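You can use HTTP authentication; see the following client code snippet:
 
    // HTTP transport from Apache SOAP (org.apache.soap.transport.http)
    SOAPHTTPConnection connection = new SOAPHTTPConnection();
    connection.setMaintainSession(true);

    // Credentials sent to the server for HTTP BASIC authentication
    connection.setUserName("user");
    connection.setPassword("password");

    // "call" is the existing org.apache.soap.rpc.Call object
    call.setSOAPTransport(connection);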

On the server side you must choose BASIC authentication for the
RPCRouterServlet context. In the web.xml it looks like this:
 
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/servlet/rpcrouter</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>
 
    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>

And, of course, you have to define the user, password and role somewhere;
this depends on the container. In Tomcat, using the default realm, you put
this into the tomcat-users.xml. In WebLogic (using the default WebLogic
realm) you put this in the weblogic.properties.
 
Hope this helps.
Peter
 

-----Original Message-----
From: P Sreenivasa Rao [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 28 November 2001 21:38
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Authenticating SOAP Messages

Hi all,
 
In our application, we are able to send the SOAP requests and responses.
But how can I authorise those requests? In our normal scenario, we
authenticate the user with pin/password and then he'll access the authorised
functions. But in this SOAP scenario, whatever request comes, without
authentication, should I allow them to get the response?
One condition I'm assuming is allowing for only registered IP addresses. But
this may not be a feasible one.
 
Can you please suggest any existing mechanisms to do this? I have to
implement this in our application.
 
Thanks in advance,
 
Sreenivas P,
CMC Ltd,
Hyderabad,
India
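
The descriptor in the reply above carries the comment that listing HTTP methods protects only those methods, and BASIC sends the user name and password base64-encoded, not encrypted. As an added example (not part of the original messages; the function name `audit_web_xml`, the method list and the finding texts are assumptions), this Python check flags both conditions in a `web.xml`:

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor fragment from the reply above,
# wrapped in a <web-app> root so it parses as one document.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/servlet/rpcrouter</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Basic Authentication Area</realm-name>
  </login-config>
</web-app>"""

# Assumption: standard HTTP/1.1 methods; extension methods are equally uncovered.
ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def audit_web_xml(xml_text):
    """Return a list of (url_pattern, finding) tuples for a web.xml string."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any XML namespace prefix from tag names
        el.tag = el.tag.rsplit("}", 1)[-1]
    basic = (root.findtext("login-config/auth-method") or "").strip().upper() == "BASIC"
    findings = []
    for sc in root.iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        for wrc in sc.iter("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.findall("http-method") if m.text}
            for pat in wrc.findall("url-pattern"):
                url = (pat.text or "").strip()
                if listed:  # constraint applies only to the listed methods
                    uncovered = ", ".join(sorted(ALL_METHODS - listed))
                    findings.append((url, "methods not covered: " + uncovered))
                if basic and sc.find("auth-constraint") is not None and guarantee != "CONFIDENTIAL":
                    findings.append((url, "BASIC credentials sent without CONFIDENTIAL transport guarantee"))
    return findings

if __name__ == "__main__":
    for url, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(url, "->", finding)
```

Removing the `<http-method>` elements makes the constraint apply to every method, and a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` makes the container require an encrypted transport for the protected URL.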
