[jboss-user] [JBoss Web Services] - Re: WS Security Basics

simon bohdanowicz do-not-reply at jboss.com
Wed Oct 20 16:35:34 EDT 2010

simon bohdanowicz [http://community.jboss.org/people/simonpl] created the discussion

"Re: WS Security Basics"

To view the discussion, visit: http://community.jboss.org/message/567526#567526

Security in WS is a pretty broad topic (e.g. one way of securing a web service is setting it on SSL) - I'm also not an expert but I've got a bit of experience with it. There is something called "WS-Security" and it is a standard established by OASIS (wiki will tell you more about it). On the other hand, you can design security on your own. Considering your question:

> When a client invokes a WS method, how do the user credentials get passed along with the method request?

Usually this kind of data is passed in the header part of the SOAP message - the exact way in which you attach the username and password depends on the client technology you're using (JBossWS, Axis2 etc.)

> I have not seen that specified in WSDLs so is that some SOAP magic between the client/server?

I'm not sure what kind of magic you've got in mind - if you're using the WS-Security standard then WS-Policy contains info about it (WS-Policy - another standard - is a document that contains additional settings for a certain web service - it can be attached to the WSDL or referenced by it)

> The credentials would have to be sent with each ensuing WS method call as well, correct?

It can be solved like that, but I've seen situations where the client was receiving a token after the first call and later only the token was attached to the SOAP message (it was valid for one session)

Hope that helps
