Hi Christian,

We also have something similar going on. Our application exposes APIs and we don't want our clients to go through a log-in page if they are valid users.

There is something known as pre-authentication, but it requires a lot of prerequisites. Here's a link to it

- Is there such a concept of user/password authentication in interoperable SOAP/WSDL, apart from putting "user", "password" parameters in my WS interface's methods? How about HTTP headers?

I think you meant SOAP headers. If that's the case, then both Java and .NET clients can interpret and take action on the SOAP header.

- Does Axis support this? I saw the note in the docs about the "sister project"?

I think so, but I am not very sure.

- Any other way we could use to achieve this transparent (and secure) transport of user credentials that is .NET/Axis compatible?

Yes, SOAP headers can do justice.

I hope that helps.

Sunil Kothari

----- Original Message -----
Sent: Tuesday, February 08, 2005 7:18 PM
Subject: WS Authentication & Authorization

Hi all,

I am working on a project that will expose a WS for B2B (u-uh buzzword here). The server-side (our side) is Axis/Java, and the client side will be .NET (developed by another company).

Our company already has a security framework in place, where incoming HTTP requests, from outside to internal secured portals and web sites, are intercepted in a DMZ. The user is forced to authenticate himself, and the FW makes sure he has the right to access the destination site (authorization).

We would like to reuse this framework for the WS project, where incoming WS/HTTP(S) requests will be intercepted, the tool will "somehow" get the user/password, authenticate & authorize the user, then forward the request to the destination WS. Since it is A2A/B2B, it is not possible to show a login page. So the credentials must be transported along with the SOAP request to our WS methods.

My questions:

- Is there such a concept of user/password authentication in interoperable SOAP/WSDL, apart from putting "user", "password" parameters in my WS interface's methods? How about HTTP headers?
- Does Axis support this? I saw the note in the docs about the "sister project"?
- Any other way we could use to achieve this transparent (and secure) transport of user credentials that is .NET/Axis compatible?

Any help, pointers and links are appreciated.

Best regards,

Christian Faucher
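
An added example, not part of either message and not Axis or .NET code: the intercepting gateway described in the original question, written in Python, on the assumption that the SOAP header carrying the credentials is a WS-Security UsernameToken. The user store, service path, function names and sample envelope are constructed for the illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: name -> (salt, password hash, services the user may call).
USERS = {"partner-a": (b"demo-salt", pw_hash("s3cret-demo", b"demo-salt"), {"/ws/Quotes"})}

# Constructed request, as a .NET or Axis client would send it.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}">
 <s:Header><wsse:Security><wsse:UsernameToken>
  <wsse:Username>partner-a</wsse:Username>
  <wsse:Password>s3cret-demo</wsse:Password>
 </wsse:UsernameToken></wsse:Security></s:Header>
 <s:Body><getQuote xmlns="urn:example:quotes"/></s:Body>
</s:Envelope>""".encode()

class Rejected(Exception):
    """Request refused before it reaches the internal web service."""

def intercept(body, path, over_tls):
    """Authenticate and authorize; return (user, envelope without credentials)."""
    if not over_tls:  # the token carries a cleartext password
        raise Rejected("UsernameToken accepted over HTTPS only")
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:  # SOAP messages carry no DTD
        raise Rejected("DTD not allowed")
    try:
        env = ET.fromstring(body)
    except ET.ParseError:
        raise Rejected("malformed XML")
    header = env.find(f"{{{SOAP}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    token = security.find(f"{{{WSSE}}}UsernameToken") if security is not None else None
    if token is None:
        raise Rejected("no UsernameToken in SOAP header")
    user = token.findtext(f"{{{WSSE}}}Username", "")
    password = token.findtext(f"{{{WSSE}}}Password", "")
    salt, stored, services = USERS.get(user, (b"none", b"", set()))
    if not hmac.compare_digest(pw_hash(password, salt), stored):
        raise Rejected("authentication failed")
    if path not in services:
        raise Rejected("not authorized for " + path)
    header.remove(security)  # never forward the password to the internal WS
    return user, ET.tostring(env)
```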