Trevor,

Here's how you set it up:

1) In web.xml, add the following init-param for the AxisServlet.  This
enables the provider by adding it as a MessageContext property:
        <init-param>
            <param-name>use-servlet-security</param-name>
            <param-value>1</param-value>            
        </init-param>

2) In web.xml set authentication method to BASIC.  (I wanted to use the
ServletSecurityProvider in my web service, but this is where I had the
problem.  I had to use FORM authentication, uggh.. If anyone knows how I can
set up Axis Security with FORM authentication, please let me know.)

3) In your WSDD (see below), add the Authentication and Authorization
Handlers and set up the roles that are authorized for your web service.
Note that the SimpleAuthenticationHandler looks for a SecurityProvider in
the MessageContext (which you added in Step 1).  If it doesn't find it, it
falls back to the SimpleSecurityProvider that authenticates against the
users.lst file.
  <service name="urn:xmltoday-delayed-quotes" provider="java:RPC">
    <parameter name="className" value="samples.stock.StockQuoteService"/>
    <parameter name="wsdlServicePort" value="GetQuote"/>
    <parameter name="allowedMethods" value="*"/>
    <parameter name="allowedRoles" value="admin"/>    
    <requestFlow name="checks">
      <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
      <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
    </requestFlow>
  </service>

4) Pass the username/password in your client code.

If you have any more problems, use tcpmon.  It helped me figure out a lot of
things in Axis.

Regards,

Tom





-----Original Message-----
From: Trevor Daniel Kramer [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: ServletSecurityProvider


The javadoc says

A ServletSecurityProvider, combined with the ServletAuthenticatedUser
class, allows the standard servlet security mechanisms (isUserInRole(),
etc.) to integrate with Axis' access control mechanism. By utilizing this
class (which the AxisServlet can be configured to do automatically),
authentication and role information will come from your servlet engine.

But I can't find any instructions on how to set this up.  I would like to
use  a jdbc realm setup in tomcat to authenticate users to some soap
services.

Thanks,

Trevor
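
An added example, not part of the messages above and not taken from the Axis distribution: a web.xml fragment for step 2, so that the servlet engine authenticates the caller with BASIC before the request reaches the Axis handlers. It assumes the AxisServlet is mapped at /services/* and uses a constructed realm name; the admin role is the one listed in allowedRoles in the WSDD.

```xml
<!-- Added example: web.xml fragment for step 2 (Servlet 2.3 element order). -->
<!-- Assumption: the AxisServlet is mapped at /services/*; match your own servlet-mapping. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis services</web-resource-name>
    <url-pattern>/services/*</url-pattern>
    <!-- No http-method elements, so the constraint covers every HTTP method. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Same role name as allowedRoles in the WSDD from step 3. -->
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password base64-encoded on every request, so require TLS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- Constructed realm name; this is only the label shown in the client prompt. -->
  <realm-name>Axis Web Services</realm-name>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

The user store behind this (for example a JDBC realm in Tomcat) is configured in the servlet engine, not in Axis, and the user must hold the admin role there.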
