Hello Josef,
Your mail has a few questions. Let me answer those, one by one.

> What technology shall we use to encrypt the password in a SOAP-BODY?

According to your description and to my knowledge, the best methodology to secure the SOAP body is to use message level encryption. Thus I believe a "symmetric binding" based mechanism would be sufficient. You may be able to specify the password in the header during re-authentication. But to do this you need to define your "endpoint security policy" with alternatives (i.e. to provision both username token and x509 token). Personally I haven't used 2 policy alternatives for a particular service, therefore I am not sure about the practical implications.

> Does Apache Axis2-Team run or participate on the PLUG-FEST from Microsoft and SUN where participants demonstrate their interoperability capabilities against defined web-service servers/scenarios?

We have tested Rampart against Microsoft PLUG-FEST. We also have a set of test cases which are used to test against Microsoft PLUG-FEST services. But personally I had issues running these test cases against Microsoft services, as some of those (Microsoft Plug-Fest [1]) endpoints are not available (in the recent past). E.g.: http://131.107.72.15/Security_WsSecurity_Service_Indigo/. I am not sure whether these services are hosted in some other place. I am not sure about SUN.

> What would be your approach / response to this Security Based Interoperability Issues?

We will try our best to fix inter-operable issues, but we need to make sure those fixes are compatible with the basic security profile [2].

[1] http://mssoapinterop.org/
[2] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html

Thanks
AmilaJ

On Tue, Sep 13, 2011 at 3:41 PM, Stadelmann Josef <josef.stadelm...@axa-winterthur.ch> wrote:

> Hi developers,
>
> We have an Axis2 and Addressing.mar on Tomcat on JDK 1.5 on OpenVMS –
>
> And our Web Service runs in scope="soapsession", which makes long lasting sessions.
>
> We have a .NET .VB .C# WCF 3.5 WS Client communicating through a SOAP-XML over HTTP Protocol
>
> using the ServicegroupId Header to make long lasting sessions in scope="soapsession" possible.
>
> All works fine and performant !!! Thanks to Axis2 and WCF 3.5 .NET
>
> Now we need to secure the following !!!
>
> Username and Password is a part of a login-request-soap-body-element
>
> This is no longer allowed to be transmitted un-encrypted in clear text over the network.
>
> We could switch to HTTPS/SSL and the game is over !!!!
>
> But, we are interested in using a more WS oriented approach and in learning!
>
> Hence in this situation INTEROPERABILITY is our major issue!
>
> And a Tools Based Approach to reach that fast is another issue!
>
> (even time is not a killer, but we want to learn how to make faster progress with Web Services and in particular security)
>
> We like to remain with Tomcat and Axis2 running on OpenVMS 8.4 and a JDK 1.5.0 or JDK 6.0.
>
> What technology shall we use to encrypt the password in a SOAP-BODY,
>
> maybe we like to have sort of re-authentication after some time-out later in a SOAP-HEADER.
>
> We intend to use Rampart with the Axis2-Engine running our WS
>
> BUT
>
> What do we need on the Client Site to get first
>
> the password encrypted (Message Level Security) and
>
> later other sensible SOAP-HEADER/BODY-ELEMENTS
>
> How do these things fit together? .NET and WS-* (Security)
>
> Is there a good article somewhere how to achieve that?
>
> How could WSIT from SUN (the Metro WS Stack) help us?
>
> Does Apache Axis2-Team run or participate on the PLUG-FEST from Microsoft and SUN
>
> where participants demonstrate their interoperability capabilities against defined web-service servers/scenarios?
>
> What would be your approach / response to this Security Based Interoperability Issues?
>
> And how can we best make use of NetBeans (anything that supports us)
>
> Thankful for a Hint
>
> Josef
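
The policy shape the reply describes (a symmetric binding that signs and encrypts the SOAP Body, plus a policy alternative that admits a UsernameToken in the header for re-authentication), written out as a WS-SecurityPolicy 1.2 document. This is an added example, not part of the original thread and not taken from Rampart's samples; the policy Id, the algorithm suite and the use of WS-SecurityPolicy 1.2 are assumptions, and whether Rampart and WCF 3.5 both accept the second alternative is not confirmed on this page.

```xml
<!-- Constructed example policy (WS-SecurityPolicy 1.2); Id and algorithm suite are assumptions -->
<wsp:Policy wsu:Id="LoginServicePolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:All>
    <!-- Symmetric binding: a per-message key, wrapped for the service's X.509 certificate -->
    <sp:SymmetricBinding>
      <wsp:Policy>
        <sp:ProtectionToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
              <wsp:Policy><sp:RequireThumbprintReference/><sp:WssX509V3Token10/></wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:ProtectionToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
        <sp:IncludeTimestamp/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:SymmetricBinding>
    <sp:Wss11>
      <wsp:Policy><sp:MustSupportRefThumbprint/><sp:MustSupportRefEncryptedKey/></wsp:Policy>
    </sp:Wss11>
    <!-- The login request carries username and password in the Body: sign and encrypt it -->
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    <!-- Two alternatives; a client satisfies one of them -->
    <wsp:ExactlyOne>
      <!-- Alternative 1: no additional token; credentials stay in the encrypted Body -->
      <wsp:All/>
      <!-- Alternative 2: UsernameToken in the security header, signed and encrypted,
           for re-authentication after a time-out -->
      <wsp:All>
        <sp:SignedEncryptedSupportingTokens>
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SignedEncryptedSupportingTokens>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:All>
</wsp:Policy>
```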