http://qs321.pair.com?node_id=561254

talexb has asked for the wisdom of the Perl Monks concerning the following question:

I'm interested in building some web services that can be used both by external web browsers and by internal SOAP clients. The architecture I see is a web server talking to an independent database/file system entity, with local developers able to also write scripts that will interact with the entity. Essentially the function is an advanced ftp site.

With regard to security, I'm wondering how SOAP takes care of authentication and authorization. I read the local articles SOAP::Transport::TCP connection problems, troubles writing mod_soap clients and SOAP::Lite, then went further afield and found this article about authentication under SOAP UDDI. Google also found this article on SOAP extensions which looks promising if only it weren't almost five years old. This code sample also looked useful, even if it is in Java.

I like the idea of using SOAP -- does anyone here have other technology suggestions?

Alex / talexb / Toronto

"Groklaw is the open-source mentality applied to legal research" ~ Linus Torvalds

Re: Authentication and Authorization for SOAP
by Ieronim (Friar) on Jul 14, 2006 at 17:17 UTC
    You can pass the username and password as parameters in your request, like

        my $result = SOAP::Lite
            -> uri('http://www.example.com/Protected')
            -> proxy('http://www.example.com/soap.cgi')
            -> fetchdata($name, $pass, @request)
            -> result;

    And define the fetchdata method at server-side as something like this (I didn't add SOAP-specific code, but it can be taken directly from SOAP::Lite docs):

        package Protected;

        sub fetchdata {
            my $pkg  = shift;
            my $name = shift;
            my $pass = shift;
            # check the $name and $pass and process @request
            # or send a response indicating authentication error
        }

    I have no experience in Java, but as I can see, the code sample you showed seems to do the same thing, but sends only name and password.

      A common practice is to pass authentication information in the SOAP headers. With SOAP::Lite, you can do this by creating SOAP::Header objects (just like SOAP::Data, but they'll be placed in the header):

          my $headers = SOAP::Header
              ->name( 'LoginCredentials' )
              ->value( [
                  SOAP::Header ->name('Username') ->value( $username ),
                  SOAP::Header ->name('Password') ->value( $password ),
              ] );

      The login credentials can then be passed along with any other arguments into whatever SOAP method is being called, and dealt with separately.
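
One way to check the LoginCredentials header on the server, as an added example that is not code from any poster in this thread. It assumes the service is reached over HTTPS (the header is otherwise sent in clear text); the user store, the `check_credentials` and `_same` helpers and the fault code are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package Protected;
use SOAP::Lite;
use Digest::SHA qw(hmac_sha256_hex);

# Inheriting from SOAP::Server::Parameters makes SOAP::Lite append the parsed
# request (a SOAP::SOM object) as the last argument of each method call.
our @ISA = ('SOAP::Server::Parameters');

# Constructed demo store: user => [ salt, HMAC-SHA256(password, key = salt) ].
# Simplification: a real store should hold a slow password hash (bcrypt, Argon2).
my %USERS = ( alice => [ 's4lt', hmac_sha256_hex('correct horse', 's4lt') ] );

# Compare two strings without stopping at the first differing byte.
sub _same {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 1 only for a known user with the right password; unknown users are
# checked against a dummy record so both failure paths do the same work.
sub check_credentials {
    my ($user, $pass) = @_;
    return 0 unless defined $user && defined $pass;
    my ($salt, $want) = @{ $USERS{$user} || [ 'none', '0' x 64 ] };
    return _same(hmac_sha256_hex($pass, $salt), $want) ? 1 : 0;
}

sub fetchdata {
    my $som = pop;                 # SOAP::SOM envelope appended by SOAP::Lite
    my ($pkg, @request) = @_;
    my $user = $som->valueof('//LoginCredentials/Username');
    my $pass = $som->valueof('//LoginCredentials/Password');
    die SOAP::Fault->faultcode('Client.Authentication')
                   ->faultstring('Invalid credentials')
        unless check_credentials($user, $pass);
    return "processed " . scalar(@request) . " argument(s)";
}

package main;
# Offline check of the credential logic with constructed inputs.
for my $try (['alice', 'correct horse'], ['alice', 'wrong'], ['mallory', 'x']) {
    printf "%-8s %s\n", $try->[0],
        Protected::check_credentials(@$try) ? 'accepted' : 'rejected';
}
```

When wiring this to a SOAP::Lite server, dispatch only the handler, for example `dispatch_to('Protected::fetchdata')`, so the helper subs are not callable as SOAP methods.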
Re: Authentication and Authorization for SOAP
by gellyfish (Monsignor) on Jul 14, 2006 at 21:00 UTC

    WS-Security provides a framework for security management in the Web Services environment. As yet there is no Perl implementation (as far as I can determine, but would love to be proved wrong.) OASIS have a number of other documents and specifications on security.

    /J\