OASIS ebXML Messaging Services TC

  • 1.  AS4 - clarification on pulling from the default channel with no WS-Security UserName tokens

    Posted 05-09-2013 12:35
    Hi All

    I'm wondering if anyone could clarify what the expected use case should be when an AS4 pull signal message is received for the default MPC with no WS-Security user name tokens.

    Possibilities could include any of the following

    i Return any message stored on the default MPC for the default user as defined in section 4.3 of the ebms 3 core spec.

    ii Return an HTTP 401 authorisation failed unknown reason.

    --
    Regards
    Theo


  • 2.  Re: [ebxml-msg] AS4 - clarification on pulling from the default channel with no WS-Security UserName tokens

    Posted 05-09-2013 14:40
    Hi Theo

    We do support plain old basic auth in our implementation. This is because some of our clients did not agree to support WS-S. They only agreed to support the basic auth. So we built some authorization around the username that we get access to and determine if there is a message in the default queue.

    ~Makesh

    On 5/9/13 5:34 AM, "Theo Kramer" <theo@flame.co.za> wrote:

    > Hi All
    >
    > I'm wondering if anyone could clarify what the expected use case should be when an AS4 pull signal message is received for the default MPC with no WS-Security user name tokens.
    >
    > Possibilities could include any of the following
    >
    > i Return any message stored on the default MPC for the default user as defined in section 4.3 of the ebms 3 core spec.
    >
    > ii Return an HTTP 401 authorisation failed unknown reason.
    >
    > --
    > Regards
    > Theo


  • 3.  RE: [ebxml-msg] AS4 - clarification on pulling from the default channel with no WS-Security UserName tokens

    Posted 05-09-2013 15:05
    I'm guessing, Makesh, that implementation occurs at the HTTP transport layer, correct? Not at the AS4 message processing layer, right? You are talking about HTTP Basic Auth, right?

    Theo's question is really about the AS4 MSH use case for the ebHandler receiving a Pull Request with no WSSE token on the default MPC. It would seem at first blush based on Section 2.3.1 and 3.3 that "minimally" a pull request is authenticated by either a WSSE username/password token -OR- the alternative use of HTTPs client authentication of an SSL certificate (obviously X.509 authentication is also supported). Unlike the Minimal Sender, which has a non-secure push scenario (presumably because the receiver can "authenticate" using the Party-ID, et al. in the as4 message header), there is no provision of a "non-authenticated" pull request -- even on the default MPC.

    Is my understanding correct, here?


  • 4.  Re: [ebxml-msg] AS4 - clarification on pulling from the default channel with no WS-Security UserName tokens

    Posted 05-09-2013 15:41
    Hi Timothy

    Yes, the authentication happens at the HTTP layer as you say, but since it is the MSH that needs to honor the Pull, we have had to build functionality to "trust" the gateway that does the authentication and use the credentials being passed to service the Pull.

    So if you ask how does your AS4 MSH handle a missing WSSE username/password? I'll say we don't throw an error and support an unauthenticated Pull because there is never a WSSE header in some cases.

    Thanks
    Makesh

    On 5/9/13 8:05 AM, "Timothy Bennett" <timothy@drummondgroup.com> wrote:

    > I'm guessing, Makesh, that implementation occurs at the HTTP transport layer, correct? Not at the AS4 message processing layer, right? You are talking about HTTP Basic Auth, right?
    >
    > Theo's question is really about the AS4 MSH use case for the ebHandler receiving a Pull Request with no WSSE token on the default MPC. It would seem at first blush based on Section 2.3.1 and 3.3 that "minimally" a pull request is authenticated by either a WSSE username/password token -OR- the alternative use of HTTPs client authentication of an SSL certificate (obviously X.509 authentication is also supported). Unlike the Minimal Sender, which has a non-secure push scenario (presumably because the receiver can "authenticate" using the Party-ID, et al. in the as4 message header), there is no provision of a "non-authenticated" pull request -- even on the default MPC.
    >
    > Is my understanding correct, here?


  • 5.  RE: [ebxml-msg] AS4 - clarification on pulling from the default channel with no WS-Security UserName tokens

    Posted 05-09-2013 16:55
    Ok... so in this sense, it's not much different than the alternative pull authorization explicitly detailed in section 3.3 of the AS4 spec that uses the client authentication of a pull request over HTTPs. In the same way, the transport layer is providing the authentication and the MSH layer "trusts" the gateway and there's some glue between the two layers to make that seamless. We could have easily had a section in the AS4 spec that explicitly supports Basic Authentication for pull requests as an alternative method. I get it. Thanks.
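
Added example, not part of the thread and not any participant's implementation: a sketch of the MSH-side decision discussed above, where a PullRequest is served only for an identity established either by a WSSE UsernameToken or by the transport layer (TLS client certificate or a trusted gateway's Basic Auth), and a request with neither is refused even on the default MPC. The ACL, the credential store, the `urn:example` MPC, the function names and the minimal sample envelope are all constructed assumptions.

```python
import hmac
import xml.etree.ElementTree as ET  # demo only; use a hardened XML parser for untrusted input

EB = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"eb": EB, "wsse": WSSE}
DEFAULT_MPC = EB + "defaultMPC"

# Constructed sample data (assumptions): who may pull from which MPC, and WSSE passwords.
MPC_ACL = {DEFAULT_MPC: {"partner-a"}, "urn:example:mpc:orders": {"partner-b"}}
WSSE_USERS = {"partner-a": "constructed-password"}
AUTH_FAILED = "EBMS:0101 FailedAuthentication"

def sample_pull(mpc=None, user=None, password=None):
    """Build a constructed, minimal SOAP 1.2 envelope carrying an eb:PullRequest."""
    token = ""
    if user is not None:
        token = (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
                 f"<wsse:Username>{user}</wsse:Username><wsse:Password>{password}"
                 "</wsse:Password></wsse:UsernameToken></wsse:Security>")
    attr = f' mpc="{mpc}"' if mpc else ""
    return ('<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">'
            f'<S:Header>{token}<eb:Messaging xmlns:eb="{EB}"><eb:SignalMessage>'
            f"<eb:PullRequest{attr}/></eb:SignalMessage></eb:Messaging>"
            "</S:Header><S:Body/></S:Envelope>")

def authorize_pull(soap_xml, transport_identity=None):
    """transport_identity: name authenticated below the MSH (TLS client
    certificate or gateway Basic Auth), or None. Returns (allowed, detail)."""
    root = ET.fromstring(soap_xml)
    pull = root.find(".//eb:SignalMessage/eb:PullRequest", NS)
    if pull is None:
        return False, "not a PullRequest"
    mpc = pull.get("mpc", DEFAULT_MPC)  # no mpc attribute means the default MPC
    token = root.find(".//wsse:UsernameToken", NS)
    if token is not None:  # a presented token must verify; never fall back past it
        user = token.findtext("wsse:Username", "", NS)
        supplied = token.findtext("wsse:Password", "", NS).encode()
        expected = WSSE_USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), supplied):
            return False, AUTH_FAILED
        identity = user
    else:
        identity = transport_identity
    if not identity:  # no WSSE token and nothing from the transport layer
        return False, AUTH_FAILED
    if identity not in MPC_ACL.get(mpc, set()):
        return False, "identity not authorized for this MPC"
    return True, identity
```

The gateway-trust variant only holds if `transport_identity` can be set by nothing except the authenticating layer itself, for example by stripping any client-supplied identity header at the gateway.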