Posted to soap-user@ws.apache.org by Bill Binole <bi...@Attachmate.com> on 2001/01/10 00:24:36 UTC

Access control

Has anyone given any thought to access control of SOAP services?  Something
I need to be able to do, but before I take off on my own figured I would
query the oracle of knowledge :-)

Bill

Re: Access control

Posted by George I Matkovits <ma...@uswest.net>.
I posted a version almost 5 months ago as part of SecureSoap and I have been
working on an updated version (SSL is just a very, very small part of the Soap
Security Solution. I wish more people would understand this!) I will repost
AFTER 2.1 ships and I can make the changes to the new base (the proposed
solution is also UDDI compliant). It is a very big job because the problem is
not just building the server's Access Control List automatically. There must be
a secure way of getting the client's credentials to the server (just a
certificate is not sufficient, UDDI requires a password). The server's ACL
entries must also be built automatically from the client-provided credentials.
Using PKI for any of this is also a long-term encryption suicide, since PKI is
almost 1000 times slower than symmetric key encryption. IMHO I have solved most
of the problems but it will have to go through another simplification cycle
before reposting. The only additional software required would be Sun's JCE jars.

Regards - George
p.s Would anyone like to help? (-:

Bill Binole wrote:

> Has anyone given any thought to access control of SOAP services?  Something
> I need to be able to do, but before I take off on my own figured I would
> query the oracle of knowledge :-)
>
> Bill


RE: Access control

Posted by Robert Dyas <rd...@adelphia.net>.
It seems to me there are two basic options, 1) implement your own user/pass
authentication (much like logging into a web site, but via soap) or 2) use
an authentication server, so your app can rely on a service to determine
access control (kind of like a Kerberos model). The advantage of 1 is that
you don't need a separate auth server. The advantage of 2 is that it would
seem easier to scale the number of apps without having duplicate user acct
info (since it is maintained by a separate server).

I am curious if anyone else is facing this issue, and if so, what option
sounds best to them. Or maybe some other option?


-----Original Message-----
From: Bill Binole [mailto:billbi@Attachmate.com]
Sent: Tuesday, January 09, 2001 6:25 PM
To: soap-user@xml.apache.org
Subject: Access control


Has anyone given any thought to access control of SOAP services?  Something
I need to be able to do, but before I take off on my own figured I would
query the oracle of knowledge :-)

Bill
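
The authentication-server option (2) above, using a symmetric key as raised earlier in the thread, shown as an added example that is not code from any poster or from Apache SOAP: an auth server issues a short-lived HMAC-signed ticket after checking the password, and each SOAP service verifies the ticket and then applies a per-method ACL. The class name, key, user names, method names and the `user|expiry|tag` ticket format are assumptions made for illustration; `Map.of`/`Set.of` need Java 9 or later.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

public class TicketAccessControl {
    // Constructed demo key shared by auth server and services; use a secret store in practice.
    static final byte[] KEY = "demo-only-shared-key-0123456789ab".getBytes(StandardCharsets.UTF_8);
    // Hypothetical ACL: SOAP method name -> users allowed to invoke it.
    static final Map<String, Set<String>> ACL = Map.of(
        "getQuote", Set.of("alice", "bob"),
        "placeOrder", Set.of("alice"));

    static String mac(String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding()
                     .encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Auth server side: call only after the user's password has been verified.
    static String issue(String user, long expiresEpochSec) throws Exception {
        String body = user + "|" + expiresEpochSec;
        return body + "|" + mac(body);
    }

    // Service side: check the tag, then the expiry, then the ACL for the requested method.
    static boolean authorize(String ticket, String method, long nowEpochSec) throws Exception {
        String[] p = ticket.split("\\|", -1);
        if (p.length != 3) return false;                      // malformed tickets fail closed
        byte[] expected = mac(p[0] + "|" + p[1]).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8))) return false;
        long exp;
        try { exp = Long.parseLong(p[1]); } catch (NumberFormatException e) { return false; }
        if (nowEpochSec >= exp) return false;                 // ticket has expired
        return ACL.getOrDefault(method, Set.of()).contains(p[0]);  // unknown method: deny
    }

    public static void main(String[] args) throws Exception {
        long now = 1_000_000L;                                // constructed clock value
        String t = issue("bob", now + 300);
        System.out.println(authorize(t, "getQuote", now));    // method bob is listed for
        System.out.println(authorize(t, "placeOrder", now));  // method bob is not listed for
        System.out.println(authorize(t.replace("bob", "alice"), "placeOrder", now)); // edited user
        System.out.println(authorize(t, "getQuote", now + 301));                     // past expiry
    }
}
```

The services never see the password, so user accounts live only on the auth server; the cost is that every service holding the shared key can also mint tickets, which is the trade-off of a symmetric design.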
