Hi, I have been looking at the Rampart security add-in for Axis2 and I have some concerns.

Let's just take UsernameToken for example. If I set my service to require a UsernameToken digest as follows:

    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>myCBHandler</passwordCallbackClass>
      </action>
    </parameter>

At runtime my service's callback will be passed the invoking user's name (pulled from the SOAP header). It is my understanding that the callback should return the user's password, at which time Rampart can recreate the digest and compare it against the digest that was passed by the invoking client. Is this correct?

If so, I do not know any real-world security system that will allow a service to obtain a clear-text password. I do not think it is plausible for a service to obtain such information.

I was really hoping that Rampart would do something like WebSphere. If I configure a web service in WebSphere to require a UsernameToken, it will handle the entire authentication process (based on the configured AuthenticationProvider) and only call into the web service implementation operation if authentication is successful. At that point, the web service can get the authenticated user principal out of the ServiceEndpointContext and perform authorizations based on that principal. Services really are not going to want to perform their own authentication processing. They will want to leverage this value from the container.

Please comment. Thanks.

Tony Dean
SAS Institute Inc.
919.531.6704
[EMAIL PROTECTED]
SAS... The Power to Know
http://www.sas.com
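The digest check the question describes, written out as an added example (not code from the original post or from Rampart itself): the WS-Security UsernameToken PasswordDigest is Base64(SHA-1(nonce || created || password)), so the verifying side has to obtain the same clear-text password the client used. The function and store names, and the user/password pair, are constructed for illustration.

```python
import base64
import datetime
import hashlib
import hmac
import os


def wss_password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security UsernameToken PasswordDigest:
    Base64(SHA-1(nonce + created + password)), where nonce is the raw
    octets that the Base64-encoded <wsse:Nonce> element carries."""
    nonce = base64.b64decode(nonce_b64)
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def client_build_token(username: str, password: str) -> dict:
    """Client side: fresh random nonce, current timestamp, digest over them."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "PasswordDigest": wss_password_digest(nonce_b64, created, password),
    }


# Constructed sample credential store standing in for whatever the
# passwordCallbackClass would consult; it has to hold (or be able to
# produce) the clear-text password, which is the concern raised above.
PASSWORD_STORE = {"alice": "s3cret"}


def password_callback(username: str):
    """Hypothetical stand-in for the Rampart callback: returns the
    clear-text password for the named user, or None if unknown."""
    return PASSWORD_STORE.get(username)


def server_verify_token(token: dict) -> bool:
    """Server side: recompute the digest from the token's nonce and
    timestamp plus the stored password, then compare in constant time."""
    password = password_callback(token["Username"])
    if password is None:
        return False
    expected = wss_password_digest(token["Nonce"], token["Created"], password)
    return hmac.compare_digest(expected, token["PasswordDigest"])
```

A production verifier would additionally reject stale Created timestamps and replayed nonces; this example shows only the digest recomputation that forces the password to be available in clear text.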