[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [wsrp-interop] Re: [wsrp] Anonymous User
yes, there are other systems.
The ones I know, once they attach a config, if there is not the requied
authentication information, they reject the message.
This can currently be only solved by having two port definitions (one
secured, one unsecured).
Mit freundlichen Gruessen / best regards,
Richard Jacob
______________________________________________________
IBM Lab Boeblingen, Germany
Dept.8288, WebSphere Portal Server Development
WSRP Technical Lead
WSRP Standardization
Phone: ++49 7031 16-3469 - Fax: ++49 7031 16-4888
Email: mailto:richard.jacob@de.ibm.com
Rich Thompson
<richt2@us.ibm.co
m> To
wsrp-interop@lists.oasis-open.org
08/08/06 02:00 PM cc
Subject
[wsrp-interop] Re: [wsrp] Anonymous
User
I suspect most systems default to the guest user (if allowed) when no user
credentials are supplied. Is anyone aware of systems not following this
behavior?
Rich
Nathan Lipke
<nlipke@bea.com>
To
08/08/2006 01:36 AM Michael Freedman
<michael.freedman@oracle.com>
cc
wsrp <wsrp@lists.oasis-open.org>,
wsrp-interop@lists.oasis-open.org
Subject
Re: [wsrp] Anonymous User
True, WS-Security does not account for anonymous/guest users. SAML
suffers from the same issue. I'm a little concerned about using a string
for the username as it may interfere with existing username token
implementations. Perhaps we should sign something else (the body or a
timestamp) in the case of the anonymous user.
--
Nate
Michael Freedman wrote:
> Folks, it doesn't look like there is a formal convention in
> WS-Security to pass an anonymous/guest user identity particularly when
> relying on UserName Token or Username token with password. Am I
> mistaken? If not I wonder if there is an accidental convention in our
> wsrp implementations -- what if anything do you do in this regards?
>
> To be clear we are concerned about a situtation in which the consumer
> identifies itself to the producer (via a digital signature) and wants
> to use the UserName Token mechanism to identify the user on whose
> behalf this consumer is making the request. We want a known
> form/value that (wsrp) intercepters/the security system (if it
> supports such a concept) will map to an anonymous user/guest. Should
> this be (a nil) the lack of a UserName token? A UserName token whose
> value is ""? A Username token whose value is wsrp:minimal? Any of
> these?
> -Mike-
_______________________________________________________________________
Notice: This email message, together with any attachments, may contain
information of BEA Systems, Inc., its subsidiaries and affiliated
entities, that may be confidential, proprietary, copyrighted and/or
legally privileged, and is intended solely for the use of the individual
or entity named in this message. If you are not the intended recipient,
and have received this message in error, please immediately return this
by email and then delete it.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]