List,

Do you have any examples of a web service (consumer) that uses WS Single
Sign On mechanism as with SAML to send credentials around? If possible
(although I don't think this would be much complicated) it uses Acegi
Security to allow the application a handle to the Subject, thus allowing for
automatic adding of credentials on outgoing messages from the called web
service.

Would be something like this (don't have experience with SAML, so the
"language" or even the idea might be inaccurate) :

Client calls a Web Service and authenticates itself. Credentials are sent
back to the client and stored (somewhere. Ideally Acegi Security should have
them around).

Client makes a call to WebService-A. An outHandler automatically gets the
Subject information (including ticket, or whatever) adds SAML Security
information to the outgoing message.

WebService-A's inHandler analyzes the SAML Security Information. Based on
it, it creates a Subject with all the roles defined.

If WebService-A calls any other web service, the same outHandler as in the
Client is used to send credentials.


I was wondering this because:
  - I do not want passwords going around, not even if they are encrypted
  - I need the Subject's role information and name for business logic
purposes and auditing.
  - I want a "pluggable" way to do it, so I don't have to code this every
time I create a web service / client. Just add a jar and configure spring.

Any other feedback, help, pointers, or other ways to do this are, of course,
more than welcome.

Regards
Andres B.
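
The four-step flow sketched in the message above, as an added example that is not part of the original post and is not Acegi Security or SAML library code. It assumes an HMAC-signed string as a simplified stand-in for a signed SAML assertion and a plain map as a stand-in for the message headers; the key, header name, user and roles are constructed, and the `record` needs Java 16 or later.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.*;
public class AssertionPropagationDemo {
    static final byte[] KEY = "constructed-demo-key".getBytes(UTF_8); // constructed; shared by issuer and services
    static final String HEADER = "X-Demo-Assertion";                  // hypothetical header name
    record Named(String name) implements Principal { public String getName() { return name; } }
    static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }
    // Step 1: after login, the issuer returns name, roles and expiry; no password is included.
    static String issue(String user, List<String> roles, long expiresAt) throws Exception {
        String payload = user + "|" + String.join(",", roles) + "|" + expiresAt;
        return payload + "." + sign(payload);
    }
    // Steps 2 and 4: the out-handler copies the caller's assertion onto the outgoing message.
    static void outHandler(Map<String, String> headers, String assertion) { headers.put(HEADER, assertion); }
    // Step 3: the in-handler verifies the assertion and builds a Subject with name and roles.
    static Subject inHandler(Map<String, String> headers, long now) throws Exception {
        String token = headers.getOrDefault(HEADER, "");
        int dot = token.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("missing assertion");
        String payload = token.substring(0, dot);
        // Constant-time comparison of the recomputed tag with the presented one.
        boolean ok = MessageDigest.isEqual(sign(payload).getBytes(UTF_8), token.substring(dot + 1).getBytes(UTF_8));
        String[] f = payload.split("\\|");
        if (!ok || f.length != 3) throw new SecurityException("invalid assertion");
        if (Long.parseLong(f[2]) < now) throw new SecurityException("expired assertion");
        Subject subject = new Subject();
        subject.getPrincipals().add(new Named("user:" + f[0]));
        for (String r : f[1].split(",")) subject.getPrincipals().add(new Named("role:" + r));
        return subject;
    }
    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        Map<String, String> toA = new HashMap<>(), toB = new HashMap<>();
        outHandler(toA, issue("alice", List.of("USER", "AUDITOR"), now + 60_000)); // client -> WebService-A
        System.out.println("A sees " + new ArrayList<>(inHandler(toA, now).getPrincipals()));
        outHandler(toB, toA.get(HEADER));                                          // WebService-A -> next service
        System.out.println("B sees " + new ArrayList<>(inHandler(toB, now).getPrincipals()));
        toB.put(HEADER, toA.get(HEADER).replace("USER", "ADMIN"));                 // roles altered in transit
        try { inHandler(toB, now); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A shared HMAC key lets any verifying service also mint assertions; a signed SAML assertion avoids that by having the issuer sign with a private key that the services only verify against.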
