Re: Securing Hessian messages

I wonder why SSL isn't an option?  We've been very successful in getting SSL to working with Hessian using client certificate authentication.  I've also added a servlet filter to pre-process Hessian requests to so I can restrict access based on method names. 

 

Suggestion, perhaps you could use Hessian to serialize a javax.crypto.SealedObject.

 

 

 

---

From: hessian-interest-bounces-p4ZHcaHNc0TQT0dZR+AlfA@xxxxxxxxxxxxxxxx [mailto:hessian-interest-bounces-p4ZHcaHNc0TQT0dZR+AlfA@xxxxxxxxxxxxxxxx] On Behalf Of Scott Ferguson
Sent: Monday, June 11, 2007 12:52 PM
To: Serge Merzliakov
Cc: hessian-interest-p4ZHcaHNc0TQT0dZR+AlfA@xxxxxxxxxxxxxxxx
Subject: Re: [Hessian-interest] Securing Hessian messages

On Jun 4, 2007, at 10:46 PM, Serge Merzliakov wrote:

     As a newcomer, I don't know much about Hessian (my day job requires WS-Security, SOAP and the orthodox SOA stack...) but I have got the samples working and like the simplicity very much. Are there any plans to encrypt messages or some other message level security (this excludes SSL) ? I know this strays into the WS-Security space (and we don't wan't to reinvent the WS-* wheel) but it would be a compelling argument for serious evaluation in most firms considering SOA. 

I've added this as a bug report as: http://bugs.caucho.com/view.php?id=1793

I'd need to take a look to see if it's possible to add that kind of capability without increasing the complexity. 

-- Scott

_______________________________________________
hessian-interest mailing list
hessian-interest-p4ZHcaHNc0TQT0dZR+AlfA@xxxxxxxxxxxxxxxx
http://maillist.caucho.com/mailman/listinfo/hessian-interest