Christoph,

I'm forwarding you to Jetty-Discuss, where the serious Jetty experts lurk.

I will try to put some time aside for this over the next couple of days, meanwhile they may be able to help you.

Sorry I can't jump on this right now, but I'm very busy,

Jules


  "Jung , Dr. Christoph" <[EMAIL PROTECTED]> wrote:

Hello (Jules!),

For the jboss.net SOAP-integration project, I just figured out the principle of how to combine Jetty & Axis security, at least in the basic authentication case (the others will then follow quite easily, I think).

In general, axis is deployed as a web-application into the web-container; in our case we use Jetty3.1.5. For what I am now trying to reach, I desperately need your help.

As a default, I want to "secure" all exposed (EJB-based) web-services under the context /axis/services (and hence hitting the main AxisServlet) such that they are potentially open to everyone, even to those without authentication (in which case they will have a null security association). If the incoming XML/HTTP-calls use authentication, however, they should be logged in with their corresponding principal in a pre-configurable security domain/realm such that subsequently deserialized EJB calls will occur in the right security context.

My axis-web.xml currently contains:

 <!-- we add a security constraint -->
 <security-constraint>
   <!-- for every exposed service -->
   <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <description>Authenticate every call</description>
        <url-pattern>/services/*</url-pattern>
        <http-method>HEAD</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
   </web-resource-collection>
  
   <!-- we let through every user, authenticated or not. this is to
        refine by specific service descriptors -->

   <auth-constraint>
     <role-name>NONE</role-name>
   </auth-constraint>

   <!-- no user data constraint here, this should be done for the individual services -->
 </security-constraint>

 <!-- we do BASIC authentication for now -->
 <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Axis basic authentication</realm-name>
 </login-config>

the corresponding jboss-web.xml looks like this:

<jboss-web><security-domain>java:/jaas/other</security-domain></jboss-web>

Unfortunately, the Jetty3.1.5 Security Handler (line 291) either does check authentication or it omits authentication completely ... So in the above case, all users, even those that come with authentication data, will not be logged in.

    // Does it fail a role check?
    if (sc.isAuthenticated() &&
        !sc.hasRole(SecurityConstraint.NONE) &&
        !authenticatedInRole(pathInContext,pathParams,request,response,sc.roles()))
        // return as an auth challenge will have been set
        return;

Experimenting with an unauthenticatedPrincipal "nobody" in the loginmodule instead of a NONE-role also did not work, because Jetty then refuses any unauthenticated call having no credential information in the request (SecurityHandler.java):

    private boolean basicAuthenticated(HttpRequest request,
                                       HttpResponse response)
        throws IOException
    {
        String credentials =
            request.getField(HttpFields.__Authorization);
       
        if (credentials!=null )
        {
        ...
        }
       
        Code.debug("Unauthorized in "+_realmName);
        response.setField(HttpFields.__WwwAuthenticate,
                          "basic realm=\""+_realmName+'"');
        response.sendError(HttpResponse.__401_Unauthorized);
        return false;
    }

Is there another way to do it? Is my goal against the spec at all? Does Jetty 4 do it exactly like this? Or do you think there is a small potential to persuade Jetty to insert a reasonable null-credential against the login-module in this case?

Thanks much,
CGJ ("Dr. Schorsch")
Currently spinnin' all-time soul classic: Omar, "Who chooses the seasons"
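To make the interaction between the two Jetty 3.1.5 checks quoted above easier to trace, here is an added illustration that is not Jetty, Axis or jboss.net code: a small Java model of the NONE-role shortcut and the basic-auth challenge, plus the "optional authentication" variant the mail is asking for. The realm contents, user, role name and class/method names are all made up for the example.

```java
import java.util.Map;
import java.util.Set;

// Added model (not Jetty code) of the SecurityHandler decisions quoted in the mail.
public class SecurityHandlerModel {
    enum Outcome { ANONYMOUS_PASS, AUTHENTICATED_PASS, CHALLENGE_401, FORBIDDEN_403 }

    static final String NONE = "NONE";
    // Constructed realm: the Authorization header base64("alice:secret") maps to alice's roles.
    static final Map<String, Set<String>> REALM =
        Map.of("Basic YWxpY2U6c2VjcmV0", Set.of("user"));

    // Jetty 3.1.5 as quoted: if the constraint carries NONE, no authentication is
    // attempted at all, so an Authorization header is ignored and the caller stays
    // anonymous. Otherwise basicAuthenticated() answers 401 whenever credentials
    // are absent or not known to the realm.
    static Outcome jetty315(Set<String> roles, String authorization) {
        if (roles.contains(NONE)) return Outcome.ANONYMOUS_PASS;
        Set<String> granted = authorization == null ? null : REALM.get(authorization);
        if (granted == null) return Outcome.CHALLENGE_401;
        for (String r : roles) if (granted.contains(r)) return Outcome.AUTHENTICATED_PASS;
        return Outcome.FORBIDDEN_403;
    }

    // The behaviour the mail asks for (hypothetical; not what Jetty 3.1.5 does):
    // NONE still admits anonymous callers, but credentials that are present get
    // validated so the request runs under a real principal. Wrong credentials are
    // rejected with a challenge rather than silently downgraded to anonymous.
    static Outcome optionalAuth(Set<String> roles, String authorization) {
        if (authorization != null) {
            return REALM.containsKey(authorization) ? Outcome.AUTHENTICATED_PASS
                                                    : Outcome.CHALLENGE_401;
        }
        return roles.contains(NONE) ? Outcome.ANONYMOUS_PASS : Outcome.CHALLENGE_401;
    }

    public static void main(String[] args) {
        String good = "Basic YWxpY2U6c2VjcmV0";   // alice:secret
        String bad = "Basic Ym9iOndyb25n";        // bob:wrong, unknown to the realm
        Set<String> open = Set.of(NONE), users = Set.of("user");
        System.out.println("Jetty 3.1.5, NONE, valid creds: " + jetty315(open, good));
        System.out.println("Jetty 3.1.5, NONE, no creds   : " + jetty315(open, null));
        System.out.println("Jetty 3.1.5, user, no creds   : " + jetty315(users, null));
        System.out.println("optional,    NONE, valid creds: " + optionalAuth(open, good));
        System.out.println("optional,    NONE, bad creds  : " + optionalAuth(open, bad));
        System.out.println("optional,    NONE, no creds   : " + optionalAuth(open, null));
    }
}
```

The first two lines of output show why a valid Authorization header makes no difference once NONE is in the constraint, and the third shows why dropping NONE locks out anonymous callers entirely.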