The Content Platform Engine server accepts incoming requests over two transport protocols: an Enterprise Java™ (EJB) transport and a web service transport. Authentication over the EJB transport is extensible through use of the JAAS standard. The Java Platform, Enterprise Edition (Java EE) application server authenticates callers before they can access the EJB. For information about extensible authentication over the EJB transport, see the JAAS links in Resources.
WS-EAF provides a pluggable authentication mechanism for the web service transport. The authentication mechanism in WS-EAF is based on the WS-Security OASIS standard and implemented with the JAAS standard.
The WS-Security standard defines how security credentials are formatted and inserted in a web service request. When a web service request arrives in the Content Platform Engine server, the Content Engine web service listener extracts the WS-Security header and performs a JAAS login that is based on its contents. If this JAAS login is successful, then the web service listener passes the request to the Content Engine EJB layer within the EJB container.
The Content Engine web service provides support for the WS-Security Username Token profile and the Kerberos profile. Support for other WS-Security-compliant approaches can be added through the WS-EAF. For links to information about the WS-Security standard and JAAS, see Resources.
In general, to extend Content Engine web services authentication, you must write a custom LoginModule and plug it into WS-EAF. Depending on the targeted application server and actual authentication mechanism, the process might be complex and require a thorough understanding of the authentication framework of different application servers.
WS-EAF supports both Java and .NET web service clients when you are using the web service transport in the Content Platform Engine server. Java clients include stand-alone Java applications, servlets, and JavaServer Pages (JSP). There are many tools available to aid in writing Java based web service applications. You can program a Java web service client by using Java API for XML-based RPC (JAX-RPC), Java API for XML Messaging (JAXM), or Apache WSS4J.
In the .NET environment, Microsoft .NET Framework 3.0 with Windows Communication Foundation (WCF) is the recommended API environment for developing web service-based clients. See Resources for links to information sources for web service client development. To take advantage of WS-EAF, users of the Content Engine .NET API can also easily send requests to the Content Platform Engine server by using the custom token types.