Posted to soap-dev@ws.apache.org by "Nelson, Christopher" <cn...@synchrony.net> on 2000/10/18 22:18:03 UTC

Authentication sample code (was re:Authentication)

I am using the SOAP headers for authentication, since this seemed to be a
suggested way to do authentication according to the SOAP spec.  I created an
interface called HeaderProcessor which contains a single method used to pass
the headers into the target object.  I added some code to RPCRouterServlet
to call this method as follows:

      // if it's a header processor, give it the header
      if (targetObject instanceof HeaderProcessor)
        ((HeaderProcessor) targetObject).processHeader (call.getHeader());

In the client, I add header entries for a username and password.  On the
server, in targetObject I extract the username and password from the header
and throw an exception if the login failed.  I'm attaching the code, as I
promised earlier.  I hope this will spark useful discussion.  In this week's
IRC meeting, Glen Daniels also said he would try to post his work which
would allow for adding header processors which would also be a logical way
to do the security check of the header.  But since I need something to give
our customers now, I did something simple which works.  We're also using the
SSL code George posted so that the security information is encrypted en
route.

Attached is:
1) RPCRouter servlet with the change.  
2) HeaderProcessor interface
3) buildAuthHeader.txt which contains sample code of building an auth header
on the client and consuming on the server.

Feedback and comments are welcome.

-----Original Message-----
From: Jeff_Saremi@manulife.com [mailto:Jeff_Saremi@manulife.com]
Sent: Wednesday, October 18, 2000 10:20 AM
To: soap-dev@xml.apache.org
Subject: Authentication


Could anyone tell me how SOAP handles the WWW authentication being
requested by the web server? Is there any mechanism to ask the user for the
name and password or get them from a config file? Are there any specific
exceptions being thrown so the caller can get the id and password and send
the request again?

I looked at SOAP 2.0 and also SecureSoap and I didn't see anything.

Thanks

Jeff Saremi
Manulife Financial
416.926.3000 x7005
Fax: 416.926.5366
Jeff_Saremi@manulife.com
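
The server-side header check described in the message above, written as an added example; it is not the code attached to the original post. The HeaderProcessor here takes the header entries as DOM elements rather than the call.getHeader() object, and the urn:example:auth namespace, the element names and the account are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class HeaderAuthExample {
    static final String AUTH_NS = "urn:example:auth"; // hypothetical namespace
    // Stand-in for the post's HeaderProcessor: the real method receives
    // call.getHeader(); here the header entries arrive as DOM elements.
    interface HeaderProcessor { void processHeader(List<Element> headerEntries); }

    static class TargetObject implements HeaderProcessor {
        // Constructed demo account; a real store would hold salted password hashes.
        private final Map<String, String> accounts = Map.of("alice", "demo-password");
        public void processHeader(List<Element> entries) {
            String user = null, pass = null;
            for (Element e : entries) {
                if (!AUTH_NS.equals(e.getNamespaceURI())) continue; // skip unrelated entries
                if ("username".equals(e.getLocalName())) user = e.getTextContent();
                if ("password".equals(e.getLocalName())) pass = e.getTextContent();
            }
            // Fail closed: a missing entry is a failed login, not an anonymous call.
            if (user == null || pass == null) throw new SecurityException("credentials missing");
            String expected = accounts.get(user);
            boolean ok = expected != null && MessageDigest.isEqual( // constant-time compare
                pass.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
            if (!ok) throw new SecurityException("login failed"); // same error for bad user or password
        }
    }

    // Client side: build the two header entries (constructed sample values).
    static List<Element> authHeader(Document d, String user, String pass) {
        Element u = d.createElementNS(AUTH_NS, "auth:username");
        u.setTextContent(user);
        Element p = d.createElementNS(AUTH_NS, "auth:password");
        p.setTextContent(pass);
        return List.of(u, p);
    }

    public static void main(String[] args) throws Exception {
        Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        TargetObject target = new TargetObject();
        for (List<Element> h : List.of(authHeader(d, "alice", "demo-password"),
                authHeader(d, "alice", "wrong"), List.<Element>of())) {
            try { target.processHeader(h); System.out.println("accepted"); }
            catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
        }
    }
}
```

The check keeps no login state in a field, so each call is accepted or rejected on its own header.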