SOAP Authentication

Introduction

SOAP is an XML-based lightweight protocol for exchanging information in a decentralized, distributed environment. Since SOAP is used to provide web services, an authentication mechanism is needed so that only users with valid credentials can access those services. We have implemented a mechanism that authenticates the user using HTTP Basic authorization as the underlying mechanism, and then authorizes the user based on the web service and method he is trying to access.

How it works

We have demonstrated our implementation using the Apache web server and the Tomcat servlet container. To perform the authentication we implemented an Apache module, mod_soap_auth. Whenever the web server receives a request, mod_soap_auth handles it: it first checks whether it is a SOAP request, and if so it authenticates the user via mod_auth. If authorization succeeds and the request is arriving for the first time, a time-stamped token is put into the header and the request is forwarded to the SoapAuthentication servlet. This servlet checks whether the user has the privilege to access the particular web service and method. If he does not, the servlet returns a SOAP Fault; otherwise it redirects the request back to the web server. When the web server receives the request for the second time, the token is already present; it checks the time stamp and, if the token is still valid, directs the request straight to the servlet that handles SOAP requests.

Fig 1. How a soap request is handled
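The two-pass flow described above, modelled in Python as an added example (this is not the project's mod_soap_auth or SoapAuthentication code). The user database, privilege table, header name X-Soap-Auth-Token, token lifetime and secret are all constructed here. One choice goes beyond the text: the time-stamped token is HMAC-signed and bound to the user and the (service, method) pair that was authorized, so the second pass can only skip re-authentication for the call that was actually checked, and the time-stamp check rejects expired tokens.

```python
import base64
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
TOKEN_HEADER = "X-Soap-Auth-Token"         # hypothetical header carrying the time-stamped token
TOKEN_TTL = 300                             # seconds a token stays valid (constructed value)
TOKEN_SECRET = b"constructed-gateway-secret"

# Constructed user database and privilege table: user -> {(service, method)}.
USERS = {"alice": "s3cret", "bob": "hunter2"}
PRIVILEGES = {
    "alice": {("StockQuote", "getQuote"), ("StockQuote", "listSymbols")},
    "bob": {("StockQuote", "listSymbols")},
}


def basic_auth_header(user, password):
    """Authorization value a client sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(headers):
    """mod_auth's role: return the user name if the Basic credentials are valid, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def issue_token(user, service, method, now):
    """Time-stamped token issued after the first pass; the HMAC binds it to user and call."""
    payload = f"{user}:{service}:{method}:{int(now)}"
    sig = hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token, service, method, now):
    """Second-pass check: genuine signature, not expired, and bound to this service/method."""
    try:
        user, svc, meth, ts, sig = token.rsplit(":", 4)
        ts = int(ts)
    except ValueError:
        return None
    expected = hmac.new(TOKEN_SECRET, f"{user}:{svc}:{meth}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if (svc, meth) != (service, method) or ts > now or now - ts > TOKEN_TTL:
        return None
    return user


def soap_fault(faultstring):
    """SOAP 1.1 Fault envelope returned when authentication or authorization fails."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body><soap:Fault>'
            f'<faultcode>soap:Client</faultcode><faultstring>{escape(faultstring)}</faultstring>'
            '</soap:Fault></soap:Body></soap:Envelope>')


def is_soap_request(headers):
    """SOAP 1.1 over HTTP carries a SOAPAction header and an XML content type."""
    return "SOAPAction" in headers and headers.get("Content-Type", "").startswith("text/xml")


def method_from_body(body):
    """The method name is the local name of the first child of soap:Body.
    ET does not resolve external entities; for untrusted input defusedxml is the safer parser."""
    soap_body = ET.fromstring(body).find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    return soap_body[0].tag.rsplit("}", 1)[-1]


def handle_request(path, headers, body, now=None):
    """Model of mod_soap_auth plus the authorization servlet; returns (status, headers, body)."""
    now = time.time() if now is None else now
    if not is_soap_request(headers):
        return 400, {}, "not a SOAP request"
    service = path.rstrip("/").rsplit("/", 1)[-1]           # service name taken from the URL path
    try:
        method = method_from_body(body)
    except ET.ParseError:
        return 400, {}, soap_fault("malformed SOAP envelope")
    if method is None:
        return 400, {}, soap_fault("empty SOAP body")
    token = headers.get(TOKEN_HEADER)
    if token is not None:
        # second time through the web server: accept the token only while its time stamp is valid
        user = verify_token(token, service, method, now)
        if user is None:
            return 401, {}, soap_fault("invalid or expired token")
        return 200, {}, f"forwarded to SOAP handler as {user}"
    user = check_basic_auth(headers)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="soap"'}, soap_fault("authentication required")
    # authorization servlet: privilege check on (service, method), SOAP Fault on failure
    if (service, method) not in PRIVILEGES.get(user, set()):
        return 403, {}, soap_fault(f"{user} is not permitted to call {service}.{method}")
    return 200, {TOKEN_HEADER: issue_token(user, service, method, now)}, f"forwarded to SOAP handler as {user}"


SAMPLE_BODY = (  # constructed request envelope
    f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
    '<getQuote xmlns="urn:constructed:stockquote"><symbol>ACME</symbol></getQuote>'
    '</soap:Body></soap:Envelope>'
)
SOAP_HEADERS = {"Content-Type": "text/xml; charset=utf-8",
                "SOAPAction": '"urn:constructed:stockquote#getQuote"'}

if __name__ == "__main__":
    first = dict(SOAP_HEADERS, Authorization=basic_auth_header("alice", "s3cret"))
    status, out, _ = handle_request("/soap/StockQuote", first, SAMPLE_BODY)
    print(status, out)
    second = dict(SOAP_HEADERS, **{TOKEN_HEADER: out[TOKEN_HEADER]})
    print(handle_request("/soap/StockQuote", second, SAMPLE_BODY)[0])
```

Because Basic credentials travel in every first-pass request, the scheme only makes sense over TLS; the token lifetime bounds how long a captured token remains useful, and binding it to the authorized call keeps a token issued for listSymbols from being presented for getQuote on the second pass.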

