Best place to put credential data

Fernando Franzini
Ranch Hand

Joined: Jan 09, 2009
Posts: 484

Hi folks

I've been designing a WS and I really don't know where the best place to receive credential information is! Here are the options:
1 - HTTP headers? Why?
2 - SOAP headers? What's the difference between HTTP and SOAP headers?
3 - Method signature? It's not a good place, but it works!
4 - I can use HTTP Basic login/password too.
So... which have you used?
Best Regards.


Fernando Franzini - Java Blog
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
Hi!
My bet is 2 - in the SOAP headers.
In addition, security code should preferably be implemented in a handler, to keep it separate from the service implementation and make it easily exchangeable.
Why?
First of all, if you change the underlying transport protocol from HTTP to, for instance, JMS, then there are no HTTP headers and you will have to change the entire security model.
Putting the information in the SOAP headers is the solution that does not limit future options.
Regarding 3: Mixing business and security implementations is not a good idea. If you ever want to change the security used by the service and have credential information in method parameters, then you have quite some work to do.
Regarding 4: HTTP basic security works well with HTTP. Again, if you decide to change transport protocol, then you will need to perform some extra work to change the security model.
Best wishes!


My free books and tutorials: http://www.slideshare.net/krizsan
Fernando Franzini
Ranch Hand

Joined: Jan 09, 2009
Posts: 484

Hi Ivan
Thanks a lot for your tips.
I'll use SOAP headers... But I don't know which API I'll choose, maybe AXIS, which doesn't have handlers, or does it?
By the way, I'm using your PDF to study for JWS certifications!!
Best Regards
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
The standard way to secure SOAP services is to use WS-Security, which is supported by all major SOAP stacks, including Axis (check out its Rampart module). It adds all the required SOAP headers so you don't need to mess with those.


Ping & DNS - updated with new look and Ping home screen widget
Fernando Franzini
Ranch Hand

Joined: Jan 09, 2009
Posts: 484

Hello Ulf
Thanks for the suggestion... I've just started with WS... I will certainly read about it.
However, I think SSL + SOAP WS + login/password in the SOAP header solves everything.
Any objections?
Regards.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
If you're asking me whether I think that rolling your own WS security solution is a good idea, then - no, I don't think it is. Security (not just for WS) is a hard issue to get right, and rolling your own -when a very capable and trustworthy implementation already exists- means re-inventing the wheel with fewer features and most likely less security.
Fernando Franzini
Ranch Hand

Joined: Jan 09, 2009
Posts: 484

Hi Ulf

I agree with you...
I'm studying all this now...
Maybe I'll start by writing credential data with HTTP or SOAP headers, and at a later stage with WS security.
Thanks again
 