Former Member

User authentication for SOAP service

Hi,

Currently we are developing a SOAP to RFC scenario for our client. We will receive the request from a website, process the data, and send the response back to the website itself. We have successfully implemented the interface, but the source system owners are not happy with enclosing the username and password in the URL itself. They feel it is a security threat to enclose the username and password in it. Currently we have provided the URL in the below format,

https://hostname:port/XISOAPAdapter/MessageServlet?channel=:Businesssystem:CommunnicationChannel&nosoap=true&sap-user=username&sap-password=password

Is there anything that could be done, so that we don't have to provide the username and password in the URL. Also they mentioned that they don't have a provision like the SOAP UI tool to enter the username and password in their system, where they can only pass the URL. The source application uses Java for their development.

Kindly help me on this.


3 Answers

  • Best Answer
    Mar 05, 2012 at 11:08 AM

    Hi,

    When you provide a username and password in SOAP UI, it is then passed to the SOAP Header, and later on it is read by PI from there for authentication test. Using user name and password in URL is only an alternative for this basic method.

    Now, since the sender system is some Java tool, it can use the normal SOAP authentication in the SOAP Header. Please find an example here on how you can add the SOAP Header Authentication to a web service call:

    http://www.codeproject.com/Articles/4398/Authentication-for-Web-Services-using-SOAP-headers

    And just like Mark and Shabarish, I would definitely not recommend turning off the authentication for the whole adapter. It is by far less safe than providing user name and password in the URL 😊

    Hope this helps,

    Greg

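An added example, not code from this thread or from SAP: a minimal Java 11+ client that sends the credentials in the HTTP `Authorization` header instead of the `sap-user`/`sap-password` URL parameters, assuming the SOAP sender adapter accepts HTTP Basic authentication. Host, port, channel name, payload, and the `PI_USER`/`PI_PASSWORD` environment variable names are placeholders.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.stream.Collectors;

public class SoapBasicAuthClient {
    // Drop sap-user / sap-password if a legacy URL still carries them, so the
    // secret never ends up in proxy logs, access logs or monitoring tools.
    static URI stripCredentials(String url) {
        int q = url.indexOf('?');
        if (q < 0) return URI.create(url);
        String kept = Arrays.stream(url.substring(q + 1).split("&"))
            .filter(p -> !p.startsWith("sap-user=") && !p.startsWith("sap-password="))
            .collect(Collectors.joining("&"));
        return URI.create(url.substring(0, q) + (kept.isEmpty() ? "" : "?" + kept));
    }

    // HTTP Basic: base64("user:password"). Encoding only, so TLS is still required.
    static String basicAuth(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    static HttpRequest buildRequest(String url, String user, String pw, String payload) {
        return HttpRequest.newBuilder(stripCredentials(url))
            .header("Authorization", basicAuth(user, pw))
            .header("Content-Type", "text/xml; charset=UTF-8")
            .POST(HttpRequest.BodyPublishers.ofString(payload, StandardCharsets.UTF_8))
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed legacy URL in the format from the question (placeholder values).
        String legacy = "https://pi.example.invalid:50001/XISOAPAdapter/MessageServlet"
            + "?channel=:BusinessSystem:CommunicationChannel&nosoap=true"
            + "&sap-user=username&sap-password=password";
        String user = System.getenv().getOrDefault("PI_USER", "demo_user");
        String pw = System.getenv().getOrDefault("PI_PASSWORD", "demo_pw");
        HttpRequest req = buildRequest(legacy, user, pw, "<ns:Request xmlns:ns=\"urn:example\"/>");
        System.out.println("Request URI: " + req.uri()); // query no longer holds credentials
        if (args.length > 0 && args[0].equals("--send")) { // only contact the server on request
            HttpResponse<String> rsp = HttpClient.newHttpClient()
                .send(req, HttpResponse.BodyHandlers.ofString());
            System.out.println("HTTP " + rsp.statusCode());
        }
    }
}
```

Run without arguments to see the cleaned URL; pass `--send` to post the request to a real endpoint.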

  • Mar 05, 2012 at 06:17 AM

    Hello,

    Is there anything that could be done, so that we don't have to provide the username and password in the URL. Also they mentioned that they don't have a provision like the SOAP UI tool to enter the username and password in their system, where they can only pass the URL. The source application uses Java for their development.

    Disabling the authentication will disable it for the whole SOAP sender adapter. You can check the replies in this thread by Bhavesh regarding the creation of a userID

    authentication-for-webservice

    Hope this helps,

    Mark


  • Mar 05, 2012 at 10:59 AM

    Yes. Currently there is indeed an option to disable the authentication, but it is not at a specific SOAP adapter level but the entire SOAP adapter component itself.

    Refer to the solution here, which is not recommended for production scenarios 😊 Exposing anonymous WS
