Some practical documentation here:
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/cwbs_usernametokenv6.html
and also an interesting podcast here
http://channel9.msdn.com/shows/ARCast+with+Ron+Jacobs/ARCast-Securing-Web-Services-with-the-Username-Token-in-WSE-30-Part-1/
on X509 PKI certificates and the Username Token.
In a nutshell:
Kerberos and X509 are brokered authentication: you present a token which vouches that you have already gone through an authentication process somewhere else.
Username Token is direct authentication: the credentials are presented directly to the service.
An X509 token contains a certificate whose public key the recipient can use to encrypt messages that can only be decrypted by the X509 originator (the holder of the private key).
The official OASIS documentation (interesting reading)
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
An example of a SOAP request with an unencrypted Username Token (thanks Tom Gullo, http://www.jroller.com/tgullo/, god bless your excellent recipes)
http://www.jroller.com/tgullo/resource/UsernamePasswordRequest.xml.txt
and the encrypted version
http://www.jroller.com/tgullo/resource/EncryptedUsernamePasswordRequest.xml.txt
(it's really verbose, oh my god, I wonder about the performance impact)
Sunday, April 4, 2010