The following table describes three optional entries in the Waveset.properties file that you can use to control how SPML requests are authorized.
Table 1–2 Optional Entries in Waveset.properties
| Entry Name | Description |
|---|---|
| soap.username | Name of the Waveset user who performs SPML requests |
| soap.password | Clear text password for the user specified by soap.username |
| soap.epassword | Base-64 representation of an encrypted password for the user specified by soap.username |
The user specified in soap.username is known as the proxy user.
You can specify only one password property for the proxy user:
- Specifying soap.password is the simplest option, but this property exposes a clear text password in the properties file.
- Specifying soap.epassword is a more secure option, but you must perform extra steps to generate an encrypted password.
Establishing a proxy user is convenient for clients because authentication is not required by the web service. This configuration is common for portal environments where the Waveset server is only accessed by other applications that handle user authentication.
Using a proxy user can be dangerous if the HTTP port on which the responding server listens is generally accessible. Anyone who knows the Waveset server's URL and understands how to build SPML requests can submit operations that Waveset carries out with the proxy user's rights.
The SPML standard does not specify how to perform authentication and authorization. Several related web standards are available for authentication, but these standards are not yet in common use. At this time, the most common approach for authentication is to use the Secure Sockets Layer (SSL) between applications and the server. Waveset does not dictate how to configure SSL.
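The following added example is not part of the Waveset product or its documentation; it is a small audit script that reads a Waveset.properties file and reports the proxy-user conditions described above: a proxy user being enabled at all, a clear text soap.password, and both password properties being set at once. The sample file content is constructed for the example.

```python
import re

# Constructed sample Waveset.properties content; not taken from any real deployment.
SAMPLE_PROPERTIES = """
# SPML proxy user configuration
soap.username=spmlproxy
soap.password=Secret123
soap.epassword=QUJDRA==
"""

PASSWORD_KEYS = ("soap.password", "soap.epassword")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_proxy_user(props):
    """Return a list of findings about the soap.* proxy-user entries."""
    findings = []
    user = props.get("soap.username")
    present = [k for k in PASSWORD_KEYS if k in props]
    if user is None:
        if present:
            findings.append("password property set without soap.username")
        return findings
    # A proxy user means unauthenticated SPML clients act with this user's rights.
    findings.append(f"proxy user '{user}' enabled: unauthenticated SPML clients act as this user")
    if len(present) > 1:
        findings.append("both soap.password and soap.epassword set; only one is allowed")
    if "soap.password" in props:
        findings.append("soap.password stores a clear text password; prefer soap.epassword")
    if not present:
        findings.append("soap.username set but no password property")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_user(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```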
If you cannot use a proxy user or SSL, Waveset supports a vendor-specific extension to SPML that allows the client to log in and maintain a session token, which can be used to authenticate subsequent requests. You can use the LighthouseClient class (an extension of the SpmlClient class that includes support for specifying credentials) to perform a login request and pass a session token in all SPML requests.
The Service Provider SPML interface does not support authentication and authorization. However, you can configure the Waveset SPML interface to use the IDMXUser view instead of using Service Provider SPML.
Service Provider assumes that clients accessing Waveset have been authenticated and authorized by an access management application. The client has all possible rights when using the Service Provider SPML interface.
To prevent sensitive data from being exposed between the client and Waveset, consider accessing the Service Provider SPML interface over SSL.
Use one of the following methods to create an encrypted password:
- Open the Waveset console and use the encrypt command.
- Open the Waveset Debug pages or console and view the XML for the proxy user. Find the WSUser element for the password attribute value and use that value for the soap.epassword property.
To access the Debug pages, open the Waveset Administrator interface and type the following URL:
`http://host:port/idm/debug`
where `host` is the local server where Waveset is running, and `port` is the TCP port on which the server is listening.