On 9/7/07, Dan Kearns <[EMAIL PROTECTED]> wrote:
>
> 2007/9/6, Alex Boisvert <[EMAIL PROTECTED]>:
> > I've just added experimental support for HTTP authentication in the
> > 1.1 branch
> On 9/6/07, Tammo van Lessen <[EMAIL PROTECTED]> wrote:
> >
> > Yes, I agree. Introducing an extra message part for credentials is
> > IMHO quite a hack. Since BPEL itself actually deals only with the
> > abstract part of WSDL
>
>
> It isn't a hack, it's the obvious way to create a process which actively
> operates on credentials or other assertions, yet allows the implementor of
> the wsdl binding layer to turn those assertions into some useful behavior.
> Most times, it is just a convenient circumstance that the same wsdl port
> type can be used both for a process and for the (for example) Axis service
> sitting in front of it.


Well, it is a header that's only applicable to some protocol, so it's no
longer utilizing the WSDL protocol abstraction; it fixes the abstract
message usage to the actual protocol bindings.  And you need as many of
these as there are authentication protocols.  And it is holding on to
username/password, one of which might change before the process completes.

The proper way would be to add an authentication context that's separate
from the message definition, but can be carried across operations, and let
the protocol binding deal with mapping it to the details of each protocol.
I don't think extending PartnerLink is enough, that would only allow you to
always authenticate as the same subject against the same service.  It's
quite common to expect authorization to change, e.g. depending on who
started the process.

Assaf

> Which of these are you trying to support?
> - http basic auth used as authorization gate before passing a message to a
> process
> - http basic auth used to bootstrap an implicit security context (eg jaas)
> for receiving the message
> - http basic auth used to bootstrap an implicit security context for the
> entire process
> - http basic auth used to implement the binding for a username token
> mentioned in the wsdl message, to be used by the process elsewhere, eg
> sending a message later
> - Make an Ode-centric axis-enabled distro, where you configure axis
> indirectly via Ode
>
> -d
>
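Assaf's proposal above (an authentication context carried by the process instance and mapped to each protocol by the binding layer, rather than credentials stored in a message part), sketched as an added Python example. This is not ODE code; the class and function names, the credential store, and the sample subject/secret values are all assumptions constructed for illustration.

```python
import base64
from dataclasses import dataclass


@dataclass
class SecurityContext:
    """Per-process-instance authentication context, kept apart from the
    abstract WSDL message. It records the subject (e.g. who started the
    process), not the password, so a rotated secret is not frozen in state."""
    subject: str


class CredentialStore:
    """Hypothetical resolver consulted at send time, so a password changed
    mid-process is used by the next invoke instead of a stale copy."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def rotate(self, subject, new_secret):
        self._secrets[subject] = new_secret

    def secret_for(self, subject):
        return self._secrets[subject]


def http_basic_binding(ctx, store, message):
    """Binding layer: map the context to an HTTP Basic Authorization header."""
    raw = f"{ctx.subject}:{store.secret_for(ctx.subject)}".encode()
    token = base64.b64encode(raw).decode()
    return {"headers": {"Authorization": f"Basic {token}"}, "body": message}


def ws_username_token_binding(ctx, store, message):
    """Same context mapped to a WS-Security UsernameToken header instead;
    the process itself never has to know which protocol is in play."""
    header = (f"<wsse:UsernameToken><wsse:Username>{ctx.subject}</wsse:Username>"
              f"<wsse:Password>{store.secret_for(ctx.subject)}</wsse:Password>"
              f"</wsse:UsernameToken>")
    return {"soap_header": header, "body": message}


class ProcessInstance:
    """Abstract process: invokes carry only the abstract message; the context
    rides alongside and each invoke's binding decides how to present it."""
    def __init__(self, started_by, store):
        self.ctx = SecurityContext(subject=started_by)
        self.store = store

    def invoke(self, binding, message):
        return binding(self.ctx, self.store, message)
```

Because the context holds a subject rather than a secret, the same process can authenticate as whoever started it, and the second invoke below picks up a rotated password without the process state changing.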