I wonder why SSL isn't an option? We've been very successful in getting SSL to working with Hessian using client certificate authentication. I've also added a servlet filter to pre-process Hessian requests to so I can restrict access based on method names. Suggestion, perhaps you could use Hessian to serialize a javax.crypto.SealedObject. ________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Ferguson Sent: Monday, June 11, 2007 12:52 PM To: Serge Merzliakov Cc: [email protected] Subject: Re: [Hessian-interest] Securing Hessian messages On Jun 4, 2007, at 10:46 PM, Serge Merzliakov wrote: As a newcomer, I don't know much about Hessian (my day job requires WS-Security, SOAP and the orthodox SOA stack...) but I have got the samples working and like the simplicity very much. Are there any plans to encrypt messages or some other message level security (this excludes SSL) ? I know this strays into the WS-Security space (and we don't wan't to reinvent the WS-* wheel) but it would be a compelling argument for serious evaluation in most firms considering SOA. I've added this as a bug report as: http://bugs.caucho.com/view.php?id=1793 I'd need to take a look to see if it's possible to add that kind of capability without increasing the complexity. -- Scott
_______________________________________________ hessian-interest mailing list [email protected] http://maillist.caucho.com/mailman/listinfo/hessian-interest
