Why not use HTTP Authentication?  If that is not good for you, you could
include user/password in the parameter list for each SOAP method, and
authenticate within the method.  Either way, of course, you would be best
off using SSL so that the password is encrypted.

Scott

----- Original Message -----
From: "Christian Geuer-Pollmann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, November 28, 2001 4:26 AM
Subject: Re: Authenticating SOAP Messages


>
> > In our application, we are able to send the SOAP requests and responses.
> > But how can I authorise those requests. In our normal scenario, we
> > authenticate the user with pin/password and then he'll access the
> > authorised functions. But in this SOAP scenario, whatever request comes,
> > without authentication, should I allow them to get the response. One
> > condition I'm assuming is allowing for only registered IP addresses. But
> > this may not be a feasible one.
> >
> > Can you please suggest any existing mechanisms to do this. I've to
> > implement this in our application.
>
> Maybe you can use the Apache XML Security package [1] for creating SOAP
> Signatures using XML Signature. Whether digital signatures inside the SOAP
> msg do meet the goal depends on your security requirements.
>
> Christian
>
>
>
> [1] http://xml.apache.org/security/
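
The HTTP Authentication over SSL approach suggested in the reply above, sketched as an added example that is not part of the original thread or of any Apache SOAP code. The function names, the `is_tls` flag, the header dict and the credential store are all hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (user -> salt, password hash); no clear-text passwords kept.
USERS = {"alice": (b"constructed-salt", _kdf("constructed-pin", b"constructed-salt"))}

def authenticate(headers: dict):
    """Return the user name for valid HTTP Basic credentials, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Unknown users still pay for one KDF run, so timing does not reveal valid names.
    salt, stored = USERS.get(user, (b"no-such-user", b""))
    return user if hmac.compare_digest(_kdf(password, salt), stored) else None

def handle_soap(headers: dict, body: str, is_tls: bool):
    """Gate a SOAP request: returns (status, response_headers, response_body)."""
    if not is_tls:
        # Basic credentials are only base64-encoded; refuse them outside SSL/TLS.
        return 403, {}, ""
    user = authenticate(headers)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="soap"'}, ""
    # Only now would the SOAP body be parsed and the method dispatched.
    return 200, {"Content-Type": "text/xml"}, f"<!-- dispatched for {user} -->"

def basic_header(user: str, password: str) -> dict:
    """Client side: build the Authorization header for the request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

The same gate applies if the credentials travel as SOAP method parameters instead: verify them before any method logic runs, and only on a connection protected by SSL.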
