Originally posted by Stanley Tan:
Mark,
I'm using SOAP headers right now for authentication. I have a .NET Web service that exposes Web methods but requires a SOAP header to be passed along with the invocation. I've created a Java stub to the .NET Web service using AXIS and all is working fine until I call a method that requires a SOAP header. How do I go about specifying a SOAP header from a Java client that uses a stub generated from AXIS? Thanks for any input!
Stanley
Hi Stanley
Putting security data into SOAP headers now means using WS-Security. In terms of AXIS-friendly toolkits for WS-Security, the IBM WSTK is the most useful [e.g. by comparison, VeriSign's TSIK implements WS-Security but has its own SOAP stack].
WS-Security defines how security information is included in a SOAP header. At a simple level, it defines a "Security" element, and the format of security tokens which are put into that element (e.g. a UsernameToken for userid/password, or a BinarySecurityToken for an X.509 digital certificate). It also defines how to apply XML Signature and XML Encryption to these security headers, and to the rest of a SOAP message also.
You haven't specified which security parameters should go into the SOAP header, but let's say if you want to use the Java WSTK to include an X.509 certificate, then (ironically) the best place to learn how to do this is at this MSDN article:
http://msdn.microsoft.com/library/en-us/dnwebsrv/html/wsejavainterop.asp As usual with Axis, you have to configure a deployment descriptor (WSDD file). The WSDK uses information in this file to determine the signing key, which is taken from a Java keystore (JKS). Note that the private key password and the JKS password both sit in the clear - this clearly isn't ideal and care should be taken that access to this WSDD file is guarded.