[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ebxml-msg] AS4 - clarification on pulling from the default channel with no WS-Security UserName tokens
Hi Timothy Yes, the authentication happens at the HTTP layer as you say, but since its is the MSH that needs to honor the Pull, we have had to build functionality to "trust" the gateway that does the authentication and use the credentials being passed to service the Pull. So if you ask how does your AS4 MSH handle a missing WSSE username/password? I'll say we don't throw an error and support an unauthenticated Pull because there is never a WSSE header in some cases. Thanks Makesh On 5/9/13 8:05 AM, "Timothy Bennett" <timothy@drummondgroup.com> wrote: >I'm guessing, Makesh, that implementation occurs at the HTTP transport >layer, correct? Not at the AS4 message processing layer, right? You are >talking about HTTP Basic Auth, right? > >Theo's question is really about the AS4 MSH use case for the ebHandler >receiving a Pull Request with no WSSE token on the default MPC. It would >seem at first blush based on Section 2.3.1 and 3.3 that "minimally" a pull >request is authenticated by either a WSSE username/password token -OR- the >alternative use of HTTPs client authentication of an SSL certificate >(obviously X.509 authentication is also supported). Unlike the Minimal >Sender, which has a non-secure push scenario (presumably because the >receiver can "authenticate" using the Party-ID, et. al. in the as4 message >header), there is no provision of a "non-authenticated" pull request -- >even >on the default MPC. > >Is my understanding correct, here? > >-----Original Message----- >From: Makesh Rao (marao) [mailto:marao@cisco.com] >Sent: Thursday, May 09, 2013 9:40 AM >To: Theo Kramer; ebxml-msg@lists.oasis-open.org >Subject: Re: [ebxml-msg] AS4 - clarification on pulling from the default >channel with no WS-Security UserName tokens > >Hi Theo > >We do support plain old basic auth in our implementation. This is because >some of our clients did not agree to support WS-S. They only agreed to >support the basic auth. So we built some authorization around the username >that we get access to and determine if there is a message in the default >queue. > >~Makesh > >On 5/9/13 5:34 AM, "Theo Kramer" <theo@flame.co.za> wrote: > >>Hi All >> >>I'm wondering if anyone could clarify what the expected use case should >>be when an AS4 pull signal message is received for the default MPC with >>no WS-Security user name tokens. >> >>Possibilities could include any of the following >> >>i Return any message stored on the default MPC for the default user as >>defined in section 4.3 of the ebms 3 core spec. >> >>ii Return an HTTP 401 authorisation failed unknown reason. >> >>-- >>Regards >>Theo >> >> >>--------------------------------------------------------------------- >>To unsubscribe from this mail list, you must leave the OASIS TC that >>generates this mail. Follow this link to all your TCs in OASIS at: >>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >> > > >--------------------------------------------------------------------- >To unsubscribe from this mail list, you must leave the OASIS TC that >generates this mail. Follow this link to all your TCs in OASIS at: >https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]