Posted to soap-dev@ws.apache.org by Craig Payne <cr...@perfect.com> on 2000/08/16 02:37:26 UTC

Authentication and SOAP

I have recently begun using the Apache SOAP implementation and I am
wondering how people handle the authentication process that is available in
the HTTP protocol?  I am trying to use the Apache implementation but I need
to use Basic Authentication.  After perusing the source code, it looks like I
could populate the message with appropriate HTTP headers in the invoke()
method of Call.  I am wondering what the best way to handle authentication
is and if others have already solved this?

Thanks for the help,
Craig

Re: Authentication and SOAP

Posted by George I Matkovits <ma...@uswest.net>.
I just finished https extensions to SOAP and will start on
1.) authentication
2.) payload signing for non repudiation
IMHO a client Certificate would be the best solution to (1). This could also be
used for (2). What do you think, please?
Basic Authentication would work OK over an encrypted https connection but where
would you keep 'securely' the client credentials since SOAP will have to work in
'batch' mode also, without any human intervention. (-: A 'properties' file
approach could only work with encrypted entries. I have done this once before on
NT for a batch job submission application about 5 years ago which is still in
use. Even an encrypted properties file needs a key which is very difficult to
keep secret in an open OS environment. I managed to make it work on NT but I
would not know how to do it on Unix -Linux- unless I would use its SUI
capability which IMHO stinks!)
Regards - George

Craig Payne wrote:

> I have recently begun using the Apache SOAP implementation and I am
> wondering how people handle the authentication process that is available in
> the HTTP protocol?  I am trying to use the Apache implementation but I need
> to use Basic Authentication.  After perusing the source code, it looks like I
> could populate the message with appropriate HTTP headers in the invoke()
> method of Call.  I am wondering what the best way to handle authentication
> is and if others have already solved this?
>
> Thanks for the help,
> Craig
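
An added example, not code from this thread or from Apache SOAP: one way to build the Basic Authentication header value discussed above for an unattended (batch) client, refusing non-https endpoints and credential files readable by anyone but the owner. It assumes a plaintext properties file protected by POSIX permissions, which is a different mitigation from the encrypted entries George describes; the class name, the key names soap.user and soap.password, and the endpoint URL are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Base64;
import java.util.Properties;

public class SoapBasicAuth {
    /** Returns the Authorization header value, or throws if the setup would expose the password. */
    static String authorizationHeader(URI endpoint, Path credFile) throws IOException {
        // Basic credentials are only base64-encoded, so refuse any transport except https.
        if (!"https".equalsIgnoreCase(endpoint.getScheme()))
            throw new IllegalArgumentException("Basic Authentication requires https: " + endpoint);
        // Batch use: the file must be accessible by its owner only (POSIX file systems).
        for (PosixFilePermission p : Files.getPosixFilePermissions(credFile))
            if (!p.name().startsWith("OWNER_"))
                throw new SecurityException(credFile + " is accessible beyond its owner: " + p);
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(credFile)) {
            props.load(in);
        }
        String user = props.getProperty("soap.user");      // hypothetical key names
        String pass = props.getProperty("soap.password");
        if (user == null || pass == null || user.contains(":"))
            throw new IllegalArgumentException("missing or malformed credentials in " + credFile);
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample credentials in a temp file created with mode 0600.
        Path f = Files.createTempFile("soap", ".properties",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.write(f, "soap.user=batch\nsoap.password=s3cret\n".getBytes(StandardCharsets.UTF_8));
        URI endpoint = URI.create("https://soap.example.com/rpcrouter"); // placeholder endpoint
        System.out.println("Authorization: " + authorizationHeader(endpoint, f));
        try {
            authorizationHeader(URI.create("http://soap.example.com/rpcrouter"), f);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            Files.delete(f);
        }
    }
}
```

The returned string is the value for the HTTP Authorization request header; how it is attached to the outgoing SOAP request depends on the transport code in use.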

