Title: RE: Authorizing users in Axis

In general, I think you should steer away from passing credentials in each and every method. A good design pattern is to authenticate your end user using some 'security service' that, if authentication succeeds, would produce a token that would be passed in the header of your SOAP messages.  Standards that conform to this pattern include SAML and Kerberos. WS-Security, though you mentioned it is not to your liking, has a SAML profile for incorporating SAML tokens into a SOAP header. This might be of interest to you if you can overcome your objections to WS-Security. 

If your Web service is implemented in Java, you may want to consider the J2SDK implementation of the Generic Security Services Application Program Interface (GSS-API), which is defined in RFC 2853. See http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/index.html for more information.

There is not today, nor probably ever, a one-size-fits-all solution for securing Web services, but these are some good options.

Mick
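The pattern described in the reply above (authenticate once against a security service, carry the resulting token in the SOAP header rather than as a method parameter, and have the server check the token before dispatching to the method), as an added example that is not part of the original thread and is not Axis code. It is a language-neutral Python sketch built on the standard library: an HMAC-signed bearer token stands in for a SAML or Kerberos token, and `SecurityService`, `build_request`, `authorize_request`, the `urn:example:...` namespaces, the user table and the per-operation policy are all constructed here for illustration.

```python
"""Token-in-SOAP-header authorization sketch (added example, not Axis code)."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TOKEN_NS = "urn:example:auth-token"   # constructed namespace for the token header
SERVICE_NS = "urn:example:reports"    # constructed namespace for the service operations


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2 password hash; the store never holds the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash). This is what the
# 'security service' consults; the Web service methods never see a password.
_SALT = b"constructed-static-salt"
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

# Constructed per-operation policy: which users may call which operation.
POLICY = {"getReport": {"alice"}, "deleteReport": {"admin"}}


class SecurityService:
    """Issues and verifies HMAC-signed tokens (stand-in for a SAML/Kerberos service)."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key            # server-side secret; never leaves the service
        self.ttl = ttl_seconds    # tokens expire, so a captured one has a short life

    def authenticate(self, username: str, password: str, now: Optional[int] = None) -> Optional[str]:
        """Check credentials once; return a signed token on success, else None."""
        entry = USERS.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(_hash_pw(password, salt), stored):
            return None
        now = int(time.time()) if now is None else now
        payload = f"{username}|{now + self.ttl}|{secrets.token_hex(8)}".encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "." +
                base64.urlsafe_b64encode(sig).decode())

    def verify(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the username the token was issued to, or None if forged or expired."""
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
            expected = hmac.new(self.key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(sig, expected):
                return None          # signature mismatch: payload was not issued by us
            username, expiry, _nonce = payload.decode().split("|")
            expiry_int = int(expiry)
        except (ValueError, binascii.Error):
            return None              # malformed token
        now = int(time.time()) if now is None else now
        return None if now >= expiry_int else username


def build_request(token: str, operation: str) -> str:
    """Client side: put the token in the SOAP Header, keep the Body for the call."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("auth", TOKEN_NS)
    ET.register_namespace("rep", SERVICE_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{TOKEN_NS}}}Token").text = token
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{SERVICE_NS}}}{operation}")
    return ET.tostring(env, encoding="unicode")


def authorize_request(xml_text: str, service: SecurityService,
                      now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: the check a request handler runs before dispatching to the method.

    Note: for XML from untrusted callers a hardened parser (e.g. defusedxml) is
    preferable to plain ElementTree; ElementTree is used here only to keep the
    example dependency-free.
    """
    env = ET.fromstring(xml_text)
    token_el = env.find(f"{{{SOAP_NS}}}Header/{{{TOKEN_NS}}}Token")
    if token_el is None or not token_el.text:
        return False, "missing token header"
    user = service.verify(token_el.text.strip(), now=now)
    if user is None:
        return False, "invalid or expired token"
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return False, "empty body"
    operation = body[0].tag.split("}")[-1]   # strip the namespace from the element name
    if user not in POLICY.get(operation, set()):
        return False, f"user {user} not authorized for {operation}"
    return True, f"{user} may call {operation}"
```

In an Axis deployment the `authorize_request` logic would sit in a request-chain handler, so the service methods never receive or inspect credentials; the transport should still be TLS, since a bearer token is only as safe as the channel it travels on, and the short expiry limits what a captured token is worth.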



-----Original Message-----
From: Sharam Fouladgar-Mercer [mailto:[EMAIL PROTECTED]]
Sent: Thu 11/18/2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: Authorizing users in Axis

Hi,
As an Axis newbie, I am trying to figure out how to authorize users who
should be accessing a certain method of my Web Service. Are there any
standards out there that I should follow? Other than using the
components of WS-Security (which are too new for my liking), I can only
think of passing the username and password as parameters in the method,
but that is not a standard either I believe (I would be using SSL over
HTTP so it would be secure).

Any ideas?

Thanks,

Sharam

