Best place to put credential data

 
Ranch Hand
Hi folks

I've been designing a WS and I really don't know where the best place to receive credential information is! Here are the options:
1 - HTTP headers? Why?
2 - SOAP headers? What's the difference between HTTP and SOAP headers?
3 - Method signature? It's not a good place, but it works!
4 - I can use HTTP Basic login/password too.
So... which have you used?
Best Regards.
 
Ranch Hand
Hi!
My bet is 2 - in the SOAP headers.
In addition, security code should preferably be implemented in a handler, to keep it separate from the service implementation and make it easily exchangeable.
Why?
First of all, if you change the underlying transport protocol from HTTP to, for instance, JMS, then there are no HTTP headers and you will have to change the entire security model.
Putting the information in the SOAP headers is the solution that does not limit future options.
Regarding 3: Mixing business and security implementations is not a good idea. If you ever want to change the security used by the service and have credential information in method parameters, then you have quite some work to do.
Regarding 4: HTTP basic security works well with HTTP. Again, if you decide to change transport protocol, then you will need to perform some extra work to change the security model.
Best wishes!
 
Fernando Franzini
Ranch Hand
Hi Ivan
Thanks a lot for your tips.
I'll use SOAP headers... But I don't know which API I'll choose, maybe AXIS; does it have handlers or not?
By the way, I'm using your PDF to study for the JWS certification!
Best Regards
 
Rancher
The standard way to secure SOAP services is to use WS-Security, which is supported by all major SOAP stacks, including Axis (check out its Rampart module). It adds all the required SOAP headers so you don't need to mess with those.
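
Added example (not from the thread, and not Axis or Rampart code): the WS-Security UsernameToken header discussed above, checked by handler-style code that sees only the SOAP envelope, so the check is the same whatever transport delivered it. The class name, sample envelope and credentials are constructed for illustration; only JDK XML APIs are used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class UsernameTokenCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Handler-style check, kept apart from the service code. It receives only the
    // envelope bytes, so it behaves the same over HTTP, JMS or any other transport.
    static boolean authenticate(byte[] envelope, String user, String secret) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPEs so an untrusted message cannot use external entities (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(envelope));
        NodeList headers = doc.getElementsByTagNameNS(SOAP, "Header");
        // Exactly one Header, and it must be a direct child of the Envelope.
        if (headers.getLength() != 1
            || !headers.item(0).getParentNode().isSameNode(doc.getDocumentElement())) return false;
        NodeList tokens = ((Element) headers.item(0)).getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return false; // missing or ambiguous token: reject
        Element token = (Element) tokens.item(0);
        String u = text(token, "Username"), p = text(token, "Password");
        // Compare both fields in constant time, without short-circuiting between them.
        return u != null && p != null && (eq(u, user) & eq(p, secret));
    }

    static String text(Element parent, String name) {
        NodeList n = parent.getElementsByTagNameNS(WSSE, name);
        return n.getLength() == 1 ? n.item(0).getTextContent() : null;
    }

    static boolean eq(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample envelope and credentials, for illustration only.
        String env = "<soap:Envelope xmlns:soap='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
            + "<soap:Header><wsse:Security><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username><wsse:Password>s3cret</wsse:Password>"
            + "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>";
        System.out.println(authenticate(env.getBytes(StandardCharsets.UTF_8), "alice", "s3cret"));
        System.out.println(authenticate(env.getBytes(StandardCharsets.UTF_8), "alice", "wrong"));
    }
}
```

It runs as a single file with `java UsernameTokenCheck.java` on JDK 11 or later.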
 
Fernando Franzini
Ranch Hand
Hello Ulf
Thanks for the suggestion... I've just started with WS... I certainly will read about it.
However, I think SSL + SOAP WS + login/password in the SOAP header solves everything.
Any objections?
Regards.
 
Ulf Dittmer
Rancher
If you're asking me whether I think that rolling your own WS security solution is a good idea, then - no, I don't think it is. Security (not just for WS) is a hard issue to get right, and rolling your own -when a very capable and trustworthy implementation already exists- means re-inventing the wheel with fewer features and most likely less security.
 
Fernando Franzini
Ranch Hand
Hi Ulf

I agree with you...
I'm studying all this now...
Maybe I'll start by writing credential data in HTTP or SOAP headers, and at a later stage move to WS-Security.
Thanks again
 