I have never really messed with authenticated web services at all so not sure what to say..
I'll take a look through that though, thanks carlos jesse On 4/30/07, Carlos Sanchez <[EMAIL PROTECTED]> wrote:
I don't think you need to handle the authentication part in the continuum code, nor need to create tokens,... If you use standard Digest authentication the password is encrypted, and if you tie that with https then it's completely secure. Acegi uses a filter to process all the requests and populate the auth info or return the standard http codes if user not authenticated http://www.acegisecurity.org/docbook/acegi.html#digest On 4/30/07, Jesse McConnell <[EMAIL PROTECTED]> wrote: > I am hoping to get a couple of authn and authz web services running in > redback this week, once I finish up the role profile refactor and > clean up, I want to wack out a webservice and then start getting > continuum integrated to using the new redback setup. > > sounds like that would work perfectly for this xml-rpc stuff in continuum. > > rahul, planning on using xfire until the apache CXF stuff gets it > first release out of the incubator...that sound good? > > jesse > > On 4/30/07, Emmanuel Venisse <[EMAIL PROTECTED]> wrote: > > Maybe, but I can't find it. > > > > Emmanuel > > > > Rahul Thakur a écrit : > > > I thought there was something similar to this that exists in Redback? > > > > > > Rahul > > > > > > ----- Original Message ----- From: "Emmanuel Venisse" > > > <[EMAIL PROTECTED]> > > > To: <continuum-dev@maven.apache.org> > > > Sent: Saturday, April 28, 2007 12:37 AM > > > Subject: Re: XML RPC security > > > > > > > > >> I think it's best solution. With a token, we don't have login/password > > >> over the network for each request. > > >> > > >> XmlRpcService > > >> String login( username, password ) //return a token > > >> { > > >> tokenManager.login( username, password ); > > >> } > > >> > > >> Object method1( token, params ) //null token for guest user or a > > >> getGuestToken() method that will return it > > >> { > > >> User user = tokenManager.getUser( token ); > > >> ... > > >> } > > >> Object method2( token, params ) > > >> { > > >> ... > > >> } > > >> > > >> TokenManager > > >> String login( username, password ); //return a token > > >> User getUser( token ) > > >> > > >> The TokenManager can be a plexus component with a default > > >> implementation for redback. > > >> wdyt? > > >> > > >> Emmanuel > > >> > > >> Emmanuel Venisse a écrit : > > >>> Hey guys, > > >>> > > >>> Some quick notes on the security for XML RPC interface. This is what I > > >>> am thinking... > > >>> > > >>> Have an AuthenticatedXmlRpcService component that services the xml rpc > > >>> requests. The first request from a client to the service is a request > > >>> for authentication. A successful authentication returns an > > >>> authentication Token, which is passed along with subsequent requests by > > >>> the client. A Token can go stale (configurable time period?) if there > > >>> were not requests detected for it. Also, we could have a service that > > >>> answers any polling requests and keeps a Token 'alive'. > > >>> > > >>> Thoughts? > > >>> > > >>> Rahul > > >>> > > >>> > > >>> > > >>> > > >> > > > > > > > > > > > > > > > > > > > -- > jesse mcconnell > [EMAIL PROTECTED] > -- I could give you my word as a Spaniard. No good. I've known too many Spaniards. -- The Princess Bride
-- jesse mcconnell [EMAIL PROTECTED]
