• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

This weeks book giveaway

 
Thomas Paul
mister krabs
Ranch Hand
Posts: 13974
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
A big welcome to Mark O'Neill, author of "Web Services Security".
Mark will be here until Friday to answer you questions. On Friday we will have a drawing and four lucky winners will win a copy of Mark's excellent book.
And a special thanks to McGraw-Hill for providing the books for the giveaway.
 
M.K.A. Monster
Ranch Hand
Posts: 130
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Welcome Mark,
I hope you like our oncoming questions.
Thank you McCraw Hill, you have been publishing the most interesting books I ever bought.
Regards,
Mark Monster
 
Stanley Tan
Ranch Hand
Posts: 243
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Mark,
I'm using SOAP headers right now for authentication. I have a .NET Web service that exposes Web methods but requires a SOAP header to be passed along with the invocation. I've created a Java stub to the .NET Web service using AXIS and all is working fine until I call a method that requires a SOAP header. How do I go about specifying a SOAP header from a Java client that uses a stub generated from AXIS? Thanks for any input!

Stanley
 
Rama Raghavan
Ranch Hand
Posts: 116
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Welcome Mark..
What kinda of additives/bells and whistles has Microsoft added to web services that is over and beyond the call of the standards/protocol?
With a known history (unfortunately), always wonder what holes Microsoft leaves open on this front..
Rama
 
Mark O'Neill
Author
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Stanley Tan:
Mark,
I'm using SOAP headers right now for authentication. I have a .NET Web service that exposes Web methods but requires a SOAP header to be passed along with the invocation. I've created a Java stub to the .NET Web service using AXIS and all is working fine until I call a method that requires a SOAP header. How do I go about specifying a SOAP header from a Java client that uses a stub generated from AXIS? Thanks for any input!

Stanley

Hi Stanley
Putting security data into SOAP headers now means using WS-Security. In terms of AXIS-friendly toolkits for WS-Security, the IBM WSTK is the most useful [e.g. by comparison, VeriSign's TSIK implements WS-Security but has its own SOAP stack].
WS-Security defines how security information is included in a SOAP header. At a simple level, it defines a "Security" element, and the format of security tokens which are put into that element (e.g. a UsernameToken for userid/password, or a BinarySecurityToken for an X.509 digital certificate). It also defines how to apply XML Signature and XML Encryption to these security headers, and to the rest of a SOAP message also.
You haven't specified which security parameters should go into the SOAP header, but let's say if you want to use the Java WSTK to include an X.509 certificate, then (ironically) the best place to learn how to do this is at this MSDN article:
http://msdn.microsoft.com/library/en-us/dnwebsrv/html/wsejavainterop.asp
As usual with Axis, you have to configure a deployment descriptor (WSDD file). The WSDK uses information in this file to determine the signing key, which is taken from a Java keystore (JKS). Note that the private key password and the JKS password both sit in the clear - this clearly isn't ideal and care should be taken that access to this WSDD file is guarded.
 
Mark O'Neill
Author
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Rama Raghavan:
Welcome Mark..
What kinda of additives/bells and whistles has Microsoft added to web services that is over and beyond the call of the standards/protocol?
With a known history (unfortunately), always wonder what holes Microsoft leaves open on this front..
Rama

Hi Rama,
Looking at the Microsoft/IBM WS-Security model, I can see that a lot of the architecture fits well with Kerberos. Kerberos, of course, is built into Windows 2000, Windows XP, and Windows Server by implementing a Kerberos SSP (Security Support Provider). Kerberos fits the WS-Security model somewhat better than SAML does, for example.
That said, WS-Trust defines how to apply for a different token format (i.e. "token translation") - e.g. how to request an SAML assertion to send to a system which doesn't process Kerberos tickets. So, users are not locked in. I suspect that Web Services security is an area where lock-in is almost out of the question.
 
M.K.A. Monster
Ranch Hand
Posts: 130
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello Mark O'Neill,
We have been posting questions in other topics also. I hope that you are there to answer some of our questions.
Regards,
Mark Monster
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic