Date: 2004-11-01T12:49:04
Editor: FumitadaHattori <[EMAIL PROTECTED]>
Wiki: Apache Beehive Wiki
Page: WsmSecurityModel
URL: http://wiki.apache.org/beehive/WsmSecurityModel
no comment
New Page:
In WSM, there're currently three kinds of security models.
They're "Servlet container security model", "Axis security model" and "Beehive
security model".
This page describes thier usages, advantages and disadvantages.
We will use Atm.jws ( Automatic Teller Machine ) below to explain each security
model.
{{{
// Atm.jws
import javax.jws.Oneway;
import javax.jws.WebMethod;
import javax.jws.WebService;
@WebService
public class Atm {
@WebMethod
@SecurityRoles(rolesAllowed={"admin","customer"})
public int withdraw(int amount)
{
return amount;
}
@WebMethod
@SecurityRoles(rolesAllowed={"admin","customer"})
public int getBalance()
{
return 1000;
}
@WebMethod
@Oneway
@SecurityRoles(rolesAllowed={"admin","engineer"})
public void fix()
{
return;
}
@WebMethod
@Oneway
public void showStatus()
{
return;
}
}
}}}
---------------------------------------------------------
- admin role can access all methods.
- customer role can access the withdraw, getBalance and showStatus methods.
- engineer role can access the fix and showStatus method.
- No restrictions to access the showStatus method. ( Everybody can access the
method. )
To enable any of security models for WSM on Axis, you have to set up two stuff
which are
role information and server-config.wsdd
= To set up role information. =
== Servlet container security model ==
With this model, you can reuse the existing roles of your servlet container.
Assume your web.xml has the following security-role elements.
{{{
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>customer</role-name>
</security-role>
<security-role>
<role-name>engineer</role-name>
</security-role>
}}}
To apply those roles for Atm.jws, you add the following elements in web.xml.
{{{
<security-constraint>
<web-resource-collection>
<url-pattern>/Atm.jws</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>customer</role-name>
<role-name>engineer</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
}}}
The disadvantage of this model is that one must have any one of roles listed in
auth-constraint element,
even when accessing a non-restricted method.
For example, the showStatus() method of Atm.jws is not restricted because of
absence of @SecurityRoles
annotation, but one must have the admin, customer or engineer role to access
the method.
This is because the servlet container denies the user to access the Atm.jws
without roles before the user reaches the
web service.
== Axis security model ==
You can reuse usernames of Axis's users.lst using this model.
NOTE: usernames in users.lst are treated as role names of the @SecurityRoles
annotation.
Here is the example of users.lst
{{{
admin admin_pass
customer customer_pass
engineer engineer_pass
}}}
The disadvantage of this model is that this security model is a user-based
authentication and
uses a plain text for password.
== Beehive security model ==
This model is ported from Tomcat memory realm (using tomcat-users.xml file).
To use this model, you must create a file named beehive-users.xml and place it
in
WEB-INF directory of your web service application.
NOTE: The format of beehive-users.xml is almost same as tomcat's
tomcat-users.xml file.
The only difference is that the name of the root element of beehive-users.xml
must be "beehive-users".
For detail of the file format, please refer to "User File Format" section of
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#MemoryRealm
Here is the example beehive-users.xml
{{{
<beehive-users>
<role rolename="admin"/>
<role rolename="customer"/>
<role rolename="engineer"/>
<user name="michael" password="michael_pass" roles="admin" />
<user name="jonathan" password="jonathan_pass" roles="engineer,customer" />
<user name="dims" password="dims_pass" roles="engineer" />
<user name="wolfgang" password="wolfgang_pass" roles="customer" />
</beehive-users>
}}}
The disadvantage of this model is that it uses a plain text for password.
( We will add more features such as MD5 digest of password,
username/password/role in DB later )
= To set up server-config.wsdd =
Here is the example server-config.wsdd for servlet container security model.
{{{
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/";
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java";>
<globalConfiguration>
<parameter name="adminPassword" value="admin"/>
<parameter name="disablePrettyXML" value="true"/>
<parameter name="attachments.implementation"
value="org.apache.axis.attachments.AttachmentsImpl"/>
<parameter name="sendXsiTypes" value="true"/>
<!--<parameter name="sendMultiRefs" value="true"/>-->
<parameter name="sendXMLDeclaration" value="true"/>
<requestFlow>
<handler
type="java:org.apache.beehive.wsm.axis.AnnotatedWebServiceDeploymentHandler">
<parameter name="scope" value="session"/>
</handler>
<handler
type="java:org.apache.beehive.wsm.axis.DropInDeploymentHandler">
<parameter name="scope" value="session"/>
</handler>
<handler
type="java:org.apache.beehive.wsm.axis.handlers.WsmAuthenticationHandler">
<parameter name="securityModel"
value="org.apache.beehive.wsm.axis.security.model.ServletSecurityModel"/>
</handler>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="session"/>
</handler>
<!--<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="request"/>
<parameter name="extension" value=".jwr"/>
</handler>-->
</requestFlow>
</globalConfiguration>
<handler name="LocalResponder"
type="java:org.apache.axis.transport.local.LocalResponder"/>
<handler name="URLMapper"
type="java:org.apache.axis.handlers.http.URLMapper"/>
<handler name="Authenticate"
type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
<service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService"/>
<parameter name="enableRemoteAdmin" value="false"/>
<parameter name="className" value="org.apache.axis.utils.Admin"/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>
<service name="Version" provider="java:RPC">
<parameter name="allowedMethods" value="getVersion"/>
<parameter name="className" value="org.apache.axis.Version"/>
</service>
<transport name="http">
<requestFlow>
<handler type="URLMapper"/>
<handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
</requestFlow>
<parameter name="qs:list"
value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs:wsdl"
value="org.apache.axis.transport.http.QSWSDLHandler"/>
<parameter name="qs:method"
value="org.apache.axis.transport.http.QSMethodHandler"/>
</transport>
<transport name="local">
<responseFlow>
<handler type="LocalResponder"/>
</responseFlow>
</transport>
</deployment>
}}}
You can find the handler element below in server-config.wsdd above.
This is for servlet security model.
{{{
<handler
type="java:org.apache.beehive.wsm.axis.handlers.WsmAuthenticationHandler">
<parameter name="securityModel"
value="org.apache.beehive.wsm.axis.security.model.ServletSecurityModel"/>
</handler>
}}}
To use Axis security model, please replace the handler above with lines below.
{{{
<handler
type="java:org.apache.beehive.wsm.axis.handlers.WsmAuthenticationHandler">
<parameter name="securityModel"
value="org.apache.beehive.wsm.axis.security.model.AxisSecurityModel"/>
</handler>
}}}
This is for Beehive security model. To use this model, please replace the
handler above with lines below.
{{{
<handler
type="java:org.apache.beehive.wsm.axis.handlers.WsmAuthenticationHandler">
<parameter name="securityModel"
value="org.apache.beehive.wsm.axis.security.model.BeehiveMemorySecurityModel"/>
</handler>
}}}
TBD
