Thanks a lot for the detailed description! I think this will work fine
for me. One more question about this though: Can I read the username
inside the web service? Or is there any way of getting information like
the group a user belongs to inside the web service to read it there? It
sounds like the Service does get any of this info since the
authentication is completely transparent to the service itself.
Thanks.
Michael
by "Web Services are made out of Session EJBs" you mean you have
Session EJBs that expose a SOAP-over-HTTP interface? WSS4J uses 2
handlers, one client-side and one server-side (WSDoAllSender (client)
and WSDoAllReceiver (server)) which plug into the handler chain
supported by Axis to "intercept" the request on its way to the
server. WSDoAllSender adds a WSSecurity header to the SOAP message on
send (configured using a properties file). WSDoAllReceiver then
processes the incoming message, validates whatever it's configured to
validate and then passes the request on to your handlers/service (or
rejects the message if it does not validate properly). to add
UsernameTokens to a request and process them on the server requires a
CallbackHandler on the client side which can provide the password for
a user. this is then processed into a UsernameToken, included in the
SOAP header, and on the server side you'll need another
CallbackHandler which can provide the password for the user (pulled
from LDAP) which WSS4J will compare to what's provided in the
UsernameToken and thus authenticate the message before your service
(however it's implemented) ever gets called. it's quite transparent
for the most part. it also inserts a few entries in the
MessageContext so you can later determine what kind of authentication
has been done.
hth.
.......................ron.
Michael Rudolf wrote:
Is there any difference in case the Web Services are made out of
Session EJBs? Or does WSS4J work the same way in that case?
Thanks!
Michael
you may want to look at WSS4J and UsernameTokens. they're pretty
straight-forward as long as your client can support them. they are
part of the WS-Security standard if you want to stick with "endorsed"
authentication mechanisms. then on the server-side you'll typically
need a JNDI interface to your LDAP server to authenticate the user on
that side.
hth.
................ron.
Hi,
Is there any tutorial or example for authenticating users of web
services by username and pass over HTTPS? Can anybody explain in more
detail how this works? Is there any alternative to it? I want to query
Axis web services from a portal. That uses LDAP for authentication. I
would like to use the same directory for authenticating the users at
the web services that are being queried.
Thanks for any help!
Michael
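
Added example, not part of the thread and not WSS4J's own code: the server-side comparison described above, written out for the PasswordDigest form of the WS-Security UsernameToken (an assumption; the thread does not say which password type is used). The class and method names are hypothetical, and the `directory` map is a constructed stand-in for the LDAP lookup done by the server-side CallbackHandler.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class UsernameTokenDigestCheck {

    // UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password)),
    // where nonce is the decoded bytes of the Base64 <wsse:Nonce> value.
    static String passwordDigest(String nonceB64, String created, String password)
            throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64));
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Server side. `directory` is a hypothetical stand-in for the LDAP lookup that
    // the server-side CallbackHandler performs. Replay protection (nonce cache,
    // freshness of `created`) is deliberately out of scope here.
    static boolean validate(Map<String, String> directory, String user, String nonceB64,
                            String created, String receivedDigest) throws Exception {
        String stored = directory.get(user);
        if (stored == null) {
            return false; // unknown user: reject before the service is invoked
        }
        byte[] expected = passwordDigest(nonceB64, created, stored)
                .getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time
        return MessageDigest.isEqual(expected,
                receivedDigest.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not taken from the thread.
        Map<String, String> directory = Map.of("michael", "constructed-password");
        String nonce = Base64.getEncoder()
                .encodeToString("constructed-nonce-01".getBytes(StandardCharsets.UTF_8));
        String created = "2005-06-01T12:00:00Z";
        // Client side: the digest the sending handler would place in the token.
        String good = passwordDigest(nonce, created, "constructed-password");
        String bad = passwordDigest(nonce, created, "wrong-password");
        System.out.println("correct password: " + validate(directory, "michael", nonce, created, good));
        System.out.println("wrong password:   " + validate(directory, "michael", nonce, created, bad));
        System.out.println("unknown user:     " + validate(directory, "nobody", nonce, created, good));
    }
}
```

Because the digest is recomputed from the cleartext password, the server-side lookup has to return the password itself, which is why the callback supplies a password rather than a yes/no answer.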