Thanks - That worked great. One more question. Is there a way to specify that only certain methods within a service need to be authenticated?
For instance given this wsdd:

<service name="RS3" provider="java:RPC">
  <parameter name="methodName" value="*"/>
  <parameter name="scope" value="Application"/>
  <parameter name="className" value="com.vpharm.soap.RS3"/>
  <parameter name="allowedRoles" value="rs3"/>
  <requestFlow name="checks">
    <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
    <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
  </requestFlow>
</service>

Is there a way to specify that the method getName should use security but getEmail should not?

Trevor

On Fri, 31 Jan 2003, Keeney, Thomas wrote:

> Trevor,
>
> Here's how you set it up:
>
> 1) In web.xml, add the following init-param for the AxisServlet. This
> enables the provider by adding it as a MessageContext property:
> <init-param>
>   <param-name>use-servlet-security</param-name>
>   <param-value>1</param-value>
> </init-param>
>
> 2) In web.xml set authentication method to BASIC. (I wanted to use the
> ServletSecurityProvider in my web service, but this is where I had the
> problem. I had to use FORM authentication, uggh.. If anyone knows how I can
> set up Axis Security with FORM authentication, please let me know.)
>
> 3) In your WSDD (see below), add the Authentication and Authorization
> Handlers and set up the roles that are authorized for your web service.
> Note that the SimpleAuthenticationHandler looks for a SecurityProvider in
> the MessageContext (which you added in Step 1). If it doesn't find it, it
> fails back to the SimpleSecurityProvider that authenticates against the
> users.lst file.
> <service name="urn:xmltoday-delayed-quotes" provider="java:RPC">
>   <parameter name="className" value="samples.stock.StockQuoteService"/>
>   <parameter name="wsdlServicePort" value="GetQuote"/>
>   <parameter name="allowedMethods" value="*"/>
>   <parameter name="allowedRoles" value="admin"/>
>   <requestFlow name="checks">
>     <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
>     <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
>   </requestFlow>
> </service>
>
> 4) Pass the username/password in your client code.
>
> If you have any more problems, use tcpmon. It helped me figure out a lot of
> things in Axis.
>
> Regards,
>
> Tom
>
>
> -----Original Message-----
> From: Trevor Daniel Kramer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 31, 2003 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: ServletSecurityProvider
>
>
> The javadoc says
>
> A ServletSecurityProvider, combined with the ServletAuthenticatedUser
> class, allows the standard servlet security mechanisms (isUserInRole(),
> etc.) to integrate with Axis' access control mechanism. By utilizing this
> class (which the AxisServlet can be configured to do automatically),
> authentication and role information will come from your servlet engine.
>
> But I can't find any instructions on how to set this up. I would like to
> use a jdbc realm setup in tomcat to authenticate users to some soap
> services.
>
> Thanks,
>
> Trevor
>
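
Added example, not part of the original thread and not code from either poster or from the Axis project: a client for step 4 of the quoted setup, calling the stock quote service from the quoted WSDD with a username and password. The endpoint URL, the getQuote operation and its signature, the symbol, and the AXIS_USER / AXIS_PASSWORD environment variables are assumptions.

```java
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.rpc.ParameterMode;
import org.apache.axis.AxisFault;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import org.apache.axis.encoding.XMLType;

public class AuthenticatedQuoteClient {
    public static void main(String[] args) throws Exception {
        // Assumed endpoint: adjust host, port and context path to your deployment.
        // BASIC credentials are only base64-encoded on the wire, so use HTTPS.
        URL endpoint = new URL(
            "https://localhost:8443/axis/services/urn:xmltoday-delayed-quotes");

        // Assumed variable names; keeps credentials out of the source file.
        String user = System.getenv("AXIS_USER");
        String password = System.getenv("AXIS_PASSWORD");
        if (user == null || password == null) {
            System.err.println("Set AXIS_USER and AXIS_PASSWORD first");
            System.exit(2);
        }

        Call call = (Call) new Service().createCall();
        call.setTargetEndpointAddress(endpoint);
        // Assumed operation: getQuote(String symbol) returning a float.
        call.setOperationName(
            new QName("urn:xmltoday-delayed-quotes", "getQuote"));
        call.addParameter("symbol", XMLType.XSD_STRING, ParameterMode.IN);
        call.setReturnType(XMLType.XSD_FLOAT);

        // Step 4: the credentials the server-side handlers will check
        // against the role listed in allowedRoles.
        call.setUsername(user);
        call.setPassword(password);

        try {
            Object quote = call.invoke(new Object[] { "XXX" });
            System.out.println("quote = " + quote);
        } catch (AxisFault fault) {
            // Missing or wrong credentials, or a user without the required
            // role, surface here rather than as a return value.
            System.err.println("call rejected: " + fault.getFaultCode()
                + " / " + fault.getFaultString());
            System.exit(1);
        }
    }
}
```

Running it once with valid credentials and once with AXIS_PASSWORD set to a wrong value confirms that the requestFlow handlers are actually being applied to the service.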