I spent a bit more time looking at this - and added a bit more code. I noticed that the Jaxb tree for openejb-jar.xml has some webservice security attributes that we aren't using, but I think Geronimo is. I've added support that does simple username/password authentication using basic http mechanism, and an interceptor to do username/password auth using WS-Security headers.
I've uploaded a patch to http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for anyone's thoughts. It's pretty basic at the moment, but I think it would be nice if this could go into OpenEJB - if others agree, I'd like to open a JIRA and do some more work on it. I've copied this to the dev@ list too in case anyone who might be interested missed it, hope that's ok.

Cheers

Jon

On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <[email protected]> wrote:
> Hi Jean-Louis,
>
> Many thanks for your detailed reply and the link to the article. I'll be having a good look at this over the weekend. I had initially thought just applying basic auth was all there was to it, which is probably a bit naive of me!
>
> I think it would be worthwhile working out whether there's some samples (and maybe some enhancements) we could add to OpenEJB in this regard - I'm sure others would find it useful too.
>
> Cheers,
> Jon
>
> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <[email protected]> wrote:
>
>> Jonathan,
>>
>> Here are some inputs.
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > Obviously I think it would be great if the standalone and embedded servers which use their own HTTP listener could accept credentials via basic authentication, meanwhile Tomcat could do the authentication for us based on however it's been configured (currently it looks like a new StandardContext is created for each webservice, and there is code to set up authentication, but WsService.authMethod was always null when I debugged it, causing no authentication to be applied, and I couldn't see how it could be set otherwise), and the user and role principals could be passed through from Tomcat to the relevant EJB container.
>> >
>> Definitively! (nice to have ;-)).
>> Doing basic authentication (without ws-security) seems to be possible using JAX-WS handlers.
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > To give a bit more background on how this has come about - my colleague at work has been working on some functionality as an EJB, and felt it would be nice to have it available as a webservice - and adding the @WebService annotation to the EJB seemed to be a nice idea, rather than creating a webservice as a separate class that just delegates through to the EJB as you describe -
>> >
>> I was probably not so clear.
>> It seems to me, from an architecture point of view, it's better to use web services as facades. They are personal concerns you know ;-)
>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice) which delegates to other business EJB and it works fine with OpenEJB for simple cases.
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > and we hoped the container would handle the authentication for us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for us, however OpenEJB doesn't at the moment - I don't actually know if this is even supposed to work (or even whether it's part of any of the JEE spec - I'll have to read up!).
>> >
>> I can't help you on this topic (not read this part of the spec).
>> If you have 10 minutes, here is an interesting article
>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > I think I should probably have a look at WS-Security - I'd be very interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're putting one together.
>> >
>> OK, I've done some tests since yesterday morning. But, the way OpenEJB publishes EJB as web services does not allow configuring ws-security.
>>
>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor and a WSS4J OutInterceptor giving them a set of properties. Interceptors can be configured using both a Spring application context or CXF annotations (@InInterceptors @OutInterceptor).
>>
>> At a JAX-WS point of view we only have handlers (soap handlers and logical handlers) so I have to spend some more time to look if we can manage WS-Security using handlers.
>>
>> More coming soon ;-)
>>
>> Kind regards,
>> Jean-Louis
>>
>> --
>> View this message in context: http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>> Sent from the OpenEJB User mailing list archive at Nabble.com.
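The WSS4J in-interceptor "given a set of properties" and attached with the CXF @InInterceptors annotation, as Jean-Louis describes above, worked into an added example (not code from this thread, OpenEJB or CXF). It assumes a CXF-published endpoint that honours the annotation, the WSS4J 1.5/1.6 class names, and a hypothetical package `example` with a constructed in-memory credential store standing in for a real user registry.

```java
package example; // assumed package; all names below are constructed for this example
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.ejb.Stateless;
import javax.jws.WebService;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.interceptor.InInterceptors;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** EJB web service whose requests must carry a valid plaintext UsernameToken. */
@Stateless
@WebService
@InInterceptors(interceptors = "example.HelloBean$UsernameTokenIn")
public class HelloBean {
    public String hello(String name) { return "Hello " + name; }

    /** WSS4J in-interceptor built from the same properties a Spring context would set. */
    public static class UsernameTokenIn extends WSS4JInInterceptor {
        public UsernameTokenIn() { super(properties()); }
        private static Map<String, Object> properties() {
            Map<String, Object> p = new HashMap<String, Object>();
            p.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
            p.put(WSHandlerConstants.PASSWORD_TYPE, "PasswordText");
            p.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCheck.class.getName());
            return p;
        }
    }

    /** Validates the token's username/password against a constructed in-memory store. */
    public static class PasswordCheck implements CallbackHandler {
        private static final Map<String, String> USERS = new HashMap<String, String>();
        static { USERS.put("jon", "s3cret"); } // sample credential, not a real account
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String expected = USERS.get(pc.getIdentifier());
                if (expected == null) throw new IOException("unknown user");
                // WSS4J 1.5 passes the received password for the handler to verify;
                // WSS4J 1.6+ passes none and compares the password the handler sets.
                if (pc.getPassword() == null) pc.setPassword(expected);
                else if (!expected.equals(pc.getPassword())) throw new IOException("bad password");
            }
        }
    }
}
```

A request without a UsernameToken, or with a wrong password, is rejected by the interceptor before the EJB method runs; add a matching WSS4JOutInterceptor on the client side to emit the token.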
