websecurity@lists.webappsec.org

The Web Security Mailing List


user information propagation

Lebeau Frederic
Mon, Jan 23, 2012 7:53 PM

Hello,

I'm facing a problem regarding identity and user attribute propagation
within a web services architecture.
My security concern is:
user identity and user information should be propagated in a secure way,
and integrity should be ensured.
Functional guys tell me that within an SOA architecture, all services must be
"self-defined"... the service body should contain user information if the
business behind the service needs the user information, like the user id for
example...

What do you think?

Pierre de Leusse
Tue, Jan 24, 2012 8:08 AM

Frédéric,

I'm not quite sure I understand your issues. Are you afraid you would need
to replicate identity related data? Are you afraid you would need to pass
such data in clear?

There is no single good answer to these questions apart from: It's possible
to do it well. The rest is really up to your environment, both
technological and business.

Are you familiar with WS-Security and WS-Trust? If you could elaborate or
clarify I'm sure some of us on the list would be able to give you a hand.

All the best,
Pierre

On 23 January 2012 20:53, Lebeau Frederic <frederic.lebeau@websurf.be> wrote:

> Hello,
>
> I'm facing a problem regarding identity and user attribute propagation
> within a web services architecture.
> My security concern is:
> user identity and user information should be propagated in a secure way,
> and integrity should be ensured.
> Functional guys tell me that within an SOA architecture, all services must be
> "self-defined"... the service body should contain user information if the
> business behind the service needs the user information, like the user id for
> example...
>
> What do you think?


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
