My hypothesis is based on the way j2ee container managed security works. The session state is maintained on the server, so the client only has to authenticate once per session (the first time it requests a resource). From then on, until the session expires or the user closes the browser, all requests to the same server contain an ID in the cookie which the container uses to retrieve the session info for the client.
Now if I could only figure out how to send the cookie...

Wes

-----Original Message-----
From: Douglas Bitting [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 10:03 AM
To: '[EMAIL PROTECTED]'; 'Wes Hinkle'
Subject: RE: Enabling HTTP Coookies (was J2EE Container Manages Security)

Hmmm... I think your hypothesis is incorrect. Presumably, this is what your setup looks like:

                  http                  http
    HTTP Client ------> Servlet/J2EE ------> Web Service

If this is the case, then the session between the HTTP Client and the Servlet/J2EE node is authenticated. However, the connection between Servlet/J2EE and the Web Service is an entirely different connection and needs its own authentication/authorization step. That is, the security context does not propagate since it is an entirely different HTTP connection.

Cheers,
--Doug

-----Original Message-----
From:
Sent: Wednesday, June 26, 2002 9:51 AM
To: '[EMAIL PROTECTED]'
Subject: Enabling HTTP Coookies (was J2EE Container Manages Security)

Thanks for your response. Since I'm using J2ee container managed security and I'm calling the web service from the context of a resource the user has already authenticated to, all I need to do (hypothetically) is enable cookies for the axis call. The container should pick up the session ID and authenticate the user for me.

The problem I'm having now is getting Axis to send the cookies. Can this be done without a custom handler? Calling setMaintainSession(true) on the Call does not seem to be working.

Wes

-----Original Message-----
From: Douglas Bitting [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 25, 2002 11:55 AM
To: '[EMAIL PROTECTED]'; 'Wes Hinkle'
Subject: RE: J2EE Container Manages Security

Without getting into too much detail, this isn't difficult to do.

+) Put a handler in the requestFlow of your service. For example,

    <service ...>
      ...
      <requestFlow>
        <handler type="java:your.handler.class.here"/>
      </requestFlow>
    </service>

+) Your handler class should extend BasicHandler and implement invoke(MessageContext msgContext).

+) You can pick up the username/password from the message context. If you are using HTTP BASIC authentication, the protocol requestFlow handler HTTPAuthHandler should have populated msgContext.getUsername() and msgContext.getPassword(). If you're using some other method to pass username/password, this step is left up to you to figure out... :-)

+) Use weblogic.servlet.security.ServletAuthentication.weak(username, password, session) to authenticate.

This works for me on WL 6.1...

--Doug

-----Original Message-----
From: Wes Hinkle [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 25, 2002 11:44 AM
To: '[EMAIL PROTECTED]'
Subject: J2EE Container Manages Security

Has anyone had any experience integrating Axis services with WebLogic container managed security? I have a web service that is called from an applet in the context of a Web application. The user is authenticated by the Web tier. The service calls an EJB and must return data based on the caller principal. getCallerPrincipal() always returns 'guest'.

- I've tried configuring the web service to pass the sessionId with the request by calling setMaintainSession(true) on the Call object and configuring the scope of the service to 'Session'
- I've also tried putting a security constraint in Web.xml allowing the role everyone access to the url pattern services/* (this broke connectivity to the service)

Any suggestions would be greatly appreciated.

Wes
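
The handler steps from the June 25 reply, put together as an added sketch (not code posted by anyone in this thread). The class name is hypothetical, and the sketch assumes the service runs under AxisServlet, so the servlet request is available under HTTPConstants.MC_HTTP_SERVLETREQUEST, and that ServletAuthentication.weak() returns ServletAuthentication.AUTHENTICATED on success.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;

import weblogic.servlet.security.ServletAuthentication;

// Hypothetical requestFlow handler: binds the caller's credentials to the
// WebLogic session so the EJB tier sees the real principal, not 'guest'.
public class ContainerAuthHandler extends BasicHandler {

    public void invoke(MessageContext msgContext) throws AxisFault {
        // Populated by HTTPAuthHandler when HTTP BASIC authentication is used.
        String username = msgContext.getUsername();
        String password = msgContext.getPassword();
        if (username == null || password == null) {
            // Fail closed: never fall through to the anonymous principal.
            throw new AxisFault("No credentials supplied with the request");
        }

        // Assumption: the HTTP transport (AxisServlet) stored the request here.
        HttpServletRequest request = (HttpServletRequest)
                msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (request == null) {
            throw new AxisFault("No servlet request; not called over HTTP");
        }

        // The session the container will associate with the authenticated user.
        HttpSession session = request.getSession(true);

        // Programmatic login against the WebLogic security realm.
        int result = ServletAuthentication.weak(username, password, session);
        if (result != ServletAuthentication.AUTHENTICATED) {
            // Do not log the password or echo it back in the fault.
            throw new AxisFault("Authentication failed for user " + username);
        }
    }
}
```

With HTTP BASIC the password crosses the wire on every call, so the hop between the servlet tier and the web service should run over HTTPS.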
