Hi all,

I am working on a project that will expose a WS for B2B (u-uh buzzword here). The server-side (our side) is Axis/Java, and the client side will be .NET (developed by another company).

Our company already has a security framework in place, where incoming HTTP requests, from outside to internal secured portals and web sites, are intercepted in a DMZ. The user is forced to authenticate himself, and the FW makes sure he has the right to access the destination site (authorization).
We would like to reuse this framework for the WS project, where incoming WS/HTTP(S) requests will be intercepted, the tool will "somehow" get the user/password, authenticate & authorize the user, then forward the request to the destination WS. Since it is A2A/B2B, it is not possible to show a login page. So the credentials must be transported along with the SOAP request to our WS methods.
My questions:

- Is there such a concept of user/password authentication in interoperable SOAP/WSDL, apart from putting "user", "password" parameters on my WS interface's methods? How about HTTP headers?
- Does Axis support this? I saw the note in the docs about the "sister project"?
- Any other way we could use to achieve this transparent (and secure) transport of user credentials that is .NET/Axis compatible?

Any help, pointers and links are appreciated.

Best regards,
Christian Faucher
"This e-mail message is confidential, for the exclusive use of the addressee and its contents shall not constitute a commitment by AXA, except as otherwise specifically provided in writing by AXA. Any unauthorized disclosure, use or dissemination, either whole or partial, is prohibited. If you are not the intended recipient of the message, please notify the sender immediately."
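Editor's added example (not part of the original message, and not Axis or .NET code): the interoperable way to carry a user/password inside the SOAP request itself is a WS-Security UsernameToken in the `wsse:Security` SOAP header, which both Axis-side libraries and .NET stacks understand. The Python below shows both halves of that exchange: the client building a request with a PasswordDigest token, and the check an intercepting gateway in the DMZ would have to perform before forwarding the request to the destination WS. The namespace URIs are the published WSS 1.0 ones; the credential store, the clock, the sample body and the sample credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# WSS 1.0 namespaces and type identifiers (published OASIS values).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample body; any SOAP body would do.
SAMPLE_BODY = '<q:GetQuote xmlns:q="urn:example:quotes"><q:Symbol>AXA</q:Symbol></q:GetQuote>'


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_request(username, password, body_xml, nonce=None, created=None):
    """Client side: wrap body_xml in an envelope carrying a digest UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


class GatewayVerifier:
    """Gateway side: validate the UsernameToken before forwarding the request.

    lookup_password(user) -> str or None is the (assumed) credential store;
    clock() -> aware datetime is injectable so the check is testable.
    """

    def __init__(self, lookup_password, clock=lambda: datetime.now(timezone.utc), max_skew=300):
        self.lookup = lookup_password
        self.clock = clock
        self.max_skew = max_skew
        self.seen = set()  # (user, nonce) pairs already accepted: replay cache

    def verify(self, envelope: str):
        root = ET.fromstring(envelope)
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username") or ""
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or nonce_el is None or not created:
            return False, "digest token incomplete"
        # Freshness: Created must be within the allowed clock skew window.
        try:
            ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad Created"
        if abs((self.clock() - ts).total_seconds()) > self.max_skew:
            return False, "stale"
        # Replay: the same (user, nonce) must not be accepted twice inside the window.
        nonce = base64.b64decode(nonce_el.text or "")
        if (user, nonce) in self.seen:
            return False, "replay"
        # Recompute the digest from the stored secret; constant-time compare.
        expected = password_digest(nonce, created, self.lookup(user) or "")
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad credentials"
        self.seen.add((user, nonce))
        return True, user


def demo():
    """Run the client/gateway exchange with a fixed clock; returns the outcomes."""
    store = {"alice": "s3cret"}  # constructed credential store
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    gw = GatewayVerifier(store.get, clock=lambda: now)
    ok = build_request("alice", "s3cret", SAMPLE_BODY, nonce=b"0123456789abcdef", created="2024-01-01T12:00:05Z")
    bad = build_request("alice", "wrong", SAMPLE_BODY, nonce=b"x" * 16, created="2024-01-01T12:00:05Z")
    old = build_request("alice", "s3cret", SAMPLE_BODY, nonce=b"y" * 16, created="2024-01-01T10:00:00Z")
    return [gw.verify(ok), gw.verify(ok), gw.verify(bad), gw.verify(old)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The digest form keeps the cleartext password out of the message, but it still needs HTTPS between the .NET client and the DMZ gateway: the digest is only as strong as the password, and the freshness window plus nonce cache are what stop a captured token from being re-submitted. The gateway has to keep the `(user, nonce)` cache for at least `max_skew` seconds, and in a real deployment the nonce cache would be shared between gateway instances.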