GSOAP Project. Need Tips


eylk
09-21-2006, 02:48 AM
Hello. I am new to GSOAP and I need help understanding this project and its security features.
Below is a diagram of the project.

http://www.cjb.net/images.html?ab4d1.bmp

So far, I have understood that both the client and server side need a Gsoap application.

Client Side
http://www.soapuser.com/common/basics_4_1.gif

Server Side
http://www.soapuser.com/common/basics_4_2.gif


The problem now is:

1) That I don't understand where and how HTTP/SSL, WSSE and GSOAP HEADERS come in. I've read about them individually but only managed to grasp a very vague understanding.

2) Keys, Certificates And Signatures are all XML based, right? SSL and GSOAP HEADERS only wrap them or somehow make use of them, right?

3) Can SSL and GSOAP HEADERS security both be implemented?
Or only GSOAP HEADERS is needed/can be used as proposed by the article below (I don't quite understand the article):
http://webservices.xml.com/pub/a/ws/2003/01/15/ends.html

Any links to sites that may help me in my situation and answers with references to the diagrams provided will be greatly appreciated.

Thank you !

-K-

sirpelidor
09-22-2006, 01:45 PM
1) That I don't understand where and how HTTP/SSL, WSSE and GSOAP HEADERS come in. I've read about them individually but only managed to grasp a very vague understanding.


I haven't played with SOAP for a while, so my information isn't gonna be as up-to-date. But to clear things first, I don't believe GSOAP is a protocol it uses for web services, I think GSOAP is a program that generates SOAP headers using your choice of programming language.

<<note: based on the image you've provided, you are aware the server end is written in J2EE, right? I say that because if you are going to consume web services using .net at client side, there may be extra code needed, I'm not sure, you need to review your docs>>

With those out of the dark cloud, let's get to your questions:
(I don't know what you already know, so I'm gonna do it in a briefing style)

-if you have a Web Server (let's call it S1), it has http (port 80) and https (port 443, default SSL) open. Then it can transfer xml files between web server and web clients (in this case, I assume it's written in .net because you are at the .net forum).

-the xml files which are being transferred are actually objects which have been serialized by your web server/web client. For example, a HelloWorld object with only a toString() method might look something like:

<service1>
<helloWorld><toString>Hello World!</toString></helloWorld>
</service1>


-When the client receives the xml file from the web server, it could be in a form of REST or SOAP <-- this is where your question comes in.

-When the client sends the xml file back to the web server, it could be in httpPOST or httpSOAP <-- this is where your authentication question

-(last time when I played with web services) there are 3 ways of security in web services.
>authenticate - to pass username/password on every method call
>SOAP header - SOAP has envelope and body, you can add a HEADER, every client will have to match every requirement made by SOAP.
>ws-* (http://aspnet.4guysfromrolla.com/articles/071404-1.aspx) (the M$ way....)

-SOAP Envelope contains (optional header) and body. Header is where credentials take place, for example, when a client sends a request to a server, it'll look something like:

<soap:Envelope>
<soap:Header>
<AuthorizationHeader>
<UserName></UserName>
<Password></Password>
</AuthorizationHeader>
</soap:Header>
<soap:Body>
<SoapTest....>
<message> </message>
</SoapTest>
</soap:Body>
</soap:Envelope>


when a server sends the xml back to the client, it won't have a header, because there is nothing to authenticate... like

<soap:Envelope>
<soap:Body>
<SoapTest....>
<message> </message>
</SoapTest>
</soap:Body>
</soap:Envelope>

-the downside of using SOAP...is these headers have no standardized format.

-Authentication in web services has a choice of 2 approaches
>a hashed plain text
>encrypted plain text

-ws-* was created by M$ as a standardized way to authenticate SOAP headers, see link above for details.


2) Keys, Certificates And Signatures are all XML based, right? SSL and GSOAP HEADERS only wrap them or somehow make use of them, right?

SOAP envelope wraps that info within the header


3) Can SSL and GSOAP HEADERS security both be implemented?
Or only GSOAP HEADERS is needed/can be used as proposed by the article below (I don't quite understand the article):
http://webservices.xml.com/pub/a/ws/2003/01/15/ends.html


yes, a webserver's port 80 is not being encrypted, information that is sent over port 80 can be seen within the network. You use SSL to encrypt the entire message so others can't see what you are sending throughout the network, then you use SOAP header embedded name/password to ensure the client has the right to make certain method calls.


I hope this helps a little.... (sorry for long post)
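
Added example, not part of either post above and not gSOAP-generated code: a Python sketch of the "hashed" header credential the thread mentions, using the WS-Security (WSSE) UsernameToken digest, with the client building the header and the server checking it. The function names, the `users` dictionary and the `seen_nonces` set are assumptions for illustration; the `Type`/`EncodingType` attributes and a check on the age of `Created` are left out.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": SOAP, "wsse": OASIS + "secext-1.0.xsd", "wsu": OASIS + "utility-1.0.xsd"}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_request(user, password, nonce, created):
    """Client side: credentials go in the SOAP Header; the password itself is never sent."""
    xmlns = " ".join(f'xmlns:{p}="{uri}"' for p, uri in NS.items())
    return (
        f"<soap:Envelope {xmlns}><soap:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{escape(user)}</wsse:Username>"
        f"<wsse:Password>{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{escape(created)}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        "<soap:Body><SoapTest><message>hello</message></SoapTest></soap:Body>"
        "</soap:Envelope>"
    )

def verify_request(xml_text, users, seen_nonces):
    """Server side: accept only a known user, an unseen nonce and a matching digest.
    users (name -> password) and seen_nonces (a set) are assumed stores."""
    token = ET.fromstring(xml_text).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False  # no credentials header: reject the call
    user = token.findtext("wsse:Username", "", NS)
    sent = token.findtext("wsse:Password", "", NS)
    nonce_b64 = token.findtext("wsse:Nonce", "", NS)
    created = token.findtext("wsu:Created", "", NS)
    if user not in users or nonce_b64 in seen_nonces:
        return False  # unknown user, or a captured token being replayed
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False  # nonce is not valid Base64
    expected = password_digest(nonce, created, users[user])
    if not hmac.compare_digest(expected.encode(), sent.encode()):
        return False  # digest mismatch (compared in constant time)
    seen_nonces.add(nonce_b64)
    return True
```

The digest only protects the password: the Body still travels readable unless the request goes over SSL, and the server needs the password itself to recompute the digest.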