Hi Michael, Dims,

I've been wondering why Axis can plug into "container security configuration" by only modifying Axis's property files after I got the mail from Dims. I investigated and finally got the answer...
To enable the role-based security model of the servlet container in Axis, you have to add security-constraint, login-config and security-role elements to web.xml like below.

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/services/MyWebService</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>teacher</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>

It means that if one wants to access any method of /services/MyWebService, one has to pass BASIC auth, so we cannot specify that one method requires a role while another method doesn't (everybody can access it without a role). Thus it violates the intention of JSR-181's @SecurityRoles annotation. In JSR-181, if a class or method is not annotated with @SecurityRoles.rolesAllowed, the class or method can be accessed by anybody (no matter whether he/she has a role).

Actually, there's one more disadvantage of this. To publish a web service which requires the servlet security model with Axis, the web service must be a class file. It means we cannot just drop a jws file.

I guess the better way is that we make our own security model, and the best way is that we provide as many security models as we can and let developers choose. What do you think?

wolfgang.
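As an added illustration of the point made in the message above (this is example code, not Axis's own code and not part of wolfgang's mail), the following stand-alone Java program enforces the per-method semantics that a URL-pattern security-constraint in web.xml cannot express: an operation carrying a rolesAllowed annotation is only invokable by a caller holding one of those roles, while an unannotated operation on the same service stays open. The @SecurityRoles annotation is defined locally as an assumed stand-in for the JSR-181 one, MyWebService and its two operations are constructed sample data, and a Predicate<String> plays the part of the container's HttpServletRequest.isUserInRole. It needs Java 9 or later.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
import java.util.function.Predicate;

public class RoleCheckDemo {

    // Assumed stand-in for JSR-181's @SecurityRoles; only rolesAllowed is modelled here.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface SecurityRoles {
        String[] rolesAllowed() default {};
    }

    // Constructed sample service: one operation restricted to a role, one left open.
    public static class MyWebService {
        @SecurityRoles(rolesAllowed = {"teacher"})
        public String gradeStudent(String name) { return "graded " + name; }

        // No annotation: per JSR-181 anybody may call this, role or not.
        public String listCourses() { return "math, physics"; }
    }

    // Decide whether the caller may invoke 'op'. isUserInRole stands in for
    // HttpServletRequest.isUserInRole, which the container answers from its realm.
    static boolean isAllowed(Method op, Predicate<String> isUserInRole) {
        SecurityRoles ann = op.getAnnotation(SecurityRoles.class);
        if (ann == null) {
            // Fall back to a class-level annotation covering every operation.
            ann = op.getDeclaringClass().getAnnotation(SecurityRoles.class);
        }
        if (ann == null || ann.rolesAllowed().length == 0) {
            return true; // unannotated: open to everybody
        }
        return Arrays.stream(ann.rolesAllowed()).anyMatch(isUserInRole);
    }

    // Look up a public operation by name and arity, enforce the role check, then invoke it.
    static Object invoke(Object service, String opName, Predicate<String> isUserInRole,
                         Object... args) throws Exception {
        for (Method m : service.getClass().getMethods()) {
            if (m.getName().equals(opName) && m.getParameterCount() == args.length) {
                if (!isAllowed(m, isUserInRole)) {
                    throw new SecurityException("operation " + opName
                            + " requires a role the caller does not hold");
                }
                return m.invoke(service, args);
            }
        }
        throw new NoSuchMethodException(opName);
    }

    public static void main(String[] a) throws Exception {
        MyWebService svc = new MyWebService();
        Predicate<String> anonymous = role -> false;              // caller with no roles
        Predicate<String> teacher = Set.of("teacher")::contains;  // constructed principal

        System.out.println(invoke(svc, "listCourses", anonymous));          // allowed: unannotated
        System.out.println(invoke(svc, "gradeStudent", teacher, "alice"));  // allowed: holds role
        try {
            invoke(svc, "gradeStudent", anonymous, "alice");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());                // denied: no role
        }
    }
}
```

The contrast with web.xml is that a security-constraint is matched on the url-pattern before the request reaches the service, so every operation behind /services/MyWebService gets the same treatment; the check above runs after dispatch, when the target method (and its annotation) is known, which is what the JSR-181 semantics require.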
