Forum OpenACS Development: Re: Permissions on webservices

Collapse
Posted by Stefan Sobernig on
As Gustaf Neumann pointed out already, for remoting by our xotcl remoting services, you can use policies quite similar to xowiki's (though with some extra privileges/ conditions) on service implementations (in the sense of acs-service-contract). In this context, we call them "invocation access policies".
Concerning authentification, it seems that HTTP basic authentification is approach is at least a start and provide accounts for the remote sites.
These policies refer more or less to the enforcing part of such an access scheme, the way how you can transfer identity information in a remoting setting is quite manifold:
  • One might use basic http authentication mechanisms to transfer credentials.
  • Cookies can also be used!
  • You can pack the credentials as header information into SOAP messages etc.
Trust-related issues are a bit more complex to handle, but there are ideas around (WS-Security, WS-Trust) to tackle these. The above, however, should be sufficient to start with.