Are you using the username token profile?

On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore <[email protected]> wrote:
> I spent a bit more time looking at this - and added a bit more code. I
> noticed that the Jaxb tree for openejb-jar.xml has some webservice security
> attributes that we aren't using, but I think Geronimo is. I've added support
> that does simple username/password authentication using basic http
> mechanism, and an interceptor to do username/password auth using WS-Security
> headers.
>
> I've uploaded a patch to
> http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
> anyone's thoughts. It's pretty basic at the moment, but I think it would be
> nice if this could go into OpenEJB - if others agree, I'd like to open a
> JIRA and do some more work on it.
>
> I've copied this to the dev@ list too in case anyone who might be interested
> missed it, hope that's ok.
>
> Cheers
>
> Jon
>
> On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <[email protected]> wrote:
>
>> Hi Jean-Louis,
>>
>> Many thanks for your detailed reply and the link to the article. I'll be
>> having a good look at this over the weekend. I had initially thought just
>> applying basic auth was all there was to it, which is probably a bit naive
>> of me!
>>
>> I think it would be worthwhile working out whether there are some samples
>> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
>> sure others would find it useful too.
>>
>> Cheers,
>> Jon
>>
>> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <[email protected]> wrote:
>>
>>> Jonathan,
>>>
>>> Here are some inputs.
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > Obviously I think it would be great if the standalone and embedded
>>> > servers which use their own HTTP listener could accept credentials via
>>> > basic authentication, meanwhile Tomcat could do the authentication for
>>> > us based on however it's been configured (currently it looks like a new
>>> > StandardContext is created for each webservice, and there is code to
>>> > set up authentication, but WsService.authMethod was always null when I
>>> > debugged it, causing no authentication to be applied, and I couldn't
>>> > see how it could be set otherwise), and the user and role principals
>>> > could be passed through from Tomcat to the relevant EJB container.
>>> >
>>> Definitely! (nice to have ;-)).
>>> Doing basic authentication (without ws-security) seems to be possible
>>> using JAX-WS handlers.
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > To give a bit more background on how this has come about - my colleague
>>> > at work has been working on some functionality as an EJB, and felt it
>>> > would be nice to have it available as a webservice - and adding the
>>> > @WebService annotation to the EJB seemed to be a nice idea, rather than
>>> > creating a webservice as a separate class that just delegates through
>>> > to the EJB as you describe -
>>> >
>>> I was probably not so clear.
>>> It seems to me, from an architecture point of view, it's better to use web
>>> services as facades. They are personal concerns you know ;-)
>>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>>> which delegates to other business EJB and it works fine with OpenEJB for
>>> simple cases.
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > and we hoped the container would handle the authentication for us. When
>>> > configured correctly, JBoss (4.2.2.GA) does seem to do this for us,
>>> > however OpenEJB doesn't at the moment - I don't actually know if this
>>> > is even supposed to work (or even whether it's part of any of the JEE
>>> > spec - I'll have to read up!).
>>> >
>>> I can't help you on this topic (not read this part of the spec).
>>> If you have 10 minutes, here is an interesting article
>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > I think I should probably have a look at WS-Security - I'd be very
>>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if
>>> > you're putting one together.
>>> >
>>>
>>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>>> publishes EJB as web services does not allow configuring ws-security.
>>>
>>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors
>>> can be configured using either a Spring application context or CXF
>>> annotations (@InInterceptors @OutInterceptor).
>>>
>>> From a JAX-WS point of view we only have handlers (soap handlers and
>>> logical handlers) so I have to spend some more time to look if we can
>>> manage WS-Security using handlers.
>>>
>>> More coming soon ;-)
>>>
>>> Kind regards,
>>> Jean-Louis
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>>> Sent from the OpenEJB User mailing list archive at Nabble.com.
