First, you will distribute your server's public key; and then, SOAP clients will have to encrypt XML using that public key just before sending the message on the wire (see W3C XML Signature and Encryption spec).
On the client side, put name/password info in the SOAP header. Then encrypt the XML and send it.


On the server side, you could write an Axis handler that receives the encrypted XML and decrypts it. If something is not OK, you can just ignore the request.

You can implement this using the Apache XML Security Suite. There are some examples on the web; I can't remember the URLs.

If you distribute your public key to ONLY allowed clients (and you trust they will not redistribute it without your authorization) you can just make them sign the message. So, you will not need authentication, there is no need for sending username/password, but it's limited (you lose confidentiality, and anyone who can obtain your server's public key can dispatch operations).

Regards,

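The scheme described in the reply above (client encrypts the credentials header with the server's public key, an Axis handler decrypts it), as an added example that is not code from the thread or from the Axis/XML Security projects. It uses the Apache XML Security (Santuario) `XMLCipher` API with a hybrid construction: a fresh AES key encrypts the `Credentials` element and that key is wrapped with RSA-OAEP under the server's public key, so the server only needs its private key to recover the header. The SOAP envelope, the `urn:example:credentials` namespace and the `SoapHeaderCrypto` class name are constructed for the example; the Santuario jar is assumed to be on the classpath.

```java
// Added example (not from the thread): hybrid XML Encryption of a SOAP header
// element with Apache XML Security (Santuario). The envelope and namespaces
// below are constructed samples; the key pair stands in for the server's.
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SoapHeaderCrypto {
    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    static final String CRED_NS = "urn:example:credentials"; // hypothetical header namespace

    // Constructed sample envelope; only the Credentials header gets encrypted.
    static final String SAMPLE_ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Header><c:Credentials xmlns:c=\"" + CRED_NS + "\">"
      + "<c:Username>jon</c:Username><c:Password>s3cret</c:Password>"
      + "</c:Credentials></soapenv:Header>"
      + "<soapenv:Body><ns:runJob xmlns:ns=\"urn:example:svc\"/></soapenv:Body>"
      + "</soapenv:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // XML Encryption addresses elements by qualified name
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs from clients
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    // Client side: encrypt the Credentials element under a fresh AES-128 key, wrap that key
    // with the server's RSA public key (OAEP), and embed the wrapped key in the KeyInfo.
    static void encryptCredentials(Document doc, PublicKey serverPublicKey) throws Exception {
        Element creds = (Element) doc.getElementsByTagNameNS(CRED_NS, "Credentials").item(0);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();

        XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.RSA_OAEP);
        keyCipher.init(XMLCipher.WRAP_MODE, serverPublicKey);
        EncryptedKey wrappedKey = keyCipher.encryptKey(doc, dataKey);

        XMLCipher dataCipher = XMLCipher.getInstance(XMLCipher.AES_128);
        dataCipher.init(XMLCipher.ENCRYPT_MODE, dataKey);
        EncryptedData ed = dataCipher.getEncryptedData();
        KeyInfo ki = new KeyInfo(doc);
        ki.add(wrappedKey);
        ed.setKeyInfo(ki);

        // content=false replaces the whole element, so even its name is hidden on the wire
        dataCipher.doFinal(doc, creds, false);
    }

    // Server side (what the Axis handler would call): find the EncryptedData in the header,
    // unwrap the AES key with the server's private key and restore the plaintext element.
    static Element decryptCredentials(Document doc, PrivateKey serverPrivateKey) throws Exception {
        NodeList encrypted = doc.getElementsByTagNameNS(XENC_NS, "EncryptedData");
        if (encrypted.getLength() == 0) {
            return null; // no encrypted credentials: the handler should reject the request
        }
        XMLCipher cipher = XMLCipher.getInstance();
        cipher.init(XMLCipher.DECRYPT_MODE, null);
        cipher.setKEK(serverPrivateKey); // key-encryption key used to unwrap the AES key
        cipher.doFinal(doc, (Element) encrypted.item(0));
        return (Element) doc.getElementsByTagNameNS(CRED_NS, "Credentials").item(0);
    }

    public static void main(String[] args) throws Exception {
        Init.init(); // registers the XML Security algorithms; call once per JVM
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverKeys = kpg.generateKeyPair(); // stands in for the distributed server key pair

        Document doc = parse(SAMPLE_ENVELOPE);
        encryptCredentials(doc, serverKeys.getPublic());
        // Here doc contains an xenc:EncryptedData element in place of c:Credentials.

        Element creds = decryptCredentials(doc, serverKeys.getPrivate());
        String user = creds.getElementsByTagNameNS(CRED_NS, "Username").item(0).getTextContent();
        System.out.println("authenticated user: " + user);
    }
}
```

The handler that calls `decryptCredentials` would then check the recovered username/password against its user store and, as the reply says, drop the request when decryption fails or no credentials are present. Note that this hides the credentials from anyone reading the message but does not stop a captured, still-valid encrypted header from being resent; binding the header to a timestamp or nonce inside the encrypted element is the usual way to add that.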

Jon Blower wrote:
Dear Axis users,

I would like to add a very basic level of security to my Web Service. I would like users to be authenticated by simply including a username and password in the SOAP message when calling the Web Service.

What's the easiest way of encrypting the username/password so it can't be decrypted if someone intercepts the SOAP message? I don't need a solution with maximum security - the authentication is basically to keep track of who's using the Web Service and to provide different levels of access to different users. The Web Service in question involves significant server load, so the security is just intended to prevent unauthenticated users submitting requests that will hold up the server.

I have even considered sending the username/password unencrypted, but ideally I would like a bit more security than this if it's not hard to implement. Only the username/password part of the message would have to be encrypted.

I've looked on the Web for appropriate toolkits/APIs but haven't been able to track down an obvious solution.

Thanks in advance for any help or advice,

Jon
