A.5. Access Control and Authentication

SOAP contains no facilities for providing security, accountability or billing, assuming rather that these are functions of the underlying transport layer. As mentioned in the previous section, SOAP datagrams can be transported over many protocols. Each of these transports has its own methods of implementing access control and authentication.

Since we are using the HTTP protocol to implement the service discussed in this paper, we will focus exclusively on the security methods provided by this protocol, and specifically on the way the Apache web server implements them.

The most basic way of providing security for a web service is to limit the clients that can talk to it. This can be done based on the client machine's hostname, domain name, IP address or network address. Host-based access control, as this is commonly known, defines a set of trusted (and perhaps untrusted) hosts. If a host is trusted, anyone who uses that host will be able to use the service. Host-based access control is a function of the web server, and its implementation may vary from server to server.

Obviously, this is not always ideal. Computers are often shared by many people, and sometimes one wants to be able to allow some of these users and not others. In the same way, one might want to allow a particular user to connect to the service from anywhere.

When an HTTP server wishes to restrict access to a particular web page or service, it sends the client a WWW-Authenticate header. If the client wishes to be granted access to the page, it must reply with an Authorization header containing a valid username and password for the service [10]. This authentication method is built into the HTTP protocol, so it should be available on all web servers.

The main advantage of user-based access control is that it provides the service with a username that represents the client. This username can be used for many things, including message threading, accounting, etc. Some of these uses are discussed later in the paper.

One of the prime disadvantages of user-based access control is that the method requires that clear-text passwords be sent in the HTTP headers. This problem is not limited just to passwords, however. Using a standard HTTP connection, the content of the SOAP datagram is also prone to snooping. The simplest solution to this problem is to use transport layer security (TLS), better known as the secure sockets layer (SSL).

TLS provides an encrypted medium to transfer the HTTP headers and data. This encrypted session is established before any information is transmitted, which solves both the problem of clear-text passwords, and the readability of the SOAP datagram. For this reason, the web service described in this paper is accessible via a standard secure HTTP (HTTPS) connection as well as normal HTTP.
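
The two checks described in this section, host-based filtering followed by the WWW-Authenticate / Authorization exchange, as an added Python example (not code from the paper or from Apache). The trusted network, user table and realm name are constructed assumptions. parse_basic also shows why the header counts as clear text: Base64 is an encoding, not encryption, so anyone who can read the header recovers the password.

```python
import base64
import hmac
import ipaddress

# Constructed sample policy (assumptions, not taken from the paper).
# A real server would store password hashes, not the passwords themselves.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
USERS = {"alice": "s3cret-example"}
REALM = "soap-service"


def basic_header(user, password):
    """Build the Authorization header value a client sends (Basic scheme)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # malformed Base64 or undecodable bytes
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(client_ip, auth_header):
    """Return (status, response_headers, username) for one request."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in TRUSTED_NETS):
        return 403, {}, None  # host-based access control rejects the host
    creds = parse_basic(auth_header)
    expected = USERS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(
            expected.encode(), creds[1].encode()):
        # Challenge the client; it must retry with an Authorization header.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None
    return 200, {}, creds[0]  # username is now available for accounting
```
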