We used SOAP on a project here and to make it secure did the following:

1) Had authorisation _in_ the service, the service was a facade that only connected to real services post initialisation. That was okay but the real security was outside in Tomcat where we did
2) SOAP/SSL with client side certificates. Simple certificate registration process.

This meant that we had two pieces of information required:
1) The person's username/password combination and
2) The remote system's client side certificate had to be valid.

Steve Jones

On Wed, 2001-11-28 at 15:16, Scott Nichol wrote:
> Why not use HTTP Authentication? If that is not good for you, you could
> include user/password in the parameter list for each SOAP method, and
> authenticate within the method. Either way, of course, you would be best
> off using SSL so that the password is encrypted.
>
> Scott
>
> ----- Original Message -----
> From: "Christian Geuer-Pollmann" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 28, 2001 4:26 AM
> Subject: Re: Authenticating SOAP Messages
>
>
> > > In our application, we are able to send the SOAP requests and responses.
> > > But how can I authorise those requests. In our normal scenario, we
> > > authenticate the user with pin/password and then he'll access the
> > > authorised functions. But in this SOAP scenario, whatever request comes,
> > > without authentication, should I allow them to get the response. One
> > > condition I'm assuming is allowing for only registered IP addresses. But
> > > this may not be a feasible one.
> > >
> > > Can you please suggest any existing mechanisms to do this. I've to
> > > implement this in our application.
> >
> > Maybe you can use the Apache XML Security package [1] for creating SOAP
> > Signatures using XML Signature. Whether digital signatures inside the SOAP
> > msg do meet the goal depends on your security requirements.
> >
> > Christian
> >
> > [1] http://xml.apache.org/security/
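As an added illustration (not code from Steve, Scott or any project named in the thread), here is how the two checks Steve describes, a registered client certificate at the TLS layer plus a username/password validated inside the service, can be combined with Scott's suggestion of carrying the credentials in the message itself. It assumes the TLS terminator (Tomcat in the thread) has already verified the certificate chain and hands the facade the client certificate subject, that credentials travel in a hypothetical SOAP Header element under the made-up namespace `urn:example:auth`, and that the certificate registry and user store are the constructed ones below.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"  # hypothetical namespace for the credentials header

# Constructed registry of client certificates accepted by the TLS layer,
# keyed by certificate subject; each maps to the usernames it may act for.
REGISTERED_CERTS = {"CN=partner-app-1,O=Example Partner": {"alice"}}

# Constructed user store holding salted PBKDF2 digests, never plaintext passwords.
SALT = b"constructed-static-salt"

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _digest("correct horse")}
DUMMY_DIGEST = _digest("")  # compared against for unknown users to keep timing uniform

def parse_credentials(envelope_xml):
    """Return (username, password) from the SOAP Header, or None if absent."""
    # Untrusted XML: production code should parse with defusedxml to block entity attacks.
    root = ET.fromstring(envelope_xml)
    cred = root.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}Credentials")
    if cred is None:
        return None
    user = cred.findtext(f"{{{AUTH_NS}}}Username")
    password = cred.findtext(f"{{{AUTH_NS}}}Password")
    return (user, password) if user and password is not None else None

def authorize(envelope_xml, client_cert_subject):
    """Both factors must pass: a registered client cert AND valid user credentials."""
    allowed_users = REGISTERED_CERTS.get(client_cert_subject)
    if allowed_users is None:
        return (False, "unregistered client certificate")
    creds = parse_credentials(envelope_xml)
    if creds is None:
        return (False, "missing credentials header")
    user, password = creds
    stored = USERS.get(user)
    matches = hmac.compare_digest(_digest(password), stored if stored else DUMMY_DIGEST)
    if stored is None or not matches:
        return (False, "bad username or password")
    if user not in allowed_users:
        return (False, "certificate not permitted to act for this user")
    return (True, user)

# Constructed sample request: credentials in the header, the real call in the body.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header><auth:Credentials xmlns:auth="{AUTH_NS}">
    <auth:Username>alice</auth:Username><auth:Password>correct horse</auth:Password>
  </auth:Credentials></soap:Header>
  <soap:Body><GetBalance/></soap:Body>
</soap:Envelope>"""
```

Rejecting on the certificate before parsing the body means an unregistered caller never reaches the XML parser or the password check at all.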