The Authentication and Authorization Handlers apply to the entire service description, so you'd have to declare two services in your WSDD, one with security handlers and one without:

  <service name="RS3" provider="java:RPC">
    <parameter name="allowedMethods" value="getName"/>
    <parameter name="scope" value="Application"/>
    <parameter name="className" value="com.vpharm.soap.RS3"/>
    <parameter name="allowedRoles" value="rs3"/>
    <requestFlow name="checks">
      <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
      <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
    </requestFlow>
  </service>

  <service name="RS3A" provider="java:RPC">
    <parameter name="methodName" value="getEmail"/>
    <parameter name="scope" value="Application"/>
    <parameter name="className" value="com.vpharm.soap.RS3"/>
  </service>

Of course this will create two instances of your service, but since you have them defined in Application scope, I'm assuming the implementations do not need to maintain state between calls.

See the Reference Guide on the Axis site for more info on the WSDD.

Tom

-----Original Message-----
From: Trevor Daniel Kramer [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 8:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: ServletSecurityProvider

Thanks - That worked great. One more question. Is there a way to specify that only certain methods within a service need to be authenticated? For instance given this wsdd:

  <service name="RS3" provider="java:RPC">
    <parameter name="methodName" value="*"/>
    <parameter name="scope" value="Application"/>
    <parameter name="className" value="com.vpharm.soap.RS3"/>
    <parameter name="allowedRoles" value="rs3"/>
    <requestFlow name="checks">
      <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
      <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
    </requestFlow>
  </service>

Is there a way to specify that the method getName should use security but getEmail should not?

Trevor

On Fri, 31 Jan 2003, Keeney, Thomas wrote:

> Trevor,
>
> Here's how you set it up:
>
> 1) In web.xml, add the following init-param for the AxisServlet. This
> enables the provider by adding it as a MessageContext property:
>   <init-param>
>     <param-name>use-servlet-security</param-name>
>     <param-value>1</param-value>
>   </init-param>
>
> 2) In web.xml set authentication method to BASIC. (I wanted to use the
> ServletSecurityProvider in my web service, but this is where I had the
> problem. I had to use FORM authentication, uggh.. If anyone knows how I can
> set up Axis Security with FORM authentication, please let me know.)
>
> 3) In your WSDD (see below), add the Authentication and Authorization
> Handlers and set up the roles that are authorized for your web service.
> Note that the SimpleAuthenticationHandler looks for a SecurityProvider in
> the MessageContext (which you added in Step 1). If it doesn't find it, it
> falls back to the SimpleSecurityProvider that authenticates against the
> users.lst file.
>   <service name="urn:xmltoday-delayed-quotes" provider="java:RPC">
>     <parameter name="className" value="samples.stock.StockQuoteService"/>
>     <parameter name="wsdlServicePort" value="GetQuote"/>
>     <parameter name="allowedMethods" value="*"/>
>     <parameter name="allowedRoles" value="admin"/>
>     <requestFlow name="checks">
>       <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
>       <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
>     </requestFlow>
>   </service>
>
> 4) Pass the username/password in your client code.
>
> If you have any more problems, use tcpmon. It helped me figure out a lot of
> things in Axis.
>
> Regards,
>
> Tom
>
> -----Original Message-----
> From: Trevor Daniel Kramer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 31, 2003 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: ServletSecurityProvider
>
> The javadoc says
>
> A ServletSecurityProvider, combined with the ServletAuthenticatedUser
> class, allows the standard servlet security mechanisms (isUserInRole(),
> etc.) to integrate with Axis' access control mechanism. By utilizing this
> class (which the AxisServlet can be configured to do automatically),
> authentication and role information will come from your servlet engine.
>
> But I can't find any instructions on how to set this up. I would like to
> use a jdbc realm setup in tomcat to authenticate users to some soap
> services.
>
> Thanks,
>
> Trevor
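
Added example, not part of the original thread and not Axis project code: a web.xml fragment covering steps 1 and 2 of the quoted procedure, with the container constraint scoped to the secured RS3 endpoint from the reply at the top. It assumes the AxisServlet is mapped at /services/*; the realm name is constructed, and the CONFIDENTIAL transport guarantee is an addition, since BASIC credentials are only base64-encoded on the wire.

```xml
<!-- Added example: web.xml fragment, elements in Servlet 2.3 order. -->
<servlet>
  <servlet-name>AxisServlet</servlet-name>
  <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
  <!-- Step 1: expose the container's authentication to Axis -->
  <init-param>
    <param-name>use-servlet-security</param-name>
    <param-value>1</param-value>
  </init-param>
</servlet>

<!-- Assumption: services are served under /services/* -->
<servlet-mapping>
  <servlet-name>AxisServlet</servlet-name>
  <url-pattern>/services/*</url-pattern>
</servlet-mapping>

<!-- Exact-match pattern: only /services/RS3 is challenged.
     /services/RS3A (the service declared without handlers) is not. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>RS3 secured endpoint</web-resource-name>
    <url-pattern>/services/RS3</url-pattern>
    <!-- no http-method elements: the constraint covers every method -->
  </web-resource-collection>
  <auth-constraint>
    <!-- same role as allowedRoles in the WSDD -->
    <role-name>rs3</role-name>
  </auth-constraint>
  <!-- Addition: force TLS so BASIC credentials are not sent in clear -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Step 2: BASIC authentication; users and roles come from the
     container's realm (for example the Tomcat JDBC realm Trevor mentions) -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Axis services (constructed name)</realm-name>
</login-config>

<security-role>
  <role-name>rs3</role-name>
</security-role>
```

The role is checked twice in this setup: once by the container through auth-constraint and once by the SimpleAuthorizationHandler through allowedRoles, so the two role names must stay in sync.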