Posted to soap-user@ws.apache.org by "Mark A. Richman" <mr...@ispchannel.com> on 2001/01/08 00:11:30 UTC

Secure SOAP

How do I use SOAP over HTTPS?  I'd like to also capture the authenticated
userid & password on the server side, possibly to pass into a web service as
a parameter.

Thanks,
Mark Richman


Re: Getting authentication information (Secure SOAP)

Posted by "Mark A. Richman" <mr...@ispchannel.com>.
Was this ever resolved?

- Mark

Shinta Tjio wrote:
> 
> I'm very new to SOAP so I'm sorry if this question has been
> asked before. And I'm not necessarily using the SecureSOAP
> package George put out.
> 
> How can I get the authentication information, particularly
> user ID, from inside the SOAP service?
> 
> Here's the scenario I'm thinking. Let's say I'm providing
> a service called update() that will let bank clients edit
> their account information. Sure, I will do authentication
> and authorization. I will make sure that Bank Client A is
> really who he says he was (he's authenticated), I'll make
> sure that Bank Client A can call the update() method
> (he's authorized).
> 
> But how do I make sure that Bank Client A can only update
> his own account information, as opposed to updating someone
> else's account information? It seems to me, to do this,
> the update() method needs to know the authentication
> information, so that it updates the proper account.
> 
> What is the supported way of doing this for SOAP services?
> Can I access call header information from the server side?
> 
> thanks,
> shinta
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: soap-user-unsubscribe@xml.apache.org
> For additional commands, email: soap-user-help@xml.apache.org


Getting authentication information (Secure SOAP)

Posted by Shinta Tjio <st...@broadjump.com>.
I'm very new to SOAP so I'm sorry if this question has been
asked before. And I'm not necessarily using the SecureSOAP
package George put out.

How can I get the authentication information, particularly
user ID, from inside the SOAP service?

Here's the scenario I'm thinking. Let's say I'm providing 
a service called update() that will let bank clients edit 
their account information. Sure, I will do authentication
and authorization. I will make sure that Bank Client A is 
really who he says he was (he's authenticated), I'll make 
sure that Bank Client A can call the update() method
(he's authorized). 

But how do I make sure that Bank Client A can only update 
his own account information, as opposed to updating someone
else's account information? It seems to me, to do this,
the update() method needs to know the authentication
information, so that it updates the proper account. 

What is the supported way of doing this for SOAP services?
Can I access call header information from the server side?

thanks,
shinta
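
The ownership check this question asks about, as an added example that is not part of the original thread or of Apache SOAP: the service receives the identity the server authenticated (in a servlet container, the value of HttpServletRequest.getUserPrincipal()) and refuses any account that identity does not own. AccountService, its methods and the sample accounts are hypothetical, and how the principal is handed to the method is an assumption.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Added illustration; AccountService, its methods and the sample accounts are hypothetical.
public class AccountService {
    // Constructed sample data: account id -> owning user id, account id -> address.
    private final Map<String, String> ownerOf = new HashMap<>();
    private final Map<String, String> addressOf = new HashMap<>();

    public AccountService() {
        ownerOf.put("acct-1001", "clientA");
        ownerOf.put("acct-2002", "clientB");
        addressOf.put("acct-1001", "1 Old Street");
        addressOf.put("acct-2002", "2 Old Street");
    }

    // Flawed: checks only that the caller is authenticated, then trusts the
    // account id taken from the request body, so any client can edit any account.
    public void updateTrustingRequest(Principal caller, String accountId, String address) {
        if (caller == null) throw new SecurityException("not authenticated");
        addressOf.put(accountId, address);
    }

    // Hardened: the account must belong to the identity the server authenticated.
    public void update(Principal caller, String accountId, String address) {
        if (caller == null) throw new SecurityException("not authenticated");
        String owner = ownerOf.get(accountId);
        // Same error for "no such account" and "not yours", so ids cannot be probed.
        if (owner == null || !owner.equals(caller.getName())) {
            throw new SecurityException("account not available to caller");
        }
        addressOf.put(accountId, address);
    }

    public String address(String accountId) {
        return addressOf.get(accountId);
    }

    public static void main(String[] args) {
        AccountService svc = new AccountService();
        // Stands in for the principal the container produced after HTTPS authentication.
        Principal clientA = () -> "clientA";

        svc.update(clientA, "acct-1001", "10 New Road");      // own account: allowed
        System.out.println("acct-1001: " + svc.address("acct-1001"));
        try {
            svc.update(clientA, "acct-2002", "10 New Road");  // someone else's: refused
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
        System.out.println("acct-2002: " + svc.address("acct-2002"));
    }
}
```

The user id is never read from the SOAP body, and the password does not need to reach the service method at all once the server has verified it.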


RE: Secure SOAP

Posted by "Mark A. Richman" <mr...@ispchannel.com>.
I meant "recommend", as in another vendor...hopefully other than M$.  Will
your implementation work with .NET?

- Mark

-----Original Message-----
From: George I Matkovits [mailto:matkovitsg@uswest.net]
Sent: Sunday, January 07, 2001 9:31 PM
To: soap-user@xml.apache.org
Subject: Re: Secure SOAP


It could but I will not have the time for some time to come. I will have to put
more time into Java Web Services.
Regards - George

"Mark A. Richman" wrote:

> Can you offer a suitable substitute until this is tested and released?  Will
> it work with Microsoft's implementation?
>
> Thanks,
> Mark
>
> -----Original Message-----
> From: George I Matkovits [mailto:matkovitsg@uswest.net]
> Sent: Sunday, January 07, 2001 9:23 PM
> To: soap-user@xml.apache.org
> Subject: Re: Secure SOAP
>
> I will post my SecureSoap extensions (encryption, element signature and Server
> side authentication and ACL list support with utility to build it) sometime
> after the upcoming V2.1 release. The current codebase is off the CVS tree on
> 9/18/2000 and it almost doubles the size of that code base :-) It is fully UDDI
> compliant and uses headers for 'encapsulating' the security/authentication
> information. I still have to simplify the server ACL creation scripts. I also
> use Diffie-Hellman Public Keys to create Client/Server tripleDES encryption keys
> which are around 1000 faster than public keys based encryption. It was a huge
> job to put it together.
> Regards - George
>
> "Mark A. Richman" wrote:
>
> > How do I use SOAP over HTTPS?  I'd like to also capture the authenticated
> > userid & password on the server side, possibly to pass into a web service as
> > a parameter.
> >
> > Thanks,
> > Mark Richman

Re: Secure SOAP

Posted by George I Matkovits <ma...@uswest.net>.
It could but I will not have the time for some time to come. I will have to put
more time into Java Web Services.
Regards - George

"Mark A. Richman" wrote:

> Can you offer a suitable substitute until this is tested and released?  Will
> it work with Microsoft's implementation?
>
> Thanks,
> Mark
>
> -----Original Message-----
> From: George I Matkovits [mailto:matkovitsg@uswest.net]
> Sent: Sunday, January 07, 2001 9:23 PM
> To: soap-user@xml.apache.org
> Subject: Re: Secure SOAP
>
> I will post my SecureSoap extensions (encryption, element signature and Server
> side authentication and ACL list support with utility to build it) sometime
> after the upcoming V2.1 release. The current codebase is off the CVS tree on
> 9/18/2000 and it almost doubles the size of that code base :-) It is fully UDDI
> compliant and uses headers for 'encapsulating' the security/authentication
> information. I still have to simplify the server ACL creation scripts. I also
> use Diffie-Hellman Public Keys to create Client/Server tripleDES encryption keys
> which are around 1000 faster than public keys based encryption. It was a huge
> job to put it together.
> Regards - George
>
> "Mark A. Richman" wrote:
>
> > How do I use SOAP over HTTPS?  I'd like to also capture the authenticated
> > userid & password on the server side, possibly to pass into a web service as
> > a parameter.
> >
> > Thanks,
> > Mark Richman

RE: Secure SOAP

Posted by "Mark A. Richman" <mr...@ispchannel.com>.
Can you offer a suitable substitute until this is tested and released?  Will
it work with Microsoft's implementation?

Thanks,
Mark

-----Original Message-----
From: George I Matkovits [mailto:matkovitsg@uswest.net]
Sent: Sunday, January 07, 2001 9:23 PM
To: soap-user@xml.apache.org
Subject: Re: Secure SOAP


I will post my SecureSoap extensions (encryption, element signature and Server
side authentication and ACL list support with utility to build it) sometime
after the upcoming V2.1 release. The current codebase is off the CVS tree on
9/18/2000 and it almost doubles the size of that code base :-) It is fully UDDI
compliant and uses headers for 'encapsulating' the security/authentication
information. I still have to simplify the server ACL creation scripts. I also
use Diffie-Hellman Public Keys to create Client/Server tripleDES encryption keys
which are around 1000 faster than public keys based encryption. It was a huge
job to put it together.
Regards - George

"Mark A. Richman" wrote:

> How do I use SOAP over HTTPS?  I'd like to also capture the authenticated
> userid & password on the server side, possibly to pass into a web service as
> a parameter.
>
> Thanks,
> Mark Richman

Re: Secure SOAP

Posted by George I Matkovits <ma...@uswest.net>.
I will post my SecureSoap extensions (encryption, element signature and Server
side authentication and ACL list support with utility to build it) sometime
after the upcoming V2.1 release. The current codebase is off the CVS tree on
9/18/2000 and it almost doubles the size of that code base :-) It is fully UDDI
compliant and uses headers for 'encapsulating' the security/authentication
information. I still have to simplify the server ACL creation scripts. I also
use Diffie-Hellman Public Keys to create Client/Server tripleDES encryption keys
which are around 1000 faster than public keys based encryption. It was a huge
job to put it together.
Regards - George

"Mark A. Richman" wrote:

> How do I use SOAP over HTTPS?  I'd like to also capture the authenticated
> userid & password on the server side, possibly to pass into a web service as
> a parameter.
>
> Thanks,
> Mark Richman
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: soap-user-unsubscribe@xml.apache.org
> For additional commands, email: soap-user-help@xml.apache.org
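
The key-agreement idea mentioned in the message above, as an added example using the standard Java JCA classes; it is not code from the SecureSoap package, which was not posted. Client and server exchange Diffie-Hellman public keys and each derives the same symmetric session key, so bulk encryption never uses public-key operations. The class and method names are hypothetical, and the sketch derives an AES-GCM key through SHA-256 where the post mentions triple DES.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; the class and method names are hypothetical.
public class DhSessionKeyDemo {

    // Each side combines its own private key with the peer's encoded public key.
    // The raw shared secret is hashed to obtain a fixed-length symmetric key.
    static SecretKeySpec deriveKey(KeyPair own, byte[] peerPublicEncoded) throws Exception {
        PublicKey peer = KeyFactory.getInstance("DH")
                .generatePublic(new X509EncodedKeySpec(peerPublicEncoded));
        KeyAgreement agreement = KeyAgreement.getInstance("DH");
        agreement.init(own.getPrivate());
        agreement.doPhase(peer, true);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(agreement.generateSecret());
        return new SecretKeySpec(digest, "AES");
    }

    public static void main(String[] args) throws Exception {
        // Both key pairs must use the same group; one generator guarantees that here.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("DH");
        generator.initialize(2048);
        KeyPair client = generator.generateKeyPair();
        KeyPair server = generator.generateKeyPair();

        // Only the public halves cross the wire. They must be authenticated
        // (for example signed), or an intermediary can substitute its own.
        SecretKeySpec clientKey = deriveKey(client, server.getPublic().getEncoded());
        SecretKeySpec serverKey = deriveKey(server, client.getPublic().getEncoded());
        System.out.println("keys match: "
                + Arrays.equals(clientKey.getEncoded(), serverKey.getEncoded()));

        // Client encrypts a constructed message fragment with the session key.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, clientKey, new GCMParameterSpec(128, iv));
        byte[] sealed = enc.doFinal(
                "<update>constructed sample</update>".getBytes(StandardCharsets.UTF_8));

        // Server decrypts with its independently derived copy of the key.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(sealed), StandardCharsets.UTF_8));
    }
}
```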

