SOAP header: why authenticate in the header and not the body?

What's the difference between putting the user's credentials (username/password) in the header vs. putting the user's credentials (username/password) in the body?

A:

SOAP follows a format which defines the Body as the message. The Header is open ended to some degree and can be used for varying reasons by varying frameworks, whereas the Body has a sole purpose, transmitting the message.

Aaron
A: 

Well, authenticating in the SOAP Header can allow a single piece of code to authenticate all requests into the SOAP WS without knowing the actual contents of the SOAP Envelope. This can greatly reduce the amount of code you need to authenticate your services.

If you don't put it in the header, you'll need to do the authentication at the time of processing the Service, which is more expensive than NOT processing the service at all if authentication fails.

For example, check out here and here.

Anatoly G
Well, it would usually go into some sort of a filter BEFORE it gets to your handler. This is really easy to do w/ Servlets. A Filter would intercept the request before it goes to the handler. The filter would then get the headers, figure out the authentication, and if not correct, would NOT pass the request to the handler. This way, the handler is only being activated when the request is valid.
Anatoly G
Ahh, I think I get what you mean..
K001
Hmm, you still have to check the credentials again within the methods.
K001
You MAY for Authorization, but not for Authentication. These are different concerns. You can also use the Filter to insert items into the Session, this way you won't have to go back to DB for user info. Again, you want to do things that are expensive once.
Anatoly G
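The filter pattern described in this answer and its comments, as an added example that is not part of the original thread: a generic pre-handler reads a WS-Security UsernameToken from the SOAP Header only, rejects the request without ever touching the Body when credentials are missing or wrong, and hands the Body to the service method only on success. It is written in Python with the standard library rather than as a Java Servlet Filter, the user store, the `GetBalance` service and the `http://example.com/bank` namespace are constructed for the demo, and the salted PBKDF2 store stands in for whatever the real application keeps in its database.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
BANK_NS = "http://example.com/bank"  # constructed service namespace

# Constructed credential store (hypothetical users). A real deployment would
# load salted hashes from its database; the filter is what avoids repeating
# that lookup per service method.
_SALT = b"constructed-static-salt"


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _derive("correct horse")}


def authenticate(username: str, password: str) -> bool:
    """Authentication only: is this caller who they claim to be?"""
    stored = USERS.get(username)
    # Derive even for unknown users so timing does not reveal which names exist.
    candidate = _derive(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def extract_credentials(root: ET.Element):
    """Read the UsernameToken from the SOAP Header only; returns
    (username, password) or None. The Body is never inspected here, which is
    what lets one filter serve every operation the service exposes."""
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return None
    token = header.find(f".//{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return None
    user = token.findtext(f"{{{WSSE_NS}}}Username")
    pw = token.findtext(f"{{{WSSE_NS}}}Password")
    if user is None or pw is None:
        return None
    return user, pw


def auth_filter(envelope_xml: str, handler):
    """The 'filter before the handler': returns (status, payload). The handler
    runs only when header credentials verify, so an unauthenticated request
    never costs a service invocation."""
    # Note: xml.etree does not limit entity expansion; for untrusted input a
    # production filter would parse with defusedxml instead.
    root = ET.fromstring(envelope_xml)
    creds = extract_credentials(root)
    if creds is None:
        return 401, "missing credentials"
    username, password = creds
    if not authenticate(username, password):
        return 401, "invalid credentials"
    body = root.find(f"{{{SOAP_NS}}}Body")
    return 200, handler(username, body)


HANDLER_CALLS = []  # records which authenticated users reached the service


def get_balance_handler(username: str, body: ET.Element) -> str:
    """Stand-in service method (hypothetical). It trusts the identity the
    filter established and does not re-check the password; any per-account
    authorization decision would be made here, as the comments above note."""
    HANDLER_CALLS.append(username)
    account = body.findtext(f".//{{{BANK_NS}}}GetBalance/{{{BANK_NS}}}account")
    return f"balance for {account} requested by {username}"


def make_envelope(username, password, account: str) -> str:
    """Build a constructed request envelope; no Header at all when username is None."""
    header = ""
    if username is not None:
        header = f"""<soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password>{password}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>"""
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  {header}
  <soap:Body>
    <b:GetBalance xmlns:b="{BANK_NS}"><b:account>{account}</b:account></b:GetBalance>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), (None, None)]:
        print(auth_filter(make_envelope(user, pw, "ACC-1"), get_balance_handler))
    print("handler reached by:", HANDLER_CALLS)
```

The point the second answer makes shows up in `HANDLER_CALLS`: after one good request and several bad ones, only the authenticated caller ever reached the service method, and the rejected requests were turned away after parsing the Header alone. Keeping authentication in the filter and authorization in the handler keeps the two concerns separate, as the last comment describes.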