The W3C WS-Arch team recommends passing security tokens in a SOAP header. I (and many others) view this approach as the best practice. The OASIS WS-Security Technical Committee is the group that is developing the formal standards for this purpose. As I said in my previous message, the WS-Security Core spec is not yet final, but it's close. A number of vendors supply products that provide preliminary support for WS-Security. Platforms include Systinet WASP (www.systinet.com), IBM ETTK (http://www.alphaworks.ibm.com/tech/ettk), and Microsoft WSE (http://msdn.microsoft.com/webservices/building/wse/default.aspx). Add-on security products include Westbridge and Vordel.
You can use HTTP authentication, but you run into interop problems. Some products (e.g., Axis) support HTTP Basic, while others (e.g., .NET) support HTTP Digest. Also, it can be quite challenging to rely on transport-based authentication if your message is routed through multiple hops.

Anne

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 8:42 AM
Subject: RE: Newbie question on Usage and design style

> Dear AXIS Users, or maybe developers like Tom, architects like Sam,
>
> Please, I need your views on this.
>
> Regards,
>
> Santosh
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 20, 2003 10:16 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Newbie question on Usage and design style
>
> Wilfred,
>
> Thank you for the prompt reply. I hope to generate a healthy debate on the issue and see whether I am crossing the limits of interoperation.
>
> Do SOAP, UDDI and WSDL in their present and proposed form attempt to address this issue about authentication? What are the best practices around this, supposing that one wants to maintain interoperation? One solution may be to maintain the underlying HTTP session (but that is something beyond the specs in WSDL) and again may break interop.
>
> Hope for guidance from experienced people in the list.
>
> Regards,
>
> Santosh
>
> -----Original Message-----
> From: Wilfred Springer [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 20, 2003 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Newbie question on Usage and design style
>
> > We are considering introducing Axis-based web services as an interop solution for the interface into our product. We already have well established Authentication and Authorisation services delivered via CORBA; I wanted to utilise the same and introduce a concept of a token for every successful user of our web services (still in the conceptualization phase).
>
> This smells like SAML.
>
> > Some sites suggested introducing SOAP Headers in the WSDL. Does AXIS support this feature of a token in the request header? How do I access it in an end point? Is it too much of a demand on web services?
>
> If your ultimate goal is interoperability, then you'd better steer clear of introducing proprietary headers.
>
> --
> ________________________________________________________________
> Wilfred Springer                Phone  : +31 (0)3 3451 5736
> Java Architect                  Mobile : +31 (0)6 2295 7321
> Sun Java Center                 Fax    : +31 (0)3 3451 5734
> Sun Microsystems Netherlands    Mail   : [EMAIL PROTECTED]
>
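The check an endpoint performs when the token travels in a SOAP header, as Anne recommends, shown as an added example in Python (not code from this thread, from Axis, or from any product named above): locate the WS-Security UsernameToken in the header, verify its PasswordDigest against the stored secret, bound the Created timestamp, and refuse a reused nonce. It assumes the final OASIS WSS 1.0 namespaces and the UsernameToken Profile digest rule, which postdate this 2003 thread; the sample envelope, user table and receive time are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the final OASIS WSS 1.0 specs (2004); the thread predates them.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce_b64, created, password):
    # UsernameToken Profile: Base64(SHA-1(nonce || created || password)), nonce decoded from Base64 first
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def verify_username_token(envelope, lookup_password, now, seen_nonces, max_skew=timedelta(minutes=5)):
    """Return the authenticated username or raise ValueError; called before the body is dispatched."""
    root = ET.fromstring(envelope)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no wsse:UsernameToken in the SOAP header")
    user, nonce, created = (tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSSE}}}Nonce"),
                            tok.findtext(f"{{{WSU}}}Created"))
    pw = tok.find(f"{{{WSSE}}}Password")
    if None in (user, nonce, created, pw) or pw.get("Type") != DIGEST:
        raise ValueError("token must carry Username, Nonce, Created and a PasswordDigest")
    ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_skew:
        raise ValueError("Created outside the accepted window")
    if nonce in seen_nonces:  # the nonce cache is what stops replay inside the time window
        raise ValueError("nonce already used")
    secret = lookup_password(user)
    if secret is None or not hmac.compare_digest(password_digest(nonce, created, secret).encode(),
                                                 (pw.text or "").encode()):
        raise ValueError("unknown user or digest mismatch")
    seen_nonces.add(nonce)
    return user

# Constructed sample: a request carrying the token, built with the same digest routine.
NONCE = base64.b64encode(b"constructed-nonce-0001").decode()
CREATED = "2003-06-20T08:42:00Z"
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
 <soap:Header><wsse:Security soap:mustUnderstand="1"><wsse:UsernameToken>
  <wsse:Username>alice</wsse:Username>
  <wsse:Password Type="{DIGEST}">{password_digest(NONCE, CREATED, 's3cret')}</wsse:Password>
  <wsse:Nonce>{NONCE}</wsse:Nonce><wsu:Created>{CREATED}</wsu:Created>
 </wsse:UsernameToken></wsse:Security></soap:Header>
 <soap:Body><getQuote xmlns="urn:example">SUNW</getQuote></soap:Body>
</soap:Envelope>"""
NOW = datetime(2003, 6, 20, 8, 43, tzinfo=timezone.utc)  # constructed receive time for the sample
USERS = {"alice": "s3cret"}  # constructed credential store; lookup is USERS.get
```

Calling `verify_username_token(SAMPLE, USERS.get, NOW, set())` returns `"alice"`; a second delivery of the same envelope against the same nonce set, a stale Created, a wrong stored secret, or an envelope with no Security header all raise ValueError.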