Well, I still don't know what this allowedRoles controls ...

Anyway, I got a simple service with basic auth running in Axis, Hurray!
For that, following some documentation I created a .war with axis.jar
and all in it to have my own web app. Works fine. :-)

Now I do call in the service implementation
servletEndpointContext.isUserInRole("my_role") and get false returned.
Hmmm, could it be that in Axis/Tomcat the concept of these "logical"
roles isn't implemented and we have "only" users and groups?

My web.xml contains a link to my_role:
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/services</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>my_role</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>my_role</role-name>
  </security-role>

When I deploy to Sun App server, I have in sun-web.xml
  <security-role-mapping>
    <role-name>my_role</role-name>
    <group-name>my_group1</group-name>
  </security-role-mapping>
to map the logical role (my_role) to a group (my_group1). Then,
isUserInRole("my_role") returns true. In the App Server's admin, I do
set up groups, not roles. In conf/tomcat-users.xml, probably the roles
mean groups. I tried to put there a <group> element, seems to work. But
how (where?) to map the group to a role, as I can do in sun-web.xml?

Could you help me here, how to manage this logical role stuff in
Axis/Tomcat?
Thank you!
   Merten

> -----Original Message-----
> From: Merten Schumann [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, October 06, 2004 6:52 PM
> To: [EMAIL PROTECTED]
> Subject: parameter "alllowedRoles" in deploy.wsdd has no 
> effect, service can be used without authentication?!?
> 
> I want my service to require user authentication by using this
> deploy.wsdd
> 
> <deployment xmlns="http://xml.apache.org/axis/wsdd/"
>    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
> 
>  <service name="HelloService" provider="java:RPC">
>   <parameter name="className" value="my.stuff.HelloServiceServlet"/>
>   <parameter name="allowedMethods" value="*"/>
>   <parameter name="allowedRoles" value="role1"/>
>  </service>
> 
>  <requestFlow name="checks">
>   <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
>   <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
>  </requestFlow>
> 
> </deployment>
> 
> I expected my (JAXRPC, dynamic proxy) web service client to fail when
> invoking a service method - with something like "authentication
> required". But the client still works fine, the web service method gets
> called and returns its result. Hmm, is there anything more to set up to
> get authentication to be used/required? I could use the
> <security-constraint> stuff in web.xml, but for what is this
> "allowedRoles" parameter then? (I'm using Axis 1.2RC1)
> 
> BTW: I got the impression that in Axis you can set with allowedRoles
> users, not roles. Is this true?
> 
> Thank you!
>    Merten
> 
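
An added example, not part of the original posts: in Axis WSDD a request flow runs for a service only when it is nested in that service (or declared for the transport or in globalConfiguration). The same deploy.wsdd with the two handlers moved inside HelloService, reusing the names from the quoted message:

```xml
<!-- Added example: the auth handlers are attached to the service they protect. -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

  <service name="HelloService" provider="java:RPC">
    <parameter name="className" value="my.stuff.HelloServiceServlet"/>
    <parameter name="allowedMethods" value="*"/>
    <!-- Read by SimpleAuthorizationHandler in the flow below. -->
    <parameter name="allowedRoles" value="role1"/>

    <!-- Child of <service>: both handlers run on every request to HelloService.
         Order matters: authenticate first, then authorize. -->
    <requestFlow>
      <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
      <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
    </requestFlow>
  </service>

</deployment>
```

These simple handlers check credentials against Axis's own WEB-INF/users.lst, separately from the container's <security-constraint> in web.xml. A quick check after redeploying is that a call without credentials is rejected with a fault instead of returning a result.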
