Instead of including the username/password in the SOAP envelope, use HTTP
authentication (Axis will extract the authentication information from the
HTTP headers and populate username and password in MessageContext for you);
you can then use either Digest authentication or Basic authentication over
SSL.


HTH,
Ian

Ian D. Stewart
Open Systems Engineer II
Enterprise Midrange - Bank One Infrastructure & Operations
[EMAIL PROTECTED]
(614) 244-2564
Jon Blower <[EMAIL PROTECTED]> on 10/06/2003 09:33:01 AM

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:

Subject:  Simple username-password security with Axis?



Dear Axis users,

I would like to add a very basic level of security to my Web Service.  I
would like users to be authenticated by simply including a username and
password in the SOAP message when calling the Web Service.

What's the easiest way of encrypting the username/password so it can't be
decrypted if someone intercepts the SOAP message?  I don't need a solution
with maximum security - the authentication is basically to keep track of
who's using the Web Service and to provide different levels of access to
different users.  The Web Service in question involves significant server
load, so the security is just intended to prevent unauthenticated users
submitting requests that will hold up the server.

I have even considered sending the username/password unencrypted, but
ideally I would like a bit more security than this if it's not hard to
implement.  Only the username/password part of the message would have to
be encrypted.

I've looked on the Web for appropriate toolkits/APIs but haven't been able
to track down an obvious solution.

Thanks in advance for any help or advice,

Jon


--
--------------------------------------------------------------
Dr Jon Blower              Tel: +44 118 378 5213 (direct line)
Research Fellow            Tel: +44 118 378 8741 (ESSC)
ESSC                       Fax: +44 118 378 6413
University of Reading      Email: [EMAIL PROTECTED]
3 Earley Gate
Reading RG6 6AL, UK
--------------------------------------------------------------
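To make the approach Ian describes concrete, here is an added example (not code from the thread or from the Axis project itself) of the "Basic authentication over SSL" option: an Axis 1.x request handler that takes the username and password which AxisServlet has already copied from the HTTP Authorization header into the MessageContext, refuses them on a non-TLS connection, checks them against a small constructed user table, and records the caller's access level for the service to act on. The package, class and property names, the sample users and the WSDD fragment in the comment are assumptions for illustration; the Axis API calls (BasicHandler, MessageContext.getUsername/getPassword, HTTPConstants.MC_HTTP_SERVLETREQUEST, Call.setUsername/setPassword) are the ones Axis 1.x provides.

```java
// Added example: Axis 1.x handler enforcing HTTP Basic auth over SSL.
// Deploy it in front of the service in the WSDD, for instance:
//   <handler name="httpAuth" type="java:example.auth.HttpAuthHandler"/>
//   <service name="MyService" provider="java:RPC">
//     <requestFlow><handler type="httpAuth"/></requestFlow>
//     ...
//   </service>
package example.auth;

import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;

public class HttpAuthHandler extends BasicHandler {

    // MessageContext property under which later handlers and the service
    // implementation can read the caller's access level (our own name).
    public static final String ACCESS_LEVEL = "example.auth.level";

    private static final class Account {
        final byte[] password;   // demo only: store a salted hash in real use
        final String level;
        Account(String password, String level) {
            this.password = utf8(password);
            this.level = level;
        }
    }

    // Constructed sample user store; replace with a file or database lookup.
    private static final Map<String, Account> USERS = new HashMap<String, Account>();
    // Dummy value compared against when the user is unknown, so the request
    // takes the same time whether or not the username exists.
    private static final byte[] UNKNOWN = utf8("no-such-user-password");
    static {
        USERS.put("alice", new Account("alice-secret", "full"));
        USERS.put("bob",   new Account("bob-secret",   "limited"));
    }

    public void invoke(MessageContext msgContext) throws AxisFault {
        // 1. Never accept a password that travelled over plain HTTP.
        HttpServletRequest req = (HttpServletRequest)
            msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (req == null || !req.isSecure()) {
            throw new AxisFault("Server.Unauthenticated",
                "Credentials are only accepted over HTTPS", null, null);
        }

        // 2. AxisServlet has already decoded "Authorization: Basic ..." and
        //    stored the result in the MessageContext; nothing is read from
        //    the SOAP body.
        String user = msgContext.getUsername();
        String pass = msgContext.getPassword();
        if (user == null || pass == null) {
            throw new AxisFault("Server.Unauthenticated",
                "HTTP Basic credentials required", null, null);
        }

        // 3. Constant-time comparison, performed even for unknown users.
        Account acct = USERS.get(user);
        byte[] expected = (acct != null) ? acct.password : UNKNOWN;
        boolean match = MessageDigest.isEqual(expected, utf8(pass));
        if (acct == null || !match) {
            throw new AxisFault("Server.Unauthenticated",
                "Bad username or password", null, null);
        }

        // 4. Expose the access level so the service can apply per-user limits.
        msgContext.setProperty(ACCESS_LEVEL, acct.level);
    }

    // Client side: Call.setUsername/setPassword make Axis's HTTP transport send
    // "Authorization: Basic base64(user:pass)". Use an https:// endpoint so the
    // header is encrypted in transit.
    public static Call authenticatedCall(String httpsEndpoint,
                                         String user, String pass) throws Exception {
        Call call = (Call) new Service().createCall();
        call.setTargetEndpointAddress(new URL(httpsEndpoint));
        call.setUsername(user);
        call.setPassword(pass);
        return call;
    }

    private static byte[] utf8(String s) {
        try {
            return s.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The service implementation can read `msgContext.getProperty(HttpAuthHandler.ACCESS_LEVEL)` via `MessageContext.getCurrentContext()` to decide how much work a given caller is allowed to submit. The `isSecure()` check matters: Basic credentials are only base64-encoded, so without TLS the handler would be accepting a password anyone on the path could read.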