Hi all, 2007/9/6, Alex Boisvert <[EMAIL PROTECTED]>: > I've just added experimental support for HTTP authentication in the > 1.1branch [...] > I've taken the simple approach of passing a extra message part to carry the > authentication credentials. Using partnerLinks or some other form of > extension would be cleaner but would have required additional > infrastructure. I'd be curious if other developers have feedback on which > approach we should adopt for security in general. My sense is that we need > way to abstract security protocol concerns out of the BPEL whenever > possible. Yes, I agree. Introducing an extra message part for credentials is IMHO quite a hack. Since BPEL itself actually deals only with the abstract part of WSDL, endpoint releated information should not be part of the process model and therefore also not necessarily part of the message payload. I think the deployment descriptor would be more suitable, alternatively or additionally the user credentials could be placed in the service-ref element to be copied into a partnerLink. This could be either some proprietary stuff or based on WS-Addressing/WS-Policy.
What do you guys think on that? Cheers, Tammo PS: I moved that message from user to dev
