I've used a custom header that incorporates some of the WS-Security markup for sending a binary token. As far as I can tell, WS-Security just defines syntax and semantics of security information in a SOAP message. So you can do it all yourself, though there can be a lot to it. No doubt the WSS4J project, in Apache, will be useful in providing framework support for adding and processing such headers but I think you're on your own for now.
So I have a client handler that adds a header something like:
    <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="0"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary"
            ValueType="urn:ourSecurity">s9unTw9...KHT</wsse:BinarySecurityToken>
      </wsse:Security>
    </soapenv:Header>
And a server handler reads the header and checks authorisation. There's nothing magical about it, though this is a fairly basic use of WS-Security, using only one token type, one encoding type, one value type and no signing or encryption (other than Base64). However, I only need a fairly low level of security for internal use.
Tony
"Lyndon Tiu" <[EMAIL PROTECTED]> wrote on 29/11/2004 21:51:10:
> Hello,
>
> Anyone here ever used custom soap headers for authentication purposes?
>
> How about WS-Security (Axis-WSSE)?
>
> Any tips and suggestions and comments about how well these work and how
> effective these are?
>
> Thanks.
>
> --
> Lyndon Tiu
>
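
The server-side check described in the message above, as an added Python example that is not part of the original post or of Axis: it reads the header and fails closed when the token is missing, duplicated or malformed. The SOAP 1.1 envelope namespace, the function names and the token value are assumptions constructed for illustration.

```python
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"  # assumed: SOAP 1.1
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
TOKEN_PATH = f"{{{SOAPENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken"
SECRET = b"constructed-demo-token"  # constructed sample value, not a real token


def authorise(envelope_xml: bytes, expected_token: bytes) -> bool:
    """Return True only if the envelope carries exactly one valid token."""
    # SOAP 1.1 messages must not contain a DTD; rejecting it also avoids
    # entity-expansion tricks in the XML parser.
    if b"<!DOCTYPE" in envelope_xml:
        return False
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False
    if root.tag != f"{{{SOAPENV}}}Envelope":
        return False
    # mustUnderstand="0" makes the header optional on the wire, so the
    # handler itself has to reject a missing or duplicated token.
    tokens = root.findall(TOKEN_PATH)
    if len(tokens) != 1:
        return False
    tok = tokens[0]
    if tok.get("ValueType") != "urn:ourSecurity":
        return False
    if tok.get("EncodingType") != "wsse:Base64Binary":
        return False
    try:
        raw = base64.b64decode((tok.text or "").strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    # Base64 is reversible, so the token is a bearer secret: compare it
    # in constant time and never log it.
    return hmac.compare_digest(raw, expected_token)


def build_envelope(header_xml: str) -> bytes:
    """Wrap a constructed header fragment in a minimal SOAP envelope."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAPENV}" xmlns:wsse="{WSSE}">'
            f'{header_xml}<soapenv:Body/></soapenv:Envelope>').encode()
```
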