I like that solution, especially because of the ease of a
client supplying credentials (call.setUsername()). But is there an interoperable
solution that would work with .NET in a similar manner?
-Sharam
From: THOMAS, JAI [AG-Contractor/1000] [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 11:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Axis security, when web-app can't use Basic Web Authentication
There
are couple of approaches you can take, but here's what I would
do.
- Implement an Authentication handler and Authorization handler
extending BasicHandler
These handlers would directly invoke your
authentication/authorization methods and validate
credentials.
- Set
authenticated user context in servlet request/context if your business
components need it.
-
Defile these handlers in wsdd request flow inside your service
section.
e.g.
<requestFlow
name="UserAuth">
<handler type="java:my.own.AuthenticationHandler"/>
<handler type="java:my.own.AuthorizationHandler"/>
</requestFlow>
<handler type="java:my.own.AuthenticationHandler"/>
<handler type="java:my.own.AuthorizationHandler"/>
</requestFlow>
- Client should supply credentials in message header. In the case of Axis clients, it would be something like:
call.setUsername(uid);
call.setPassword(pswd);
Hope it
helps.
Jai
-----Original Message-----
From: sol myr [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 5:28 AM
To: [EMAIL PROTECTED]
Subject: Axis security, when web-app can't use Basic Web Authentication
From: sol myr [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 5:28 AM
To: [EMAIL PROTECTED]
Subject: Axis security, when web-app can't use Basic Web Authentication
Hi ,I'd greatly appreciate advice on the following.
In short: what do you do when a web-service requires clients to login (supplying user + password), *but* the server/web-app can't be configured to use basic web authentication ?We have an Axis web service, which requires login (namely, clients connecting to the web service must supply user + password ) .Now, normally this should be handled by the servlet-container (configure "web.xml" to use "Basic Web Authentication", and put Security Constraints on the web-service URL ).*Unfortunately*, we can't take this approach, since our web-application is already using *Form-Based* login (namely: the same web-application that contains our Axis servlet, also contains other modules - such as JSP pages - that rely on form-based login).Any recommendations for this situation ? We are considering solutions, such as:
1) A filter to intercept requests to the web-service, and check for user credentials.
2) Passing user + password on applicative level, as additional method parameters (we use HTTPS, so passwords can be transmitted safely).
Those this make sense ? Or is there some feature build into Axis that could help ?Thanks very much.
Do you Yahoo!?
Meet the all-new My Yahoo! - Try it today!
