Posted to wss4j-dev@ws.apache.org by debest <va...@yahoo.it> on 2006/06/30 12:05:09 UTC

wsdoallreceiver

I'd like to have an Axis server that can handle every type of authentication
using the wss4j package, and therefore the wsdoallsender and wsdoallreceiver
classes. To explain better: I don't want to set the action parameter in my
service.wsdd, but the wsdoallreceiver should handle every type of
authentication.
My problem is that the httpsender.class on the client side doesn't send the
wshandlerconstants.action property to the other side, and so the
wshandlerreceiver doesn't know the action that it must use to authenticate.

-- 
View this message in context: http://www.nabble.com/wsdoallreceiver-tf1872359.html#a5117854
Sent from the WSS4J forum at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: AW: AW: wsdoallreceiver

Posted by debest <va...@yahoo.it>.
I don't understand, then, whether the system that I want to develop is
possible and, if not, what the problems you refer to are.
To give an example: on the client side I decide that I want to present my
credentials in usernameToken form (username-password); the server, when it
receives the message, will try to authenticate the client with the PWCallback
class, comparing the pair (username-password) given by the client with the
username-password pairs that the server took from its database. If there is a
match then the client will be authenticated.
The client could want to present his digital certificate to be
authenticated. The server, when it receives the message, takes this
certificate and compares it with the certificates it considers secure, which
it has saved in a keystore file. If the operation is successful the client
will be authenticated; otherwise not, and the web service will not be
accessible to the client.
But to do this I need the server to know the authentication action
(WSHandlerConstants.action) so that it can handle the arrived message in the
right way, and I think that this parameter could be sent from the client
(which decides the way in which to be authenticated) to the server so that the
WSDOALLRECEIVER class can handle the message without modifying any code line
of the class.
Now you could ask why a user would want to present a certificate if only a
username token is necessary, but the answer is that I could give more rights
in the next authorization phase to a client that has been authenticated with
his certificate (a more strict system).
I hope I have been clear enough in my explanation.


Re: AW: AW: wsdoallreceiver

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

IMHO the scenario you mentioned is supported by WS-SecurityPolicy.
And this policy will have to be published by the *service* with two
alternatives. The alternatives are to authenticate using a username
token _or_ to authenticate using the requester signature. Namely an
sp:TransportBinding with a UsernameToken or an sp:AsymmetricBinding.

IFF the service's security policy specifies those options as shown
below, the requester can decide to use either one of the
authentication modes.

Thanks,
Ruchith

On 7/4/06, debest <va...@yahoo.it> wrote:
>
> i don't understand then if the system that i want to develop is possible and
> if not what are the problems  you refer to.
> Make a example: on the client side i decide that i want present my
> credentials with usernameToken form (username-password); the server when
> receives message will try to authenticate the client with  PWCallback class
> comparing the pair (username- password) given by the client with the pairs
> username - password that the server took from its database. if there is a
> match then the client will be authenticated.
> The client could want to present his digital certificate to be
> authenticated. The server when receives the message takes this certificate
> and compares it with the certificates it considers secure that have saved in
> keystore file. If the operation is successful the client will be
> authenticated, otherwise no and the web service will not accessible to
> client.
> But for do this i need the server knows the authentication action
> (WSHandlerConstants.action) to can handle the arrived message in the right
> way, and i think that this parameter could be sent from the client (that
> decide the way in which be authenticated) to server so that the
> WSDOALLRECEIVER class can handler the message without modifing any code line
> of the class.
> Now you could question why a user could want present certificate if only
> username-token is necessary, but the answer is that i could give more rights
> in next authorization phase to a client that has been authenticated with his
> certificate (a more strict system).
> i hope i has been enough clear in my explanation


-- 
www.ruchith.org



Re: AW: AW: wsdoallreceiver

Posted by Werner Dittmann <We...@t-online.de>.
Robert,

you are right if the server can control the security, e.g. using a security
policy. We have done some preparations to implement the WS Security Policy
as soon as it becomes a bit more stable. Using WSP it shall be possible
to define a policy at the server that may define several ways to authenticate
or to use encryption.

The concern I raised was that the server must have the "last word" about the
security policy and/or the security actions.

Regards,
Werner

Robert Maier wrote:
> Hi,
> 
> I don't see this as a dangerous practice as long as you can specify to
> the server what to allow and what not (i.e. a security policy). If the
> client tries to force the server to communicate insecurely and the
> server does not accept that I don't really see the problem. SSL cipher
> negotiations jump to mind as reference.
> 
> I am interested too in a way to make the server side a bit more flexible
> so that it recognizes/understands the security mechanism that has been
> used to protect the incoming message. The choice of whether the service
> should be accessible using a certain security mechanism should be left
> to another "module".
> 
> My 2 cents,
> Robert.
> 
> On 7/1/06, *Werner Dittmann* <Werner.Dittmann@t-online.de
> <ma...@t-online.de>> wrote:
> 
>     Well, having the client to decide which way to authenticate would be
>     dangerous and
>     a big security hole. The server has to be in charge and needs to decide
>     how to authenticate. If you require different ways of authentication I
>     would propose to setup different SOAP ports (service ports) with
>     different names.
> 
>     Regards,
>     Werner
> 
> 
>     debest wrote:
>     > but my prerequisite is that i must allow client to authenticate in the way it
>     > wants (es. with usernametoken, with certificate, ecc.). therefore i can't
>     > provide parameter in my WSDD file because in this way i can only set one
>     > authenticate method and so others are precluded.
> 




Re: AW: AW: wsdoallreceiver

Posted by Robert Maier <ro...@gmail.com>.
Hi,

I don't see this as a dangerous practice as long as you can specify to the
server what to allow and what not (i.e. a security policy). If the client
tries to force the server to communicate insecurely and the server does not
accept that I don't really see the problem. SSL cipher negotiations jump to
mind as reference.

I am interested too in a way to make the server side a bit more flexible so
that it recognizes/understands the security mechanism that has been used to
protect the incoming message. The choice of whether the service should be
accessible using a certain security mechanism should be left to another
"module".

My 2 cents,
Robert.

On 7/1/06, Werner Dittmann <We...@t-online.de> wrote:
>
> Well, having the client to decide which way to authenticate would be
> dangerous and
> a big security hole. The server has to be in charge and needs to decide
> how to authenticate. If you require different ways of authentication I
> would propose to setup different SOAP ports (service ports) with different
> names.
>
> Regards,
> Werner
>
>
> debest wrote:
> > but my prerequisite is that i must allow client to authenticate in the way it
> > wants (es. with usernametoken, with certificate, ecc.). therefore i can't
> > provide parameter in my WSDD file because in this way i can only set one
> > authenticate method and so others are precluded.

Re: AW: AW: wsdoallreceiver

Posted by Werner Dittmann <We...@t-online.de>.
Well, having the client decide which way to authenticate would be dangerous and
a big security hole. The server has to be in charge and needs to decide
how to authenticate. If you require different ways of authentication I
would propose to set up different SOAP ports (service ports) with different names.

Regards,
Werner


debest wrote:
> but my prerequisite is that i must allow client to authenticate in the way it
> wants (es. with usernametoken, with certificate, ecc.). therefore i can't
> provide parameter in my WSDD file because in this way i can only set one
> authenticate method and so others are precluded.




Re: AW: AW: wsdoallreceiver

Posted by debest <va...@yahoo.it>.
But my prerequisite is that I must allow the client to authenticate in the way
it wants (e.g. with usernametoken, with certificate, etc.). Therefore I can't
provide the parameter in my WSDD file, because in this way I can only set one
authentication method and so others are precluded.


Re: AW: wsdoallreceiver

Posted by debest <va...@yahoo.it>.
In the WSDoAllReceiver class there is this code:

    if ((action = (String) getOption(WSHandlerConstants.ACTION)) == null) {
        action = (String) msgContext.getProperty(WSHandlerConstants.ACTION);
    }

If the action parameter is not specified in the service.wsdd file, the action
parameter is taken from the msgContext in the WSHandlerConstants.ACTION
property. This property is not sent directly over the wire by the HTTPSender
class.
Is there some way to pass this parameter to the server side?