Tom Chiverton wrote:
means that I have to add this token parameter to *every*
webservice method. This is not acceptable, as I want (in fact, my
customer wants) my services to be free of such things. Authorization
should be transparent (but flexible). Then again I could have one big
thing, ServiceLocator or something like that, so that
It can't be transparent and work.
Somewhere along the line (no matter if HTTP basic or digest, token based, ...)
your client will have to do something.
Maybe I put myself wrong. What I thought of is to have some kind of
proxy layer, managing ws authorization.
WS-Security standard and my serverside (xfire) provides something like
that (attaching filters to webservices, that are launched before actual
webservice method, checking credentials and so on). But I don't have
such thing (pack SOAP call into WS-Security standard) in client - and I
miss that. By "transparent" I mean, that my actual webservice method
looks as its just POJO, so, let's say "getObjectByID(int id)" does not
translate into something like "getObjectByID(Token token, int id)".
I'm just asking about how much control do I have about what Flex sends
(with SOAP) to actual webservice? Can I put additional things into soap
body/header? Could webservice AS3 class be extended to allow that?
Dave Wolf wrote :
What is wrong with standard J2EE security constraints? Place a
security constraint on the URI of the web service. You can then use
either FORM or BASIC auth for your Flex application as a whole an the
web service calls will inherit those credentials.
Could you explain this a bit more? I'm afraid, I don't know what you are
suggesting.
--
| Sebastian Zarzycki / rat[tkin]
| [EMAIL PROTECTED]
| i'm a little lost in this postmodern space
| gg:#2692696 / icq:#264185739 irc :#tool #ot-oa / skype:rattkin
