Posted to soap-user@xml.apache.org by "N.V.Sairam" <sa...@bs.nes.nec.co.jp> on 2001/04/25 04:08:47 UTC

Soap Security features.

Hi,

Can anybody suggest how to go about SOAP security features?


Thanks,
N.V.Sairam
----------------------------------------------------
NEC Soft, Ltd.
1-8-16, Shikiba,
Kotuo-ku,
Tokyo 136 8606
Phone : (03)  5569 3228
Email : sairam@bs.nes.nec.co.jp
-----------------------------------------------------

Sessions -- cookies/URL rewriting hard to make work with SOAP

Posted by David Wall <dw...@Yozons.com>.
How does SOAP handle session-scoped objects and such (versus request/page)?  I can picture that a session would be started because it's running in Tomcat, for example, but there's no protocol (is there?) for sending back the session id and such so that a subsequent soap call can make use of it.

In a standard browser world, that session id would be handled in cookies or would be encoded in URLs returned in a page response.  Is the idea to make this work based on my soap handler embedding the session id in the response object so that the soap client can use it in the url for subsequent soap requests?  If so, how would my bean access this since it doesn't ever see the HttpRequest object that would contain the info?

David

Security of deploying and undeploying services

Posted by David Wall <dw...@Yozons.com>.
From what I can tell, there's no apparent security associated with deploying and undeploying services.  It seems that if I do an HTTP GET/POST to the right URL, that I can deploy and undeploy.  Using Apache, I could probably password-protect that URL, but even that's hard since the main URL just points to the rpcrouter servlet.

And what keeps someone from using org.apache.soap.server.ServiceManagerClient to deploy/undeploy on my server?  I figure I'm just missing something, but I can't figure it out.

Thanks,
David

