
Authentication

  • r_amselli@yahoo.fr
    Message 1 of 7 , Mar 29, 2001
      Hi,

      I am fairly new to SOAP Lite but I have read a lot about SOAP.
      In everything I have read, the authors were saying that SOAP was over
      HTTP and so that the authentication systems were the same.

      My question is how the authentication system works with SOAP Lite:
      what I would like to do is give access to a SOAP server only to
      certain clients.

      Any idea or code examples please?

      Thank you

      Raf
    • Paul Kulchenko
      Message 2 of 7 , Mar 29, 2001
        Hi, Raf!

        A couple of new chapters will be published soon on guide.soaplite.com,
        hopefully they will answer your question (one chapter is about
        security: SSL, basic authentication, cookie-based, ticket-based,
        access control, etc.).
        You may also take a look at the scripts in the examples directory, some of
        them use authentication. Hope it helps.

        Best wishes, Paul.
        --- r_amselli@... wrote:
        > Hi,
        >
        > I am fairly new to SOAP Lite but I have read a lot about SOAP.
        > In everything I have read, the authors were saying that SOAP was
        > over HTTP and so that the authentication systems were the same.
        >
        > My question is how the authentication system works with SOAP Lite:
        > what I would like to do is give access to a SOAP server only to
        > certain clients.
        >
        > Any Idea or code examples please?
        >
        > Thank you
        >
        > Raf
          • Robert Simpson
            Message 5 of 7 , Mar 30, 2001
              --- In soaplite@y..., r_amselli@y... wrote:
              > Hi,
              >
              > I am fairly new to SOAP Lite but I have read a lot about SOAP.
              > In everything I have read, the authors were saying that SOAP was
              > over HTTP and so that the authentication systems were the same.
              >
              > My question is how the authentication system works with SOAP Lite:
              > what I would like to do is give access to a SOAP server only to
              > certain clients.
              >
              > Any Idea or code examples please?
              >
              > Thank you
              >
              > Raf

              _____________________________
              First, a primer on authentication...

              The basic authentication (AUTH_TYPE = Basic) provided by the HTTP
              protocol is where a small dialog box with prompts for "User Name"
              and "Password" pops up over the browser window. In Netscape, the
              dialog box title is "Username and Password Required"; in Internet
              Explorer, it might be "Enter Network Password".

              If the user hits Cancel, or enters an invalid username or password,
              they get an HTTP Error 401 "Authorization Required". Similarly,
              unless the proper authentication parameters are passed in the HTTP
              request, a SOAP::Lite client will get an error message "SOAP call
              failed: 401 Authorization Required". If authentication fails, the
              user does not get access to the file that was requested, whether that
              file is a static HTML file, a CGI program, or a SOAP server. For the
              static files this works pretty well.

              However, many web sites nowadays have content that is dynamically
              generated by server-side programs. To provide for additional
              features such as various login options ("auto-login", "save
              password", etc.), access to content without signing on (usually along
              with a "Sign On" option), the ability to "Sign Off" or change user
              names, and more graceful failures than "401 Authorization Required",
              most web sites implement their own authentication mechanisms handled
              by server-side programs. Typically, they get a user name, password
              and other parameters from a login form, determine whether the user
              should be allowed access, and return a page that somewhere indicates
              whether the user is successfully logged in.

              One important thing to note is that each web request is processed on
              the server as a totally independent transaction: connect - input -
              process - output - disconnect. For every transaction, you must
              determine whether or not the user has an existing session. If you
              don't authenticate every transaction, bad things can happen. For
              example, if you are running a web-based e-mail service, without
              re-authentication a user could change the user name in the URL and gain
              access to someone else's mailbox. Remember URLs can come from
              various places: The "Address" or "Location" bar, "Bookmarks"
              or "Favorites", and links and forms from other web pages or in
              e-mails. You shouldn't count on these URLs coming only from trusted
              sites -- there have been some cases where forms have been set up on
              the web that would generate the proper URL to allow you to access
              someone's web-based e-mail simply by entering their user name in a
              form.

              If you use a login page for authentication, you probably don't want
              to redisplay the login page for every page the user sees, so a
              different mechanism is needed for re-authentication. One popular
              method is for the login to return a session key that is somehow
              passed back to the server on the next transaction. Typical methods
              of saving and returning the session key include cookies, URL query
              parameters, and hidden form fields. This is better than some other
              approaches, such as storing the user name and password on the client,
              where they could easily be viewed by anyone with physical access to
              the machine.

              _____________________________
              And how it applies to SOAP...

              As you noted, the authentication mechanisms for SOAP clients are the
              same as for other HTTP clients, especially since most of those
              mechanisms are implemented on top of the HTTP protocol. In other
              words, you have to extend your existing web authentication mechanisms
              to handle SOAP clients.

              Our company's existing authentication mechanisms use session keys.
              We have been working on extending them to work with SOAP clients,
              which has also necessitated making them much more robust, because
              some of the information from a SOAP client will be coming in
              indirectly rather than directly from the CGI interface, and therefore
              will be less trusted.

              What's nice is that once our SOAP authentication is working, it could
              be used from anywhere on the Internet: web pages, UNIX Telnet
              clients, Windows clients, etc. -- and could even be used by other web
              sites to provide authentication for their clients. Information could
              be shared (carefully) among web sites -- for example, a user could
              specify an option indicating whether they want their e-mail address
              provided automatically to a web site requesting it, or only to web
              sites they authorized for that information; any web site could
              determine whether or not the user had validated their e-mail address
              by responding to a confirmation message, regardless of which web site
              originated the message, eliminating the need for the user to
              re-validate their e-mail address for every web site they visit.

              Here's how it would work: The SOAP client (which could be a native
              program or script, or a web site CGI program) would prompt the user
              for a user name and password, plus other optional parameters, if
              desired. The client would send this information to the server via a
              SOAP call, and get back a status and, for a valid login, a session
              key. For subsequent calls, the client would send the session key,
              and the server would return the session status (valid, expired, etc.)
              plus various other session information.

              We are hoping to begin beta testing of the SOAP authentication in the
              near future. If you would be interested in participating in such a
              beta test, please send me an e-mail at betatest@... and
              I will add you to the list of potential beta-testers.
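
The login and per-call session check described in the message above, sketched in Perl as an added example (not from the original thread and not part of SOAP::Lite). The function names, the signed `user|expiry|MAC` key format, the secret, the user table and the clock values are assumptions made for illustration; only core modules are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex sha256_hex);

# Constructed demo values: a real server loads a random secret from protected
# storage and keeps passwords under a slow password-hashing function.
my $SECRET = 'constructed-demo-secret-change-me';
my $TTL    = 900;    # session lifetime in seconds
my %USERS  = (raf => { salt => 'x1', hash => sha256_hex('x1' . 'correct horse') });

# Constant-time comparison so a check does not leak a matching prefix via timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# login(user, password, now) -> (status, session_key)
# User names must not contain '|', which separates the fields of the key.
sub login {
    my ($user, $password, $now) = @_;
    my $rec = $USERS{ $user // '' };
    my $ok  = $rec && ct_eq(sha256_hex($rec->{salt} . ($password // '')), $rec->{hash});
    return ('denied', undef) unless $ok;
    my $body = join '|', $user, $now + $TTL;
    return ('ok', $body . '|' . hmac_sha256_hex($body, $SECRET));
}

# check_session(key, now) -> (status, user); run at the top of every SOAP method,
# because each request is an independent transaction.
sub check_session {
    my ($key, $now) = @_;
    my ($user, $expires, $mac) = split /\|/, ($key // ''), 3;
    return ('invalid', undef) unless defined $mac && $expires =~ /^\d+$/;
    return ('invalid', undef) unless ct_eq($mac, hmac_sha256_hex("$user|$expires", $SECRET));
    return ('expired', undef) if $now >= $expires;
    return ('valid', $user);
}

my $t0 = 1_000_000;    # constructed clock value
my ($status, $key) = login('raf', 'correct horse', $t0);
print "login: $status\n";
print 'next call: ', (check_session($key, $t0 + 60))[0], "\n";
print 'after TTL: ', (check_session($key, $t0 + $TTL))[0], "\n";
(my $edited = $key) =~ s/^raf/paul/;    # user name changed on the client side
print 'edited user name: ', (check_session($edited, $t0 + 60))[0], "\n";
```

Because the user name is covered by the MAC, a key whose user name was altered after login is reported as invalid rather than granting access to another account.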
            • r_amselli@yahoo.fr
              Message 6 of 7 , Apr 2, 2001
                Hi,

                I have read carefully what you wrote me and what I understand from
                that is that the authentication is not implemented in the current
                version of SOAP::Lite.

                Anyway, thanks for your help!

                Raf
              • Paul Kulchenko
                Message 7 of 7 , Apr 2, 2001
                  Hi, Raf!

                  --- r_amselli@... wrote:
                  > I have read carefully what you wrote me and what I understand from
                  > that is that the authentication is not implemented in the current
                  > version of SOAP::Lite.
                  What kind of authentication is not implemented? SOAP::Lite gives you
                  access to basic/digest authentication, easy access to cookies and
                  some examples for ticket-based authentication. Take a look into
                  http://guide.soaplite.com/draft.html. So, what's your specific
                  request that cannot be implemented with SOAP::Lite? Just let me know,
                  everything can be done (sooner or later :)).

                  Best wishes, Paul.

