Title: RE: Enabling HTTP Cookies (was J2EE Container Manages Security)

I managed to have something like that working with Axis and Tomcat/JBoss, but I am not 100% sure that this is the same setup as yours. What is confusing me is the setup described:

             http                 http
HTTP Client ------> Servlet/J2EE ------> Web Service

I am not sure I understand the Servlet/J2EE ------> Web Service via http, unless your servlet implementation is calling the web service using the Axis Java client API (which I am not sure is the case, judging from the initial email).


My setup with Tomcat/JBoss is something like that:

             http                 EJB
HTTP Client ------> Servlet/J2EE ------> EJB implementation

The Servlet/J2EE is actually the Axis servlet deployed as a web application in Tomcat/JBoss, meaning that the Servlet is the web service. This web service is then using an EJB as part of its implementation.

What I managed to do is the following:
        - HTTP Client is either a .NET application or a Java one using the Axis client Java API (but none of them running within an applet). The Servlet is the Axis servlet deployed as a web application in Tomcat/JBoss.

        - My Web service is using the EJB provider of Axis (meaning that the web service implementation is an EJB, meaning that within the context of the servlet I have an EJB client object talking to an EJB server object deployed separately in the JBoss EJB container).

In the case of the Java HTTP client something like that is enough:

            // Axis client: the HTTP BASIC credentials are sent with the call
            Call call = (Call) service.createCall();
            call.setUsername(userName);
            call.setPassword(userPassword);

No need to maintain session or anything like that, this is a separate issue from authentication, I think.

In the web.xml of the Axis servlet, I have something like that to make the authentication mandatory:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Axis FirstService</web-resource-name>
      <description>Authentication required for Axis FirstService</description>
      <url-pattern>/services/FirstService/*</url-pattern>
      <!--No specific http-method specified, means that security applies to-->
      <!--all methods (GET, POST, ...)-->
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
      <role-name>role2</role-name>
      <role-name>role3</role-name>
    </auth-constraint>
    <!--No encryption (SSL) required for FirstService-->
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

I will not give extra details on the Tomcat/JBoss configuration (since it is Tomcat/JBoss specific), but it was a little bit tricky to make sure that the authentication information created in the servlet engine (Tomcat) is passed to the EJB engine (JBoss). For example, it is working only with JBoss and Tomcat running in the same JVM.

But in the end, everything worked fine. The user gets authenticated through the servlet, and the same user is used in the EJB context.

Thomas

-----Original Message-----
From: Wes Hinkle [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Enabling HTTP Cookies (was J2EE Container Manages Security)


My hypothesis is based on the way J2EE container managed security works. The
session state is maintained on the server, so the client only has to
authenticate once per session (the first time it requests a resource). From
then on, until the session expires or the user closes the browser, all
requests to the same server contain an ID in the cookie which the container
uses to retrieve the session info for the client.

Now if I could only figure out how to send the cookie...

Wes

-----Original Message-----
From: Douglas Bitting [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 10:03 AM
To: '[EMAIL PROTECTED]'; 'Wes Hinkle'
Subject: RE: Enabling HTTP Cookies (was J2EE Container Manages Security)


Hmmm... I think your hypothesis is incorrect.  Presumably, this is what your
setup looks like:

             http                 http
HTTP Client ------> Servlet/J2EE ------> Web Service

If this is the case, then the session between the HTTP Client and the
Servlet/J2EE node is authenticated.  However, the connection between
Servlet/J2EE and the Web Service is an entirely different connection and
needs its own authentication/authorization step.  That is, the security
context does not propagate since it is an entirely different HTTP
connection.

Cheers,
--Doug

-----Original Message-----
From:
Sent: Wednesday, June 26, 2002 9:51 AM
To: '[EMAIL PROTECTED]'
Subject: Enabling HTTP Cookies (was J2EE Container Manages Security)


Thanks for your response. Since I'm using J2EE container managed security
and I'm calling the web service from the context of a resource the user has
already authenticated to, all I need to do (hypothetically) is enable
cookies for the axis call. The container should pick up the session ID and
authenticate the user for me.

The problem I'm having now is getting Axis to send the cookies. Can this be
done without a custom handler? Calling setMaintainSession(true) on the Call
does not seem to be working.

Wes


-----Original Message-----
From: Douglas Bitting [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 25, 2002 11:55 AM
To: '[EMAIL PROTECTED]'; 'Wes Hinkle'
Subject: RE: J2EE Container Manages Security


Without getting into too much detail, this isn't difficult to do.

+) Put a handler in the requestFlow of your service.  For example,

<service ...>
  ...
  <requestFlow>
    <handler type="java:your.handler.class.here"/>
  </requestFlow>
</service>

+) Your handler class should extend BasicHandler and implement
invoke(MessageContext msgContext).

+) You can pick up the username/password from the message context.  If you
are using HTTP BASIC authentication, the protocol requestFlow handler
HTTPAuthHandler should have populated msgContext.getUsername() and
msgContext.getPassword().  If you're using some other method to pass
username/password, this step is left up to you to figure out... :-)

+) Use weblogic.servlet.security.ServletAuthentication.weak(username,
password, session) to authenticate.

This works for me on WL 6.1...
--Doug
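
As an added illustration of the four steps Doug lists (example code, not from the thread, from Axis or from WebLogic): a handler, here named ContainerAuthHandler, that plugs into the requestFlow shown above. It assumes the Axis HTTP transport, so the servlet request is reachable from the MessageContext, and HTTP BASIC credentials already populated by HTTPAuthHandler; the WebLogic call and result constants are the documented ServletAuthentication API.

```java
// Added example: re-authenticate every SOAP request against WebLogic
// container security so the EJB sees the real caller, not 'guest'.
// Class name and fault codes are my choice, not part of Axis or WebLogic.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;

import weblogic.servlet.security.ServletAuthentication;

public class ContainerAuthHandler extends BasicHandler {

    public void invoke(MessageContext msgContext) throws AxisFault {
        // Populated by HTTPAuthHandler when the client sent HTTP BASIC credentials.
        String username = msgContext.getUsername();
        String password = msgContext.getPassword();
        if (username == null || password == null) {
            // Fail closed: without credentials the EJB must not be reached.
            throw new AxisFault("Client.Authentication",
                    "HTTP BASIC credentials are required", null, null);
        }

        // The HTTP transport exposes the servlet request as a context property.
        HttpServletRequest request = (HttpServletRequest)
                msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (request == null) {
            throw new AxisFault("Server.Transport",
                    "This handler requires the Axis HTTP transport", null, null);
        }

        // weak() checks the credentials against the WebLogic realm and, on
        // success, binds the authenticated user to this HTTP session, which is
        // the security context later propagated to the EJB call.
        HttpSession session = request.getSession(true);
        int result = ServletAuthentication.weak(username, password, session);
        if (result != ServletAuthentication.AUTHENTICATED) {
            // One generic fault for unknown user and wrong password alike,
            // so the response does not reveal which part was wrong.
            throw new AxisFault("Client.Authentication",
                    "Authentication failed", null, null);
        }
    }
}
```

Because each SOAP request arrives on its own HTTP connection, this handler runs on every call; nothing is carried over from the browser session that authenticated to the web tier.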

-----Original Message-----
From: Wes Hinkle [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 25, 2002 11:44 AM
To: '[EMAIL PROTECTED]'
Subject: J2EE Container Manages Security


Has anyone had any experience integrating Axis services with WebLogic
container managed security?
I have a web service that is called from an applet in the context of a Web
application. The user is authenticated by the Web tier. The service calls an
EJB and must return data based on the caller principal. getCallerPrincipal()
always returns 'guest'.
- I've tried configuring the web service to pass the sessionId with the
request by calling setMaintainSession(true) on the Call object and
configuring the scope of the service to 'Session'
- I've also tried putting a security constraint in Web.xml allowing the role
everyone access to the url pattern services/* (this broke connectivity to
the service)

Any suggestions would be greatly appreciated.

Wes
