Thanks for your response. Since I'm using J2ee container managed security and I'm calling the web service from the context of a resource the user has already authenticated to, all I need to do (hypothetically) is enable cookies for the axis call. The container should pick up the session ID and authenticate the user for me.
The problem I'm having now is getting Axis to send the cookies. Can this be done without a custom handler? Calling setMaintainSession(true) on the Call does not seem to be working. Wes -----Original Message----- From: Douglas Bitting [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 25, 2002 11:55 AM To: '[EMAIL PROTECTED]'; 'Wes Hinkle' Subject: RE: J2EE Container Manages Security Without getting into too much detail, this isn't difficult to do. +) Put a handler in the requestFlow of your service. For example, <service ...> ... <requestFlow> <handler type="java:your.handler.class.here"/> </requestFlow> </service> +) Your handler class should extend BasicHandler and implement invoke(MessageContext msgContext). +) You can pick up the username/password from the message context. If you are using HTTP BASIC authentication, the protocol requestFlow handler HTTPAuthHandler should have populated msgContext.getUsername() and msgContext.getPassword(). If you're using some other method to pass username/password, this step is left up to you to figure out... :-) +) Use weblogic.servlet.security.ServletAuthentication.weak(username, password, session) to authenticate. This works for me on WL 6.1... --Doug -----Original Message----- From: Wes Hinkle [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 25, 2002 11:44 AM To: '[EMAIL PROTECTED]' Subject: J2EE Container Manages Security Has anyone had any experience integrating Axis services with WebLogic container managed security? I have a web service is called from an applet in the context of a Web application. The user is authenticated by the Web tier. The service calls an EJB and must return data based on the caller principle. getCallerPrinciple() always returns 'guest'. - I've tried configuring the web service to pass the sessionId with the request by calling setMaintainSession(true) on the Call object and configuring the scope of the service to 'Session' - I've also tried putting a security constraint in Web.xml allowing the role everyone access to the url pattern services/* (this broke connectivity to the service) Any suggestions would be greatly appreciated. Wes
