SOAP application level authentication - how?!?
Posted By:   davout_davout
Posted On:   Tuesday, February 12, 2002 05:49 AM


I'm trying to design my first web services based application, and to that
end I've been looking at both Apache 'SOAP 2.2' and 'Axis'.

For this application I will have to implement an application level
authentication scheme where the end user has to connect/login before they can use any of the web services (i.e. there will be an app level authentication
web service that is part of the app level web services).

Looking at the various docs and online resources I can't seem to get a straight answer on how best to implement application level authentication within Java based web services.

My original plan had been to have the end user connect/login to the app web
services, and for the application authentication web service to return some form of ID token. For all subsequent soap calls the end user would include this token in the SOAP message header. Each web service method would as a first step check for the presence and validity of this header based ID token.

I couldn't employ this technique with Soap 2.2 as the latter doesn't give
the Java class access to the soap message. Does Axis solve this problem?

Can anybody help me out with some ideas on how to implement app level
authentication?

The options appear to be...

* Including authentication ID's as part of the soap message
* Making the first parameter in each soap class method an authentication ID
* What else?

TIA,

.... davout

P.S. my end product has to be compatible across all mainstream app servers,
so I can't use a proprietary Apache solution.

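The scheme davout describes (a login service hands out a token, every later call carries it in the SOAP Header, and each service method validates it first) can be implemented without any container-specific API, because the validation only needs the envelope XML. The following is an added example, not code from this thread or from Apache SOAP/Axis: it issues an HMAC-signed, expiring token and validates it from a SOAP Header element. The header namespace urn:example:auth, the element name AuthToken, the token layout user|expiry|signature and the demo key are all assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: HMAC-signed session token carried in a SOAP Header (not Apache SOAP/Axis code). */
public class SoapHeaderTokenAuth {
    private static final String SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/";
    private static final String APP_NS = "urn:example:auth";   // assumed application namespace
    private final byte[] serverKey;                             // secret known only to the server

    public SoapHeaderTokenAuth(byte[] serverKey) { this.serverKey = serverKey.clone(); }

    /** Login service result: user|expiryMillis|base64(HMAC(user|expiryMillis)). */
    public String issueToken(String user, long expiresAtMillis) throws Exception {
        if (user.indexOf('|') >= 0) throw new IllegalArgumentException("user name may not contain '|'");
        String payload = user + "|" + expiresAtMillis;
        return payload + "|" + Base64.getEncoder().encodeToString(hmac(payload));
    }

    /** First step of every service method: returns the authenticated user, or null to reject. */
    public String authenticate(String soapEnvelopeXml, long nowMillis) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(soapEnvelopeXml.getBytes(StandardCharsets.UTF_8)));
        NodeList headers = doc.getElementsByTagNameNS(SOAP_ENV, "Header");
        if (headers.getLength() == 0) return null;                        // no header at all
        NodeList tokens = ((Element) headers.item(0)).getElementsByTagNameNS(APP_NS, "AuthToken");
        if (tokens.getLength() != 1) return null;                         // exactly one token expected
        return verify(tokens.item(0).getTextContent().trim(), nowMillis);
    }

    /** Checks signature first (constant time), then expiry; anything malformed is rejected. */
    String verify(String token, long nowMillis) throws Exception {
        String[] parts = token.split("\\|", -1);
        if (parts.length != 3) return null;
        byte[] given;
        try { given = Base64.getDecoder().decode(parts[2]); } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(hmac(parts[0] + "|" + parts[1]), given)) return null;
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        return nowMillis < expiry ? parts[0] : null;
    }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // constructed demo key; a real deployment loads a random key from protected configuration
        SoapHeaderTokenAuth auth = new SoapHeaderTokenAuth("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String token = auth.issueToken("davout", now + 600_000);   // valid for ten minutes
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"" + SOAP_ENV + "\">"
            + "<soapenv:Header><a:AuthToken xmlns:a=\"" + APP_NS + "\">" + token + "</a:AuthToken></soapenv:Header>"
            + "<soapenv:Body><getOrders/></soapenv:Body></soapenv:Envelope>";
        System.out.println("valid token   -> " + auth.authenticate(envelope, now));
        System.out.println("expired token -> " + auth.authenticate(envelope, now + 700_000));
        System.out.println("tampered user -> " + auth.authenticate(envelope.replace("davout|", "admin|"), now));
    }
}
```

Because the token is signed with a key only the server holds, a client cannot change the user or extend the expiry without the signature failing, and the server keeps no session table. The token is a bearer credential, so it still has to travel over TLS, which also addresses the P.S.: nothing here depends on a particular app server.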

Re: SOAP application level authentication - how?!?

Posted By:   Keith_Rieck  
Posted On:   Tuesday, February 26, 2002 01:21 PM

You could use Basic Authentication with Apache SOAP. You could send the username and password for every method call, so you wouldn't need the token or separate login method.

The username and password are set on a
Call's transport object:

import java.net.URL;
import java.util.Vector;
import org.apache.soap.Constants;
import org.apache.soap.rpc.Call;
import org.apache.soap.rpc.Response;
import org.apache.soap.transport.http.SOAPHTTPConnection;

// Build the RPC call as usual
Call call = new Call();
call.setTargetObjectURI(SERVICE_NAMESPACE);
call.setMethodName(method);
call.setEncodingStyleURI(Constants.NS_URI_SOAP_ENC);
call.setParams(params);   // a java.util.Vector of org.apache.soap.rpc.Parameter

// The credentials go on the HTTP transport, not into the SOAP envelope;
// SOAPHTTPConnection sends them as an HTTP Basic "Authorization" header
SOAPHTTPConnection transport = new SOAPHTTPConnection();
transport.setUserName(_userName);
transport.setPassword(_password);
call.setSOAPTransport(transport);

// invoke() throws org.apache.soap.SOAPException on failure
Response resp = call.invoke(new URL(_serviceUrl), soapAction);
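The client side above sends the user name and password on every call as an HTTP Basic "Authorization" header; the part the answer leaves out is what the server has to do with it. The following is an added example, not code from this thread or from Apache SOAP: it decodes the Basic header, compares against a salted PBKDF2 hash in constant time, hashes even for unknown users so timing does not reveal valid names, and refuses the credential unless the container reports a TLS connection. The secureTransport flag stands in for whatever the container provides (for a servlet, ServletRequest.isSecure()); the user store and demo credential are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: server-side verification of the Basic credentials SOAPHTTPConnection sends. */
public class BasicAuthVerifier {
    private static final int ITERATIONS = 100_000;
    private static final byte[] DUMMY_SALT = new byte[16];     // used for unknown users (timing)
    private final Map<String, byte[]> salts = new HashMap<>();
    private final Map<String, byte[]> hashes = new HashMap<>();

    /** Provisioning: store a per-user salt and PBKDF2 hash, never the password itself. */
    public void addUser(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        salts.put(user, salt);
        hashes.put(user, pbkdf2(password, salt));
    }

    /**
     * Returns the authenticated user name, or null to reject.
     * secureTransport is the container's view of TLS (assumed, e.g. ServletRequest.isSecure());
     * Basic repeats the password on every call, so it is refused over plain HTTP.
     */
    public String authenticate(String authorizationHeader, boolean secureTransport) throws Exception {
        if (!secureTransport || authorizationHeader == null) return null;
        if (!authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try { raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim()); }
        catch (IllegalArgumentException e) { return null; }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 1 || colon == pair.length() - 1) return null;   // empty user or password
        String user = pair.substring(0, colon);
        char[] password = pair.substring(colon + 1).toCharArray();
        try {
            byte[] salt = salts.get(user);
            // Hash even when the user is unknown so response time does not leak valid names.
            byte[] computed = pbkdf2(password, salt != null ? salt : DUMMY_SALT);
            byte[] stored = hashes.get(user);
            boolean ok = stored != null && MessageDigest.isEqual(stored, computed);  // constant time
            return ok ? user : null;
        } finally {
            Arrays.fill(password, '\0');   // do not leave the cleartext password in memory
        }
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        BasicAuthVerifier v = new BasicAuthVerifier();
        v.addUser("davout", "correct horse".toCharArray());   // constructed demo credential
        String good = "Basic " + Base64.getEncoder().encodeToString("davout:correct horse".getBytes(StandardCharsets.UTF_8));
        String bad  = "Basic " + Base64.getEncoder().encodeToString("davout:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("good over TLS  -> " + v.authenticate(good, true));
        System.out.println("bad password   -> " + v.authenticate(bad, true));
        System.out.println("good, no TLS   -> " + v.authenticate(good, false));
    }
}
```

With Basic there is no separate login step or token to invalidate, which is why the answer can drop them; the trade-off is that the password itself crosses the wire on every call, so the TLS check is not optional, and the verifier above is the place where a per-user rate limit would be added.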

Re: SOAP application level authentication - how?!?

Posted By:   Joe_Pardi  
Posted On:   Wednesday, February 13, 2002 10:37 PM

I'm in the process of investigating this same issue.

From what I've read, there are a couple of ways to do it.

One new way is to embed SAML tags in your SOAP message. The SAML tags just specify the security credentials of the user. On the server side, the SAML tags are parsed and used to authenticate and authorize the user and the action to perform.


I believe server-side software will emerge very quickly to do precisely what I've described above. You shouldn't have to write this code. Netegrity makes a new product called TransactionMinder that will protect and authenticate users against their LDAP Policy store.

This subject needs more research and exploration. Not many people address it since it's the not-so-pretty aspect of Web Services.