OASIS Mailing List Archives

ebxml-msg message



Subject: RE: [ebxml-msg] AS4 - clarification on pulling from the default channel with no WS-Security UserName tokens


Ok... so in this sense, it's not much different than the alternative pull
authorization explicitly detailed in section 3.3 of the AS4 spec that uses
the client authentication of a pull request over HTTPs.  In the same way,
the transport layer is providing the authentication and the MSH layer
"trusts" the gateway and there's some glue between the two layers to make
that seamless.  We could have easily had a section in the AS4 spec that
explicitly supports Basic Authentication for pull requests as an alternative
method.

I get it.  Thanks.

-----Original Message-----
From: Makesh Rao (marao) [mailto:marao@cisco.com] 
Sent: Thursday, May 09, 2013 10:40 AM
To: timothy@drummondgroup.com; 'Theo Kramer'; ebxml-msg@lists.oasis-open.org
Subject: Re: [ebxml-msg] AS4 - clarification on pulling from the default
channel with no WS-Security UserName tokens

Hi Timothy

Yes, the authentication happens at the HTTP layer as you say, but since it
is the MSH that needs to honor the Pull, we have had to build functionality
to "trust" the gateway that does the authentication and use the credentials
being passed to service the Pull. So if you ask how does your AS4 MSH handle
a missing WSSE username/password? I'll say we don't throw an error and
support an unauthenticated Pull because there is never a WSSE header in some
cases.

Thanks
Makesh

On 5/9/13 8:05 AM, "Timothy Bennett" <timothy@drummondgroup.com> wrote:

>I'm guessing, Makesh, that implementation occurs at the HTTP transport 
>layer, correct?  Not at the AS4 message processing layer, right?  You 
>are talking about HTTP Basic Auth, right?
>
>Theo's question is really about the AS4 MSH use case for the ebHandler 
>receiving a Pull Request with no WSSE token on the default MPC.  It 
>would seem at first blush based on Section 2.3.1 and 3.3 that 
>"minimally" a pull request is authenticated by either a WSSE 
>username/password token -OR- the alternative use of HTTPs client
>authentication of an SSL certificate (obviously X.509 authentication is
>also supported).   Unlike the Minimal
>Sender, which has a non-secure push scenario (presumably because the 
>receiver can "authenticate" using the Party-ID, et al. in the as4 
>message header), there is no provision of a "non-authenticated" pull 
>request -- even on the default MPC.
>
>Is my understanding correct, here?
>
>-----Original Message-----
>From: Makesh Rao (marao) [mailto:marao@cisco.com]
>Sent: Thursday, May 09, 2013 9:40 AM
>To: Theo Kramer; ebxml-msg@lists.oasis-open.org
>Subject: Re: [ebxml-msg] AS4 - clarification on pulling from the 
>default channel with no WS-Security UserName tokens
>
>Hi Theo
>
>We do support plain old basic auth in our implementation. This is 
>because some of our clients did not agree to support WS-S. They only 
>agreed to support the basic auth. So we built some authorization around 
>the username that we get access to and determine if there is a message 
>in the default queue.
> 
>~Makesh
>
>On 5/9/13 5:34 AM, "Theo Kramer" <theo@flame.co.za> wrote:
>
>>Hi All
>>
>>I'm wondering if anyone could clarify what the expected use case 
>>should be when an AS4 pull signal message is received for the default 
>>MPC with no WS-Security user name tokens.
>>
>>Possibilities could include any of the following
>>
>>i   Return any message stored on the default MPC for the default user as
>>defined in section 4.3 of the ebms 3 core spec.
>>
>>ii  Return an HTTP 401 authorisation failed unknown reason.
>>
>>--
>>Regards
>>Theo
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe from this mail list, you must leave the OASIS TC that 
>>generates this mail.  Follow this link to all your TCs in OASIS at:
>>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>
>
>
>
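
Added example, not part of the thread and not any participant's implementation: a sketch of the layering discussed above, where the MSH authorizes a pull using either a verified WSSE username or an identity the gateway authenticated at the HTTP layer. The field names, the ACL structure, and the choice to refuse a pull that carries no credentials at either layer are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Default MPC URI from the ebMS 3 core specification.
DEFAULT_MPC = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/defaultMPC"


@dataclass(frozen=True)
class PullRequest:              # hypothetical view of a pull signal as seen by the MSH
    mpc: Optional[str]          # None means the default MPC
    wsse_username: Optional[str]    # set only after the WSSE password was verified
    transport_user: Optional[str]   # identity forwarded by the gateway (Basic Auth / TLS client cert)
    via_trusted_gateway: bool   # True only if the hop from the gateway itself was authenticated


@dataclass(frozen=True)
class Decision:
    allowed: bool
    principal: Optional[str]
    reason: str


def authorize_pull(req: PullRequest, mpc_acl: Dict[str, Set[str]]) -> Decision:
    """Decide whether the MSH should serve a pull, given both layers' identities."""
    mpc = req.mpc or DEFAULT_MPC
    if req.wsse_username:
        principal, source = req.wsse_username, "wsse"
    elif req.transport_user and req.via_trusted_gateway:
        # The "glue": the MSH trusts an identity only when the gateway asserted it.
        principal, source = req.transport_user, "transport"
    elif req.transport_user:
        return Decision(False, None, "transport identity not asserted by trusted gateway")
    else:
        return Decision(False, None, "no credentials at message or transport layer")
    # Authentication alone is not enough: the principal must be allowed on this MPC.
    if principal not in mpc_acl.get(mpc, set()):
        return Decision(False, principal, "principal not authorized for MPC")
    return Decision(True, principal, f"authenticated via {source}")


# Constructed sample ACL: which principals may pull from which MPC.
SAMPLE_ACL = {DEFAULT_MPC: {"partnerA"}}
```

A missing WSSE header is not an error here as long as the gateway supplied an authenticated identity; a forwarded username that did not come through the trusted gateway is refused.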

