OASIS WS-Security defines a standard SOAP header for passing security tokens. The spec isn't final yet, but it's pretty close. You can use WS-Security to pass any type of security token. The spec defines bindings for many different types of tokens, including SAML, Kerberos, X.509, XCBF, and more. See http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.
Axis can support WS-Security headers, although I don't think anyone has developed and contributed an Axis SOAP header processor for it. (Any volunteers?)

Anne

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 5:16 AM
Subject: RE: Newbie question on Usage and design style

> Wilfred,
>
> Thank you for the prompt reply. I hope to generate a healthy debate on the
> issue and see whether I am crossing the limits of interoperation.
>
> Do SOAP, UDDI, WSDL in their present and proposed form attempt to address
> this issue about authentication? What are the best practices around this,
> supposing that one wants to maintain interoperation? One solution may be to
> maintain the underlying HTTP session (but that is something beyond the specs
> in WSDL) and again may break interop.
>
> Hope for guidance from experienced people in the list.
>
> Regards,
>
> Santosh
>
> -----Original Message-----
> From: Wilfred Springer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 20, 2003 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Newbie question on Usage and design style
>
> > We are considering introducing Axis-based web services, as an interop
> > solution for the interface into our product. We already have well
> > established Authentication and Authorisation services delivered via CORBA, I
> > wanted to utilise the same and introduce a concept of a token for every
> > successful user of our web services (still in the conceptualization phase).
>
> This smells like SAML.
>
> > Some sites suggested introducing SOAP Headers in the WSDL. Does AXIS
> > support this feature of a token in the request header? How do I access it in
> > an end point? Is it too much of a demand on web services?
>
> If your ultimate goal is interoperability, then you'd better steer clear
> of introducing proprietary headers.
>
> --
> ________________________________________________________________
> Wilfred Springer                 Phone  : +31 (0)3 3451 5736
> Java Architect                   Mobile : +31 (0)6 2295 7321
> Sun Java Center                  Fax    : +31 (0)3 3451 5734
> Sun Microsystems Netherlands     Mail   : [EMAIL PROTECTED]
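
Added example, not part of the original thread and not Axis code: how a receiving endpoint can pull a single token out of the `wsse:Security` SOAP header that the reply at the top describes, rejecting messages that carry no such header, more than one, or a DTD. The namespace is the one from the final WSS 1.0 schema; the function name, the `urn:example:session-token` ValueType and the sample envelope are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
# Namespace from the final WSS 1.0 schema; drafts current in 2003 used other URIs.
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
TOKEN_TAGS = {f"{{{WSSE}}}BinarySecurityToken", f"{{{WSSE}}}UsernameToken"}


class SecurityHeaderError(ValueError):
    """The message carries no usable wsse:Security header."""


def extract_security_token(envelope: bytes) -> dict:
    """Return the single token carried in wsse:Security; the caller must
    still validate it against the issuing authentication service."""
    if b"<!DOCTYPE" in envelope:  # SOAP 1.1 forbids DTDs; assumes UTF-8 input
        raise SecurityHeaderError("DTD in SOAP message")
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        raise SecurityHeaderError(f"malformed XML: {exc}") from exc
    header = root.find(f"{{{SOAP}}}Header")
    blocks = [] if header is None else header.findall(f"{{{WSSE}}}Security")
    if len(blocks) != 1:  # assumption: one receiver, so exactly one block
        raise SecurityHeaderError(f"expected 1 Security header, got {len(blocks)}")
    tokens = [el for el in blocks[0] if el.tag in TOKEN_TAGS]
    if len(tokens) != 1:
        raise SecurityHeaderError(f"expected 1 token, got {len(tokens)}")
    tok = tokens[0]
    if tok.tag.endswith("UsernameToken"):
        return {"kind": "username",
                "username": tok.findtext(f"{{{WSSE}}}Username", "").strip()}
    return {"kind": "binary", "value_type": tok.get("ValueType"),
            "value": "".join((tok.text or "").split())}


# Constructed sample request; the ValueType URI and token value are hypothetical.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:BinarySecurityToken ValueType="urn:example:session-token">
        Q09OU1RSVUNURUQ=
      </wsse:BinarySecurityToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>""".encode()

if __name__ == "__main__":
    print(extract_security_token(SAMPLE))
```

Extraction only locates the token; checking that it was really issued to the caller stays with the existing authentication service.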