No question is silly or bad.
CXF itself provides no single sign-on capabilities, though one could
certainly try to implement one over CXF.
The challenge is to do it in a way that provides reasonable assurance
and protection from replay and man-in-the-middle attacks. The naive
approach is to grant the client a "cookie" by virtue of a login
event, and then for the client to present that cookie as "evidence"
of its identity. This way, the client is just using an opaque token
in lieu of otherwise sensitive security information. (I presume this
is what you mean by "single sign-on"). To do this, you need to lock
down your communications channels, presumably in your case, using
SSL. And you need to ensure that the dispensed cookies can't be
stolen or hijacked. That's a lot of trust you need to place in how
you deploy your infrastructure, and it only gets you so far.
The more compelling solution (IMO) is to use SSO technologies that
are already out there, such as Kerberos (which is arguably the most
deployed SSO solution going). But I'm guessing that's not what
you're after.
-Fred
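The "opaque token in lieu of credentials" scheme Fred describes, written out as an added example (this is not code from the thread or from CXF itself). It assumes a CXF service on Tomcat reached over HTTPS, a login operation named "login" that verifies credentials by whatever means the application already uses and then calls TokenStore.issue(), and a client that sends the returned token back in a hypothetical "X-Session-Token" HTTP header on every later request. The class, header, operation and property names are all assumptions.

```java
// Added example, not from the original thread or from the CXF project.
// Assumed: HTTPS transport, a "login" operation that calls TokenStore.issue(),
// and clients that send the token in the "X-Session-Token" header.
import java.security.SecureRandom;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

/** Server-side store of the opaque tokens handed out at login. */
final class TokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    // A short lifetime bounds how long a stolen token stays useful.
    private static final long TTL_MILLIS = 15 * 60 * 1000L;

    private static final class Entry {
        final String principal; final long expiresAt;
        Entry(String p, long e) { principal = p; expiresAt = e; }
    }
    private final Map<String, Entry> live = new ConcurrentHashMap<String, Entry>();

    /** Called by the login operation after the credentials have been verified. */
    public String issue(String principal) {
        byte[] raw = new byte[32];   // 256 random bits: unguessable and carries no information
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        String token = hex.toString();
        live.put(token, new Entry(principal, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }

    /** Returns the principal bound to the token, or null if it is unknown or expired. */
    public String principalFor(String token) {
        if (token == null) return null;
        Entry e = live.get(token);
        if (e == null) return null;
        if (System.currentTimeMillis() > e.expiresAt) { live.remove(token); return null; }
        return e.principal;
    }

    /** Explicit logout: a captured token stops working now rather than at expiry. */
    public void revoke(String token) { if (token != null) live.remove(token); }
}

/** CXF in-interceptor: every operation except login must carry a valid token over TLS. */
public class TokenInterceptor extends AbstractPhaseInterceptor<Message> {
    public static final String HEADER = "X-Session-Token";       // assumed header name
    public static final String PRINCIPAL_KEY = "sso.principal";  // assumed message property
    private final TokenStore store;

    public TokenInterceptor(TokenStore store) {
        super(Phase.PRE_INVOKE);   // operation is resolved, service method not yet called
        this.store = store;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        BindingOperationInfo op = message.getExchange().get(BindingOperationInfo.class);
        if (op != null && "login".equals(op.getName().getLocalPart())) {
            return;   // login presents real credentials, not a token
        }
        // Lock down the channel: without TLS the token is trivially sniffed and replayed.
        HttpServletRequest req =
            (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
        if (req == null || !req.isSecure()) {
            throw new Fault(new SecurityException("session token must be sent over HTTPS"));
        }
        Map<String, List<String>> headers =
            CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
        List<String> values = headers == null ? null : headers.get(HEADER);
        String token = (values == null || values.isEmpty()) ? null : values.get(0);
        String principal = store.principalFor(token);
        if (principal == null) {
            throw new Fault(new SecurityException("missing, unknown or expired session token"));
        }
        // Service code reads this instead of re-checking credentials on every message.
        message.put(PRINCIPAL_KEY, principal);
    }
}
```

Register the interceptor on the endpoint's in-interceptor chain and share one TokenStore between it and the login implementation. Note what this does and does not buy you, which is exactly Fred's caveat: the token is random and opaque, so it leaks nothing and cannot be forged, but anyone who obtains it (a compromised client, a proxy that terminates TLS, a logged header) can replay it until it expires or is revoked. The isSecure() check is the "lock down your communications channels" step; it does nothing against theft at either endpoint.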
On Sep 12, 2007, at 9:04 AM, Davide Gesino wrote:
Hi,
Maybe a silly or bad question, but...
Is there a way to have a single sign-on mechanism in CXF (in WS in
general), or do I have to check the user credentials each time for each message?
Is there a way to establish something similar to the HTTP session
between WS client and server?
In my app I have CXF deployed on Tomcat and the transport is HTTP.
David
--
View this message in context: http://www.nabble.com/WS-Security-Single-Sign-On-tf4429137.html#a12634942
Sent from the cxf-user mailing list archive at Nabble.com.