Posted to java-user@axis.apache.org by Shantanu Sen <ss...@pacbell.net> on 2004/01/09 21:58:31 UTC

question regarding WSDL and WS-Security

Please point me to the correct forum if you know where
I should post this question. 

As far as I know, currently there is no extension in
WSDL  for WS-Security. In other words, looking at a
WSDL there is no way to figure out if the service
expects security information as specified in
WS-Security in the header/body of the SOAP envelope.

If this is true, how does a client know how to send
the correct SOAP message to the service i.e. how does
it know to add the required security info?

Thanks for any info regarding this.

Shantanu Sen


Re: question regarding WSDL and WS-Security

Posted by Ricky Ho <ri...@cisco.com>.
Here is what I'm thinking ...

WSDL Binding has some extensibility with which you can declare which part to 
encrypt.  But I probably will go with another route, described as follows ...

There is a WSDL and a WS-Policy; which part is to be encrypted will be described 
in the WS-Policy.

The communication path will look like ...
ClientApp -> ClientSideGateway -> Network -> ServerSideGateway -> ServerApp

ClientApp & ServerApp - care only about WSDL
ClientSideGateway & ServerSideGateway - care only about WS-Policy

Rgds, Ricky

At 01:30 PM 1/9/2004 -0800, Shantanu Sen wrote:
>Suppose I have a method that I want to expose as a
>web-service. I can generate a WSDL that describes the
>service end-point, format etc. Suppose I expect that
>one or more parameters of this method will be
>encrypted, and my service will also return an
>encrypted string which I expect the client to decrypt.
>
>
>How would I go about describing this to the client?
>Clearly, I need to supply something more than a WSDL
>document to the client. Even if the client has an
>underlying infrastructure (e.g. a security gateway) it
>needs some sort of information. Does WS-Policy provide
>  that?
>
>Thanks,
>Shantanu Sen
>--- Ricky Ho <ri...@cisco.com> wrote:
> > There is a nice separation between application
> > processing and
> > infrastructure processing.  WSDL describes the
> > former and WS-Policy
> > describes the latter.
> >
> > If you are writing application code, you shouldn't
> > care about WS-Policy
> > (and WS-Security), you only care about WSDL.  The
> > underlying infrastructure
> > (e.g. a security gateway) should take care about
> > this for you.
> >
> > However, if you are writing the intermediary code
> > doing infrastructure
> > processing, then you shouldn't care about WSDL.
> > Instead you should deal
> > with WS-Policy which is a less mature area (you
> > probably need to do some
> > proprietary policy exchange handshaking).
> >
> > Rgds, Ricky
> >
> > At 12:58 PM 1/9/2004 -0800, Shantanu Sen wrote:
> > >Please point me to the correct forum if you know
> > where
> > >I should post this question.
> > >
> > >As far as I know, currently there is no extension
> > in
> > >WSDL  for WS-Security. In other words, looking at a
> > >WSDL there is no way to figure out if the service
> > >expects security information as specified in
> > >WS-Security in the header/body of the SOAP
> > envelope.
> > >
> > >If this is true, how does a client know how to send
> > >the correct SOAP message to the service i.e. how
> > does
> > >it know to add the required security info?
> > >
> > >Thanks for any info regarding this.
> > >
> > >Shantanu Sen
> >
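
Added example, not part of the original thread and not Axis code: a sketch of what the client-side gateway in the reply above would do, reading the policy attached to a WSDL binding to learn which message parts to encrypt or sign. It assumes the WS-SecurityPolicy assertion vocabulary (sp:EncryptedParts, sp:SignedParts), which was standardized after this thread; the WSDL, binding names and policy Id are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")

# Constructed sample: one binding references a policy, the other has none.
SAMPLE_WSDL = """\
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="EncryptBody">
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
  </wsp:Policy>
  <wsdl:binding name="SecureBinding">
    <wsp:PolicyReference URI="#EncryptBody"/>
  </wsdl:binding>
  <wsdl:binding name="PlainBinding"/>
</wsdl:definitions>
"""

def required_protection(wsdl_text):
    """Map each binding name to the parts its policy says to encrypt and sign."""
    root = ET.fromstring(wsdl_text)
    policies = {p.get(WSU_ID): p for p in root.findall("wsp:Policy", NS)}
    result = {}
    for binding in root.findall("wsdl:binding", NS):
        needs = {"encrypt": [], "sign": []}
        for ref in binding.findall("wsp:PolicyReference", NS):
            policy = policies.get(ref.get("URI", "").lstrip("#"))
            if policy is None:
                # Fail closed: an unresolved reference must not read as
                # "no security required".
                raise ValueError("unresolved policy " + ref.get("URI", ""))
            for key, tag in (("encrypt", "sp:EncryptedParts"),
                             ("sign", "sp:SignedParts")):
                for parts in policy.iterfind(".//" + tag, NS):
                    needs[key] += [c.tag.split("}")[1] for c in parts]
        result[binding.get("name")] = needs
    return result

if __name__ == "__main__":
    for name, needs in required_protection(SAMPLE_WSDL).items():
        print(name, needs)
```
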


Re: question regarding WSDL and WS-Security

Posted by Shantanu Sen <ss...@pacbell.net>.
Suppose I have a method that I want to expose as a
web-service. I can generate a WSDL that describes the
service end-point, format etc. Suppose I expect that
one or more parameters of this method will be
encrypted, and my service will also return an
encrypted string which I expect the client to decrypt.


How would I go about describing this to the client?
Clearly, I need to supply something more than a WSDL
document to the client. Even if the client has an
underlying infrastructure (e.g. a security gateway) it
needs some sort of information. Does WS-Policy provide
 that? 

Thanks,
Shantanu Sen
--- Ricky Ho <ri...@cisco.com> wrote:
> There is a nice separation between application
> processing and 
> infrastructure processing.  WSDL describes the
> former and WS-Policy 
> describes the latter.
> 
> If you are writing application code, you shouldn't
> care about WS-Policy 
> (and WS-Security), you only care about WSDL.  The
> underlying infrastructure 
> (e.g. a security gateway) should take care about
> this for you.
> 
> However, if you are writing the intermediary code
> doing infrastructure 
> processing, then you shouldn't care about WSDL. 
> Instead you should deal 
> with WS-Policy which is a less mature area (you
> probably need to do some 
> proprietary policy exchange handshaking).
> 
> Rgds, Ricky
> 
> At 12:58 PM 1/9/2004 -0800, Shantanu Sen wrote:
> >Please point me to the correct forum if you know
> where
> >I should post this question.
> >
> >As far as I know, currently there is no extension
> in
> >WSDL  for WS-Security. In other words, looking at a
> >WSDL there is no way to figure out if the service
> >expects security information as specified in
> >WS-Security in the header/body of the SOAP
> envelope.
> >
> >If this is true, how does a client know how to send
> >the correct SOAP message to the service i.e. how
> does
> >it know to add the required security info?
> >
> >Thanks for any info regarding this.
> >
> >Shantanu Sen
> 


Re: question regarding WSDL and WS-Security

Posted by Ricky Ho <ri...@cisco.com>.
There is a nice separation between application processing and 
infrastructure processing.  WSDL describes the former and WS-Policy 
describes the latter.

If you are writing application code, you shouldn't care about WS-Policy 
(and WS-Security), you only care about WSDL.  The underlying infrastructure 
(e.g. a security gateway) should take care about this for you.

However, if you are writing the intermediary code doing infrastructure 
processing, then you shouldn't care about WSDL.  Instead you should deal 
with WS-Policy which is a less mature area (you probably need to do some 
proprietary policy exchange handshaking).

Rgds, Ricky

At 12:58 PM 1/9/2004 -0800, Shantanu Sen wrote:
>Please point me to the correct forum if you know where
>I should post this question.
>
>As far as I know, currently there is no extension in
>WSDL  for WS-Security. In other words, looking at a
>WSDL there is no way to figure out if the service
>expects security information as specified in
>WS-Security in the header/body of the SOAP envelope.
>
>If this is true, how does a client know how to send
>the correct SOAP message to the service i.e. how does
>it know to add the required security info?
>
>Thanks for any info regarding this.
>
>Shantanu Sen