Suzy Fynes wrote:
I suppose your axis WS is using org.apache.axis.security.simple.SimpleSecurityProvider as the security provider. That simple provider just look up users in a user.lst file. For a production enviroment of 100s of users I recommend you:
Is there a better way of authenticating a user to access an axis WS other than using the permission list? If there were 100s of users what needs to be done?
Thanks
Suzy
- to use org.apache.axis.security.servlet.ServletSecurityProvider if your servlet container has already the right mechanism to handle that amount of users; for example many servlet containers are able to talk to a LDAP server, a NT domain, a JDBC database, etc. This is the best approach if your J2EE application users are the same than your web services users.
- to create your own security provider, just implementing org.apache.axis.security.SecurityProvider (and also AuthenticatedUser), which for example query a LDAP server, a JDBC database or whatever you want.
It seemd <requestFlow/> is the tag to be used to add the authentication handler, for example:
...
<service name="WebserviceName1" provider="java:RPC">
<parameter name="className" value="HelloWebservice"/>
<parameter name="allowedMethods" value="getHello"/>
<parameter name="allowedRoles" value="user1"/>
<requestFlow name="authorizationFlow">
<handler
type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
<handler
type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
</requestFlow>
...
Hope that helped,
Adrian P.J.
