Andre - authentication is orthogonal to session management.... You may choose to secure the web service in the same manner as normal web applications.
Axis does have an authentication plug-point that may be used to hook in a specific *application-level* security mechanisms for authorization and authentication. See org.apache.axis.security classes and org.apache.axis.handlers.SimpleAuthenticationHandler. Usage of the authN and authZ handler can be found in /samples/stock and /samples/jaxrpc. More information on securing web services can be found at the Axis website; http://ws.apache.org/axis/java/security.html and on the wiki at http://nagoya.apache.org/wiki/apachewiki.cgi?AxisProjectPages The upcoming O'reilly book on Axis devotes a chapter that dives down into specific Axis security mechanisms (authentication, authorization, encryption, signing) and their use. The material will be posted on TSS soon... /Chris http://cvs.apache.org/~haddadc Co-author of Apache Axis: The Definitive Guide, to be published in 2004 -----Original Message----- From: Andre Charbonneau [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 12, 2003 4:06 PM To: [EMAIL PROTECTED] Subject: Re: Services sharing same session Hi, Can this technique be used to go from a form-based authenticated servlet to a basic-auth protected web service? For example, if a servlet that is protected by form-based auth needs to make a web service call that is protected by basic-auth, will this method authenticate the user in the web service call? , or will axis still look for username/password arguments in the request? Thanks. Andre. chris wrote: > Hi Magnus - My upcoming book on Axis to be published by O'Reilly will > cover this topic in depth. > > Basically, you need to capture the Axis session ID from the first > service that you call and pass the ID across all the instantiated > service objects. > > For example, > > void CallServices() { > > // create the service locator object > CqServiceLocator oServiceLocator = new CqServiceLocator(); > > // this will globally set all client calls to maintain session state > // NOTE: SimpleSessionHandler must be present in the flows on both the > // client and server > oServiceLocator.setMaintainSession(true); > > // CALL Service to Initialize Session ID !!! > oServiceLocator.getCq().callMethod(); > > // Grab the service session id > Long oId = getSessionId(oCqServiceLocator); > > TpServiceLocator oTpServiceLocator = new TpServiceLocator(); > > // Link the ticketPurchase session to the concertQuery session !! > setSessionId(oTpServiceLocator,oId); > > // call Tp methods > } > > static public void setSessionId(Service oService, Long oId) { > AxisEngine engine = oService.getEngine(); > engine.setOption(SimpleSessionHandler.SESSION_ID,oId); > } > > static public Long getSessionId(Service oService) { > > AxisEngine engine = oService.getEngine(); > return (Long)engine.getOption(SimpleSessionHandler.SESSION_ID); > } > > > > > /Chris > http://cvs.apache.org/~haddadc > Author of "Apache Axis: The Definitive Guide", to be published by > O'Reilly in 2004. > > > > -----Original Message----- > From: Magnus Sandberg [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 06, 2003 3:47 AM > To: [EMAIL PROTECTED] > Subject: Services sharing same session > > > Hi, > > I have several Services running in the same Webapp. Axis seems to > generate both server and client side OK - but I'd like to share the > Session between the different services. A simple maintainSession() on > the client and a getSession() on the server side doesn't seem to be good > enough. I have also tried a bit using the HTTPSession but I can't get > that to work either. > > So how do I do this? > > Thanks, > > /Magnus > > -- Andre Charbonneau 100 Sussex Drive, Rm 2025 Research Computing Support, IMSB National Research Council Canada Ottawa, ON, Canada K1A 0R6 613-993-3129 Fax: 613-993-3127
