User Aware Service

  • Question

  • I have an SDP Platform setup which has some services available. I am creating a new service (Service1) which has to maintain its own set of users and has a custom Token Manager which validates the request with this user set. The users can be mapped easily from the platform with the Identity manager. Now Service1 has some methods which extract information for a particular user using the userId present in Service1. There are two ways of getting the userId from the SDP Platform:

    1. In my service method I extract the information from the SOAP header (WS-Security) and use it.

    2. Instead of having the service extract info from the header, I introduce an interceptor for the service which can extract information from the header and provide it as a part of the payload.

    What I would like to know is which of the above cases should be used, or is there any other way of implementing the scenario?

    Tuesday, September 26, 2006 6:00 AM


All replies

  • Hi Ashish,

    Thanks for your note - this is a difficult implementation question... In principle, it is best to avoid using any WS-Security information in the header. In practice, it is often done, however - it is easy to assume that the message will always be authenticated with UsernameToken, or some custom type, and it is easy to find the username. If you can avoid this assumption, it will give your solution the flexibility of changing authentication mechanisms more easily in the future. I realize that there may be practical barriers to changing the message body - but if it is possible, I would recommend using a single new element in the body, say <Username>...

    Many Thanks, Ashish!!

    -Rob.


    Tuesday, September 26, 2006 7:44 AM
  • Hi Rob,

    Thanks a lot for your reply.

    The solution will work in case I am creating a new service from scratch and dictate the terms.

    But what if the service already exists (an existing third-party service which is to be integrated into the platform)?

    The problem that comes is, I have a user in my platform, say A1@sdpplatform. The username which is used at the service is A1_S1@service.

    While using Person Participant, I can modify the security header to provide A1_S1@service using Identity manager, but if the same name is to be passed to the service in the body as well, then I do not have direct access to the information about the userId for A1@sdpplatform at the service.

    There can be two ways of solving this:

    1. Introduce an interceptor for the service which can extract information from the header and provide it as a part of the payload.

    2. Call Identity manager to retrieve this information and modify the body while creating the message.

    Which method should be the preferred option and why? Are there any other ways of doing this?

    Ashish

    Tuesday, September 26, 2006 7:59 AM
  • Hi Ashish,

    Thanks for your note - for this situation, I would try to apply the following principles:

    (a) Avoid using any data in the WS-Security section of the messages if possible - but I realize that it might be unavoidable...

    (b) Prefer using the CSF Identity Manager component to store secondary credentials.

    Given this, which approach is best? If my understanding of the situation is correct, approach (2) above - using the Identity Manager - ideally via the Persona participant in the Session - would be the preferred approach.

    Please let us know if you have any follow-up questions...

    Many Thanks, Ashish!!

    -Rob.

    Tuesday, September 26, 2006 4:59 PM
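The following is an added illustration of the design the thread converges on, not code from the thread or from the CSF/SDP product: a message-level interceptor reads the caller's identity from the WS-Security UsernameToken header, maps it through an identity-manager lookup (here a constructed dictionary standing in for the real Identity Manager) to the service-local account, and exposes the result as the single `<Username>` body element Rob suggests, so Service1 itself never touches the security header. The Service1 namespace, the operation name `GetUserInfo` and the mapping `A1@sdpplatform` to `A1_S1@service` are assumptions taken from the thread's wording, not real product identifiers. The example also covers the two failure modes a defender cares about: a message authenticated with something other than a UsernameToken (Rob's warning about assuming the token type) is rejected rather than silently passed through, and any `<Username>` the client placed in the body itself is discarded so the interceptor is the only source of that element.

```python
# Added illustration (not code from the thread or from the CSF/SDP product):
# an interceptor that (1) reads the caller's identity from a WS-Security
# UsernameToken header, (2) maps it through a stand-in identity manager to
# the service-local account, and (3) surfaces the mapped name as a
# <Username> element in the body, so the service never parses the header.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SVC_NS = "urn:example:service1"   # assumed namespace for Service1's payload

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)
ET.register_namespace("s1", SVC_NS)

# Constructed stand-in for the Identity Manager lookup:
# platform user -> secondary credential held for Service1.
IDENTITY_MAP = {"A1@sdpplatform": "A1_S1@service"}


class IdentityError(Exception):
    """Raised when the caller cannot be mapped to a Service1 user."""


def caller_from_security_header(envelope):
    """Return the platform username from a UsernameToken, or None when the
    message carries no UsernameToken (e.g. a different token type)."""
    user = envelope.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
                         f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()


def intercept(soap_xml, identity_map=IDENTITY_MAP):
    """Interceptor: map the authenticated caller and inject <Username>."""
    envelope = ET.fromstring(soap_xml)
    platform_user = caller_from_security_header(envelope)
    if platform_user is None:
        # Do not assume the token type: fail closed instead of guessing.
        raise IdentityError("no UsernameToken in WS-Security header")
    try:
        service_user = identity_map[platform_user]
    except KeyError:
        raise IdentityError(f"no Service1 identity for {platform_user}") from None
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise IdentityError("SOAP body has no operation element")
    operation = body[0]
    # Discard any <Username> the client supplied itself; the interceptor
    # is the only trusted source of this element.
    for stale in operation.findall(f"{{{SVC_NS}}}Username"):
        operation.remove(stale)
    username = ET.SubElement(operation, f"{{{SVC_NS}}}Username")
    username.text = service_user
    return ET.tostring(envelope, encoding="unicode")


def service_username(soap_xml):
    """What Service1 sees: it reads only the body element, never the header."""
    envelope = ET.fromstring(soap_xml)
    el = envelope.find(f"{{{SOAP_NS}}}Body/*/{{{SVC_NS}}}Username")
    return el.text if el is not None else None


# Constructed sample request: a UsernameToken for the platform user, and a
# client-supplied <Username> in the body that must not be trusted.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" xmlns:s1="{SVC_NS}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>A1@sdpplatform</wsse:Username>
        <wsse:Password>secret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <s1:GetUserInfo>
      <s1:Username>client-supplied</s1:Username>
    </s1:GetUserInfo>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(service_username(intercept(SAMPLE)))  # A1_S1@service
```

Because the interceptor rejects messages without a UsernameToken, switching the platform to another credential type later means changing only `caller_from_security_header`; Service1's method signature and body schema stay the same, which is the flexibility Rob's advice aims for.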