Sharam,

This approach is interoperable since you are effectively setting this data in the message header. For e.g. a .NET client, use the methods provided by .NET to do the same.

Jai

-----Original Message-----
From: Sharam Fouladgar-Mercer [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: Axis security, when web-app can't use Basic Web Authentication

I like that solution, especially because of the ease of a client supplying credentials (call.setUsername()). But is there an interoperable solution that would work with .NET in a similar manner?

-Sharam

From: THOMAS, JAI [AG-Contractor/1000] [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 11:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Axis security, when web-app can't use Basic Web Authentication

There are a couple of approaches you can take, but here's what I would do.

- Implement an Authentication handler and an Authorization handler extending BasicHandler. These handlers would directly invoke your authentication/authorization methods and validate credentials.
- Set the authenticated user context in the servlet request/context if your business components need it.
- Define these handlers in the wsdd request flow inside your service section, e.g.

    <requestFlow name="UserAuth">
      <handler type="java:my.own.AuthenticationHandler"/>
      <handler type="java:my.own.AuthorizationHandler"/>
    </requestFlow>

- The client should supply credentials in the message header. In the case of Axis clients, it would be something like:

    call.setUsername(uid);
    call.setPassword(pswd);

Hope it helps.

Jai

-----Original Message-----
From: sol myr [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 5:28 AM
To: [EMAIL PROTECTED]
Subject: Axis security, when web-app can't use Basic Web Authentication

Hi,

I'd greatly appreciate advice on the following.

In short: what do you do when a web-service requires clients to login (supplying user + password), *but* the server/web-app can't be configured to use basic web authentication?

We have an Axis web service, which requires login (namely, clients connecting to the web service must supply user + password).

Now, normally this should be handled by the servlet-container (configure "web.xml" to use "Basic Web Authentication", and put Security Constraints on the web-service URL).

*Unfortunately*, we can't take this approach, since our web-application is already using *Form-Based* login (namely: the same web-application that contains our Axis servlet also contains other modules - such as JSP pages - that rely on form-based login).

Any recommendations for this situation? We are considering solutions, such as:

1) A filter to intercept requests to the web-service, and check for user credentials.
2) Passing user + password on applicative level, as additional method parameters (we use HTTPS, so passwords can be transmitted safely).

Does this make sense? Or is there some feature built into Axis that could help?

Thanks very much.
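
A sketch of the authentication handler named in the WSDD snippet above, added here as an example; it is not code from the thread or from the Axis project. It assumes Axis 1.x, and that the transport's request flow has already copied the credentials sent by call.setUsername()/call.setPassword() into the MessageContext (an assumption about the deployment). The AUTH_USER property name, the in-memory user store, the salt and the sample account are constructed for illustration.

```java
package my.own; // package name taken from the WSDD snippet in the thread

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;

public class AuthenticationHandler extends BasicHandler {
    // Hypothetical property name; an authorization handler later in the flow reads it.
    public static final String AUTH_USER = "my.own.authenticatedUser";
    // One constructed salt keeps the example short; a real store keeps one per user.
    private static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    private static final int ITERATIONS = 100_000;
    // Constructed store: user name -> PBKDF2 hash, never the clear-text password.
    private static final Map<String, byte[]> USERS = new ConcurrentHashMap<>();
    static { USERS.put("alice", hash("constructed-password".toCharArray())); }

    static byte[] hash(char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, SALT, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public void invoke(MessageContext msgContext) throws AxisFault {
        String user = msgContext.getUsername();
        String password = msgContext.getPassword();
        byte[] expected = (user == null) ? null : USERS.get(user);
        // Hash even for unknown users so timing does not reveal which names exist.
        byte[] actual = hash(password == null ? new char[0] : password.toCharArray());
        boolean ok = expected != null && password != null
                && MessageDigest.isEqual(expected, actual);
        if (!ok) {
            // Same fault for "no such user" and "wrong password".
            throw new AxisFault("Server.Unauthenticated", "Authentication failed", null, null);
        }
        msgContext.setProperty(AUTH_USER, user);
    }
}
```

Because the password travels with every request, the service endpoint should only be reachable over HTTPS, as the original question already assumes.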