Tony Dean wrote:
> First for webservices you don't want to use basic authentication... you want to use ws-security standard. And I experienced the same frustration that you are having... how do you integrate axis2 security into the container's security sandbox... as far as I can tell you can't. It appears that once you authenticated your web service with rampart module, you would then have to trigger the websphere security framework which would reauthenticate with these credentials and thereby produce a JAAS subject such that your business logic could use.
The WS-Security path is one that we'd like to follow, but not all of our clients are going to be able to do that, and to be honest I don't fully understand how we're supposed to implement that anyway. It's on the list, but in the interim the servlets themselves should be protected.
> Otherwise, you go down the road of using basic authentication so that websphere can drive the authentication process implicitly... this is servlet based authentication and not web service based authentication.
Right. This is the road I want to follow for now. My understanding of the servlet spec is that the web.xml I have provided SHOULD engage authentication, even if it's only piddly-ole BASIC auth. So I'm trying to grok why it fails to do that.
> I think you need to use the native websphere web service stack to do what you want. Please correct me if I am wrong.
I would expect, however, that you can use WebSphere's *servlet* stack to do authentication, which is what I wanted to do in the first place. We have explicitly moved away from the container-specific web service implementations, because we support our application on three app containers right now, with the possibility of others later.
-----Original Message-----
From: Chris Rose [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 06, 2008 4:25 PM
To: [email protected]
Subject: WebSphere 6.1 security and Axis2

I am trying to deploy axis2 on WebSphere Application Server 6.1 in an enterprise application that contains additional EJB jars. I am able to invoke the web services with no difficulty (I can set breakpoints inside their implementations and see logging from our service implementation) so -- for the record -- Axis2 seems to be working as advertised.

However, I have a problem, and I am hoping that someone with experience with Axis2 and WebSphere can point me down the path to fixing it.

Our session beans -- to which we delegate for business logic from the web service facade -- require that the user be authenticated in the container. Not only is that a security concern, but we extract custom credentials from the Subject in order to do the work.

The web services, however, despite my best effort, cannot be made to require authentication. I am not using ws-security, I am attempting to simply use HTTP basic authentication for the web application, but nothing I do can provoke WebSphere to provide me with a password request dialog for any of the servlets. I am testing this by navigating in a web browser to the service listing page, which simply bypasses all of the login modules defined in WEB_INBOUND in the container.

Attached is the web.xml from the final, deployed axis2 WAR file. I would dearly like to know why this does not result in my being required to provide a password.

If anyone can help me, I would be very grateful.

-- Chris Rose Developer Planet Consulting Group (780) 577-8433 [EMAIL PROTECTED]
-- Chris Rose Developer Planet Consulting Group (780) 577-8433 [EMAIL PROTECTED]
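
Added example, not part of the thread and not the web.xml attached to it: a Python check of a deployment descriptor for the servlet-spec elements that container-managed BASIC authentication depends on, listing servlet mappings that no role-bearing security-constraint covers. The sample descriptor, its servlet names, URL patterns and role name are constructed; the check reads only web.xml, ignores `http-method` restrictions, and says nothing about container-side security settings or role mappings.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the thread's web.xml; names and patterns are assumptions.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping><servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/axis2-admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>wsuser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def _find(el, name):
    """Descendants of el with the given local tag name, ignoring namespaces."""
    return [e for e in el.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(el, name):
    return [(e.text or "").strip() for e in _find(el, name)]

def covers(constraint, mapping):
    """True if every path matched by `mapping` is also matched by `constraint`."""
    if constraint in ("/*", mapping):
        return True
    if constraint.endswith("/*"):
        prefix = constraint[:-2]
        return mapping == prefix or mapping.startswith(prefix + "/")
    return False

def audit(web_xml):
    root = ET.fromstring(web_xml)
    protected, roles_used = [], set()
    for sc in _find(root, "security-constraint"):
        roles = _texts(sc, "role-name")
        if roles:  # only a constraint naming a role makes the container ask for a login
            protected += _texts(sc, "url-pattern")
            roles_used.update(roles)
    declared = {r for sr in _find(root, "security-role") for r in _texts(sr, "role-name")}
    mappings = [p for m in _find(root, "servlet-mapping") for p in _texts(m, "url-pattern")]
    methods = _texts(root, "auth-method")
    return {
        "auth_method": methods[0] if methods else None,
        "unprotected": [m for m in mappings if not any(covers(c, m) for c in protected)],
        "undeclared_roles": sorted(roles_used - declared),
    }
```

On the constructed sample, `audit(SAMPLE_WEB_XML)` reports `/services/*` as unprotected and `wsuser` as a role used in a constraint without a matching `security-role` declaration.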
