."
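
An added example, not part of the original thread and not Axis code: a provider-side check of a username and password carried in the SOAP header, as the reply describes. It assumes the credentials arrive as a WS-Security `UsernameToken` with a plain-text password over HTTPS in a SOAP 1.1 envelope; the class name, the `USERS` store and the sample message are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class UsernameTokenCheck {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed credential store; a real gateway would query its own user directory.
    static final Map<String, String> USERS = Map.of("partnerA", "s3cret-constructed");

    // Returns the authenticated user name, or null if the token is absent or wrong.
    static String authenticate(String soap) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Requests come from outside: refuse DTDs so the parser cannot be used for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(soap.getBytes(StandardCharsets.UTF_8)));
        // Accept the token only inside the single SOAP Header, and only one token.
        NodeList headers = d.getElementsByTagNameNS(SOAP, "Header");
        if (headers.getLength() != 1) return null;
        NodeList tokens = ((Element) headers.item(0)).getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return null;
        Element token = (Element) tokens.item(0);
        String user = text(token, "Username"), pass = text(token, "Password");
        if (user == null || pass == null) return null;
        byte[] expected = USERS.getOrDefault(user, "").getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not stop at the first differing byte.
        boolean ok = MessageDigest.isEqual(expected, pass.getBytes(StandardCharsets.UTF_8));
        return ok && USERS.containsKey(user) ? user : null;
    }

    static String text(Element parent, String name) {
        NodeList n = parent.getElementsByTagNameNS(WSSE, name);
        return n.getLength() == 1 ? n.item(0).getTextContent() : null;
    }

    public static void main(String[] args) throws Exception {
        String msg = "<soapenv:Envelope xmlns:soapenv='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
            + "<soapenv:Header><wsse:Security><wsse:UsernameToken>"
            + "<wsse:Username>partnerA</wsse:Username><wsse:Password>s3cret-constructed</wsse:Password>"
            + "</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>";
        System.out.println(authenticate(msg));                           // valid token
        System.out.println(authenticate(msg.replace("s3cret", "wrong"))); // wrong password
    }
}
```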
