Re: SOAP header for authentication etc

Sonsider a 3-tier system: Web browser, Web Server and SOAP service.
Web Server invokes a SOAP service on behalf of some Web users.
There are several issues around user authentication and server-to-server
authentication.

The question around user authentication is that how to carry user's
authentication information for the SOAP call. This is important for
the SOAP services that require users to be authenticated, and/or its result
varies for different users. Personal stock quotes could be  an
example of  such SOAP services.

To avoid service attack etc, SOAP service needs to reject calls from
untrsuted parties. So, the basic quetsion around server-to-server authentication

is that  how a SOAP services know whether it's called from a trusted server.

I'm sure that there are many other issues around security. Without understanding

such issues and appropriate solutions, it's hard for SOAP to be widely adopted.

Andy


Mike Dierken wrote:

> > Any takers for getting together a list of features that people would like?
> > >
> > > Are there any standard or convetion for specifying
> > > authentication etc within <SOAP-ENV:Header>?
> >
>
> Is 'authentication information' meant to be used in the context of 'perform
> this operation on the behalf of user-x'? or is it 'perform this operation &
> here is a magic key'? or something different?
>
> Since SOAP can be carried over multiple transports, and those transports
> have mechanisms for user identification, should there be a concept of
> 'inheriting' user identification information from the transport? The
> underlying transport might not have very secure user-id, but when they do it
> may be nice to use them. Would this be the job of a SOAP dispatcher, to
> extract transport info, transform to a unified format & load into the
> header? Can a SOAP dispatcher touch the message or will it ruin
> digest/checksums/etc.?
>
> Also, should this discussion be made on the SOAP forum?
> (SOAP@DISCUSS.DEVELOP.COM)
>
> Mike