Hi,
Some help is required with the following problem:
I have an application on an OpenVMS system that is used by different regional
offices, where all use the same executables, but the data is completely
separated. If a person logs in, the OS will know which scripts to execute to
set up the right paths to the data, and the application will then be able to
check the authorisations of that user. If the user uses the application, he
will only have access - by this setup - to the data of his regional office.
It happens that a .NET application will access the data by a SOAP-based
webservice. This application is used by the same regional offices that use
the OpenVMS application, and will access only the data of that office. Only
users of the .NET application that are authorized will be allowed access -
be it anyone within a department, or a specific user. In some cases, data
can just be accessed if requested from a certain desk only.
This authorization is set within the dataset on the VMS machine and
maintained on that system only (for security reasons).
That means that the webservice needs to be able to set the right access
paths to the data, in order to check access by that user, on a
request-by-request basis, because, IIRC, SOAP:Header can contain
authentication information, and this can be specified in some structure. So
my idea is to use a structure in the SOAP:Header, since it is required for
each and every request.
An example:
I'm working at the ICT department, and logged in on PC at the infodesk of
region 9999. I need to get information on the financial details of client
with code 123456.
The .NET application will build up a SOAP message containing my login
information (in the header) and the requested information in the body:
<SOAP:Header>
  <authentication>
    <region>9999</region>
    <department>ITC</department>
    <desk>infodesk</desk>
    <username>Grooters</username>
  </authentication>
</SOAP:Header>
<SOAP:Body>
  <clientid>123456</clientid>
</SOAP:Body>
and sends it to the webservice, method "getFinancialDetails".
The method would normally get the clientid from AXIS, but it needs the
header information as well, to be able to:
1 Set the right access paths to the data (<region>)
2 Authorize the request (against the data of region 9999) (<department>,
<desk> and <username>)
3 If authorized, access the data of the client (<clientid>)
The problem is that it seems that I have no access to the header information
when I need it: in the service itself. How can this be solved - with this
info in the SOAP Header - not moved to the body (I'm stuck with this
structure)?
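
The three steps listed in the message above, as an added example that is not part of the original message and is not Axis code: it reads the same envelope with the JDK's DOM parser, so it runs without the Axis runtime. The class name, the `DATA_ROOT` and `ALLOWED` tables, the `REGION_9999_DATA:` value and the SOAP 1.1 namespace on the envelope are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class HeaderAuthExample {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed sample data: data root per region, and who may read in that region.
    static final Map<String, String> DATA_ROOT = Map.of("9999", "REGION_9999_DATA:");
    static final Map<String, Set<List<String>>> ALLOWED =
        Map.of("9999", Set.of(List.of("ITC", "infodesk", "Grooters")));
    // Text of exactly one child element; a missing or repeated field is refused.
    static String one(Element parent, String name) {
        NodeList n = parent == null ? null : parent.getElementsByTagName(name);
        if (n == null || n.getLength() != 1) throw new SecurityException("bad <" + name + ">");
        return n.item(0).getTextContent().trim();
    }

    static String getFinancialDetails(String envelope) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(envelope)));
        Element header = (Element) d.getElementsByTagNameNS(SOAP_NS, "Header").item(0);
        Element body = (Element) d.getElementsByTagNameNS(SOAP_NS, "Body").item(0);
        Element auth = header == null ? null
            : (Element) header.getElementsByTagName("authentication").item(0);
        // 1. <region> selects the data paths, so only a known region code is accepted.
        String region = one(auth, "region");
        String root = DATA_ROOT.get(region);
        if (root == null) throw new SecurityException("unknown region");
        // 2. Authorize against that region's rules; anything not listed is refused.
        List<String> who = List.of(one(auth, "department"), one(auth, "desk"), one(auth, "username"));
        if (!ALLOWED.getOrDefault(region, Set.of()).contains(who))
            throw new SecurityException("not authorized");
        // 3. Only an authorized request gets its body read.
        String clientId = one(body, "clientid");
        if (!clientId.matches("[0-9]{1,10}")) throw new SecurityException("bad clientid");
        return root + "client " + clientId;
    }
    public static void main(String[] args) throws Exception {
        // Constructed message: the header and body from the message above, wrapped in an envelope.
        String msg = "<SOAP:Envelope xmlns:SOAP='" + SOAP_NS + "'><SOAP:Header><authentication>"
            + "<region>9999</region><department>ITC</department><desk>infodesk</desk>"
            + "<username>Grooters</username></authentication></SOAP:Header>"
            + "<SOAP:Body><clientid>123456</clientid></SOAP:Body></SOAP:Envelope>";
        System.out.println(getFinancialDetails(msg));
    }
}
```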