Date: 2004-12-03T08:36:59
   Editor: FumitadaHattori <[EMAIL PROTECTED]>
   Wiki: Apache Beehive Wiki
   Page: WsmSecurityModel
   URL: http://wiki.apache.org/beehive/WsmSecurityModel

   updated.

Change Log:

------------------------------------------------------------------------------
@@ -1,7 +1,7 @@
 In WSM, there're currently three kinds of security models.
 They're "Servlet container security model", "Axis security model" and "Beehive 
security model".
 
-This page describes thier usages, advantages and disadvantages.
+This page describes their usages, advantages and disadvantages.
 
 We will use Atm.jws ( Automatic Teller Machine ) below to explain each 
security model.
 
@@ -48,8 +48,11 @@
 ---------------------------------------------------------
 
 - admin role can access all methods.
+
 - customer role can access the withdraw, getBalance and showStatus methods.
+
 - engineer role can access the fix and showStatus method.
+
 - No restrictions to access the showStatus method. ( Everybody can access the 
method. )
 
 
@@ -93,8 +96,8 @@
 The disadvantage of this model is that one must have any one of roles listed 
in auth-constraint element, 
 even when accessing a non-restricted method.
 For example, the showStatus() method of Atm.jws is not restricted because of 
absence of @SecurityRoles
-annotation, but one must have the admin, customer or engineer role to access 
the method.
-This is because the servlet container denies the user to access the Atm.jws 
without roles before the user reaches the 
+annotation, but one must have at least one of admin, customer or engineer role 
to access the method.
+This happens because the servlet container denies the user to access the 
Atm.jws without roles before the user reaches the 
 web service.
 
 
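Review bot: The reworded sentence "the servlet container denies the user to access the Atm.jws without roles" is still ambiguous about who lacks the roles and remains ungrammatical. Suggest something like "the servlet container rejects any user who holds none of the listed roles before the request reaches the web service", and "at least one of the admin, customer or engineer roles" in the line above it.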
@@ -113,28 +116,37 @@
 
 == Beehive security model ==
 This model is ported from Tomcat memory realm (using tomcat-users.xml file).
-To use this model, you must create a file named beehive-users.xml and place it 
in 
+To use this model, you must create a file named beehive-role.xml and place it 
in 
 WEB-INF directory of your web service application.
 
-NOTE: The format of beehive-users.xml is almost same as tomcat's 
tomcat-users.xml file.
-The only difference is that the name of the root element of beehive-users.xml 
must be "beehive-users".
-For detail of the file format, please refer to "User File Format" section of 
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#MemoryRealm
-
-Here is the example beehive-users.xml
+Here is the example beehive-role.xml.
 {{{
-<beehive-users>
-  <role rolename="admin"/>
-  <role rolename="customer"/>
-  <role rolename="engineer"/>
-  <user name="michael" password="michael_pass" roles="admin" />
-  <user name="jonathan"  password="jonathan_pass" roles="engineer,customer"  />
-  <user name="dims"   password="dims_pass" roles="engineer" />
-  <user name="wolfgang"  password="wolfgang_pass" roles="customer"  />
-</beehive-users>
+<beehive-role xmlns="http://www.apache.org/beehive/wsm/axis/security/xmlbeans";>
+   <role name="admin">
+      <user>michael</user>
+   </role>
+   <role name="engineer">
+      <user>jonathan</user>
+      <user>dims</user>
+   </role>
+   <role name="customer">
+      <user>jonathan</user>
+      <user>wolfgang</user>
+   </role>
+   <user name="michael" password="1f2dfa567dcf95833eddf7aec167fec7" md5="true" 
/>
+   <user name="jonathan" password="jp" />
+   <user name="dims" password="dp" />
+   <user name="wolfgang" password="wp" />
+</beehive-role>
 }}}
-The disadvantage of this model is that it uses a plain text for password.
-( We will add more features such as MD5 digest of password, 
username/password/role in DB later )
 
+You can use a md5 digest(32bytes HEX) for your password instead a plain text 
with a md5 attribute set "true" in a user tag. Absence of the md5 attribute in 
a user tag is equivalent to md5="false" then your password should be in a plain 
text.
+
+To get a md5 digest of your password, there's a md5sum command in linux box.
+e.x) % md5sum --string="your password"
+
+
+NOTE: The default namespace ( 
xmlns="http://www.apache.org/beehive/wsm/axis/security/xmlbeans"; ) must be 
specified in the root beehive-role tag.
 
 = To set up server-config.wsdd =
 
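Review bot: The new example still stores three of the four passwords in plain text (password="jp", "dp", "wp"), and the added paragraph makes plain text the default when the md5 attribute is absent, while the removed sentence that called plain-text passwords a disadvantage has no replacement. Suggest keeping that caveat, giving every example user md5="true", and stating that the digest is an unsalted MD5, so identical passwords produce identical digests and the file still needs to be protected from read access. Two smaller points in the same paragraph: "32bytes HEX" should read 32 hexadecimal characters, since an MD5 digest is 16 bytes, and the md5sum line should say the digest is computed over the password bytes only, with no trailing newline, so that readers using a different tool get a matching value.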
