Posted to soap-user@ws.apache.org by Fuhrmann Peter <Pe...@softlab.de> on 2001/11/28 09:40:37 UTC

AW: Authenticating SOAP Messages

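You can use HTTP authentication; see the following client code snippet:

    // Requires org.apache.soap.rpc.Call and
    // org.apache.soap.transport.http.SOAPHTTPConnection
    SOAPHTTPConnection connection = new SOAPHTTPConnection();
    connection.setMaintainSession(true);

    // Credentials sent as HTTP Basic authentication
    connection.setUserName("user");
    connection.setPassword("password");

    // "call" is the org.apache.soap.rpc.Call being invoked
    call.setSOAPTransport(connection);

On the server side you must choose BASIC authentication for the RPCRouterServlet
context. In the web.xml it looks like this: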
 
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/servlet/rpcrouter</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>

And, of course, you have to define the user, password and role somewhere -
this depends on the container. In Tomcat using the default realm you put
this into the tomcat-users.xml. In WebLogic (using the default WebLogic
realm) you put this in the weblogic.properties.
 
Hope this helps.
Peter
 

-----Original Message-----
From: P Sreenivasa Rao [mailto:psrao@cmcltd.com]
Sent: Wednesday, 28 November 2001 21:38
To: SOAP@DISCUSS.DEVELOP.COM; soapbuilders@yahoogroups.com
Cc: soap-dev@xml.apache.org; soap-user@xml.apache.org
Subject: Authenticating SOAP Messages

Hi all,
 
In our application, we are able to send the SOAP requests and responses.
But how can I authorise those requests? In our normal scenario, we
authenticate the user with pin/password and then he'll access the authorised
functions. But in this SOAP scenario, whatever request comes, without
authentication, should I allow them to get the response?
One condition I'm assuming is allowing for only registered IP addresses. But
this may not be a feasible one.

Can you please suggest any existing mechanisms to do this? I've to implement
this in our application.
 
Thanks in advance,
 
Sreenivas P,
CMC Ltd,
Hyderabad,
India
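
An added example, not part of the original post and not code from Apache SOAP or Tomcat: a small Python audit of the deployment descriptor shown above. It reports the two properties of that configuration a reviewer would check: an `<http-method>` list leaves unlisted methods outside the constraint, and BASIC credentials are only Base64-encoded unless the constraint requires `CONFIDENTIAL` transport. The names `audit_web_xml`, `KNOWN_METHODS` and the wrapped sample document are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Methods a servlet container may dispatch; used to show what a method list leaves open.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: the constraint from the post, wrapped in <web-app> so it parses.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/servlet/rpcrouter</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def local(tag):
    """Drop any XML namespace so old DTD-style and newer descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return findings for method-limited constraints and cleartext BASIC auth."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = local(el.tag)
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # constraint does not require authentication
        for wrc in sc.iter("web-resource-collection"):
            urls = ",".join(u.text.strip() for u in wrc.iter("url-pattern"))
            listed = {m.text.strip().upper() for m in wrc.iter("http-method")}
            if listed:
                uncovered = sorted(KNOWN_METHODS - listed)
                findings.append(f"{urls}: methods not covered by the auth constraint: {uncovered}")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if auth == "BASIC" and guarantee != "CONFIDENTIAL":
            findings.append("BASIC credentials are only Base64-encoded; "
                            "constraint lacks transport-guarantee CONFIDENTIAL")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

A descriptor that omits the `<http-method>` elements and adds a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` produces no findings.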


Re: Authenticating SOAP Messages

Posted by P Sreenivasa Rao <ps...@cmcltd.com>.
Hi Peter,
Thank you for your immediate and elaborate reply. I'll try and get back to you.
Have a nice time,
with best regards,

Sreenivas P
----- Original Message ----- 
From: "Fuhrmann Peter" <Pe...@softlab.de>
To: <so...@xml.apache.org>
Sent: Wednesday, November 28, 2001 12:40 AM
Subject: AW: Authenticating SOAP Messages


> You can use HTTP authentication; see the following client code snippet:
>
>     SOAPHTTPConnection connection = new SOAPHTTPConnection();
>     connection.setMaintainSession(true);
>
>     connection.setUserName("user");
>     connection.setPassword("password");
>
>     call.setSOAPTransport(connection);
>
> On the server side you must choose BASIC authentication for the RPCRouterServlet
> context. In the web.xml it looks like this:
>  
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Protected Area</web-resource-name>
>         <!-- Define the context-relative URL(s) to be protected -->
>         <url-pattern>/servlet/rpcrouter</url-pattern>
>         <!-- If you list http methods, only those methods are protected -->
>         <http-method>DELETE</http-method>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>         <http-method>PUT</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>tomcat</role-name>
>       </auth-constraint>
>     </security-constraint>
>
>     <!-- Default login configuration uses BASIC authentication -->
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Example Basic Authentication Area</realm-name>
>     </login-config>
> 
> And, of course, you have to define the user, password and role somewhere -
> this depends on the container. In Tomcat using the default realm you put
> this into the tomcat-users.xml. In WebLogic (using the default WebLogic
> realm) you put this in the weblogic.properties.
>  
> Hope this helps.
> Peter
>  
> 
> -----Original Message-----
> From: P Sreenivasa Rao [mailto:psrao@cmcltd.com]
> Sent: Wednesday, 28 November 2001 21:38
> To: SOAP@DISCUSS.DEVELOP.COM; soapbuilders@yahoogroups.com
> Cc: soap-dev@xml.apache.org; soap-user@xml.apache.org
> Subject: Authenticating SOAP Messages
> 
> Hi all,
>  
> In our application, we are able to send the SOAP requests and responses.
> But how can I authorise those requests? In our normal scenario, we
> authenticate the user with pin/password and then he'll access the authorised
> functions. But in this SOAP scenario, whatever request comes, without
> authentication, should I allow them to get the response?
> One condition I'm assuming is allowing for only registered IP addresses. But
> this may not be a feasible one.
>
> Can you please suggest any existing mechanisms to do this? I've to implement
> this in our application.
>  
> Thanks in advance,
>  
> Sreenivas P,
> CMC Ltd,
> Hyderabad,
> India
> 
> 
