Let me try to answer your question with my understanding your scenario.
You have a set of ESBs and you can authenticate users at those EBSs using any of the mechanisms Dimuthu explained. Now in situations where one ESB has to talk to another *on behalf of* one of its users that ESB can authenticate itself to the other ESB and carry out the work. In this case each ESB will have their own credentials in the form of username/password pairs or certificates. And the communicating ESBs will have to trust each other by recognizing those credentials.
HTH Thanks, Ruchith Jens Goldhammer wrote:
Hello Dimuthu, thanks for your good explanations!Which of these possibilities are valuable to have a cross-domain-authentification? With rampart I always have to distribute new certificates to all participating domains, or I am completly wrong? Do you think the third possiblity works with wso2 esb? Should I give it a try? Is there a running bigger example for using rahas except sample05 in rampart-distribution or any documentation for it?Thanks, Jens Dimuthu Leelarathne schrieb:Hi Jens, On Mon, 2008-02-04 at 18:42 +0530, Asankha C. Perera wrote:Hi JensMy ideas are to inject some user values in the soap-message (username and password) and encrypt the soap-message. The esb will take these values and proofs it by using the wso2 usermanager.As I understand you need to authenticate users using username/password. This can be done in several ways as follows. 1) Using http basic authentication over SSL 2) Using Username Token over SSL 3) Using an encrypted Username Token. Implementation details of the above techniques can be described as follows. First method ============ First approach is the easiest to implement and sufficient for most situations. You can write a simple Java POJO class at the service to authenticate users by calling usermanager. If you want a more efficient approach you can implement a custom mediator with a caching technique which uses usermanager to perform authentication. This is how you write a custom mediator [1] This is how you read the http authentication headers [2] Second method ============= This is a WS-Security policy based approach. Rampart is used for injecting and authenticating the Username Token. The security policy needed for this is available in the Rampart distribution[3]. The sample is samples/policy/sample01 in the Rampart distribution. Third method ============ This is a WS-Security policy based approach. Here you have to use Asymmetric Binding and use UsernameToken as a supporting token. We don't have a sample for this yet. But you can look at the Rampart samples and read the WS policy specification for this. Links [1]http://wso2.org/library/2898[2]http://www.mail-archive.com/[EMAIL PROTECTED]/msg00065.html [3]http://www.apache.org/dyn/mirrors/mirrors.cgi/ws/rampart/1_3/rampart-1.3.zipThank you, DimuthuSure, this is possible with a custom mediator or a simple Java POJO class that calls into the usermanager library. You could also use WS-Security without coding using a WS-Security policy. I am copying Dimuthu from the usermanager/Rampart team so she could point you in the correct direction. We have some samples that shows how WS-Sec can be used with policies (http://wso2.org/project/esb/java/1.6/docs/ESB_Samples.html)After a successfull authentification I have to indicate that they other esbs and services itself don´t need to proof it again. I don´t want to make a new authentification at all intermediate stations, so in my eyes a flag in the soap message to say "Already authenticated"is enough, or?If this is totally within your intranet, I guess this should be enough. You could also use https to secure the messages over the wireI have to write an own mediation than, right? Or is there a solution out of the box?Well you could use the Header mediator to add a custom SOAP header to a message(http://wso2.org/project/esb/java/1.6/docs/ESB_Configuration_Language.html) You could also use a custom extension mediator if you like, but this doesn't seem necessaryWhat´s about the identity solution? Does it fit to myrequirements? Any other ideas in general for doing that?If you want to call into the user manager library and add the custom header both at once etc. writing a custom mediator may be ok asankha_______________________________________________ Esb-java-user mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user_______________________________________________ Esb-java-user mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Esb-java-user mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
