Hi,

Now this demo works from the 'ant' build as well. There was a problem with the ordering of the PolicyHandling Interceptor along the invocation chain. It's quite strange how this varies depending on whether it's executed within eclipse or outside. I have put in a fix that works both ways.
- Venkat

On Dec 28, 2007 5:04 PM, Venkata Krishnan <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Continuing with the secure-bigbank demo, I have got the checkings account
> webservice to pass the authenticated principal to the java implementation
> that in turn authorizes the principal. I have made changes to Message,
> MessageImpl and the Axis2 binding for this (r607209). We can evolve or
> change this as we mull over the goods and bads of this ;-).
>
> Here's the story I have assumed...
> - the checkings department has decided to put in authorization where it
> would only allow the owners to access their accounts. Accordingly it has
> come up with an 'access control mechanism' for this authorization.
>
> - to plug in this authorization, the PolicyAdministrator ....
>   - defines a policy handler from which authorization calls can be
>     made out to this 'access control mechanism'
>   - defines an intent and a matching policyset that would be able to
>     affect this particular mechanism for authorization i.e. call out this
>     defined handler.
>
> - the composite assembler marks the CheckingAccountService component's
> implementation as 'requires=ck:authorization'.
>
> Issues / Points to ponder
> ------------------------------------
> 1) Here we expect applications to be defining their own policyhandlers.
> Since policy handlers are defined in a services configuration file, here the
> checkings application contributes to one such file. Though I have been able
> to run the sample in eclipse and mvn, the 'ant' driven one does not work. I
> suspect this is due to some classloader issues related to the loading of the
> services configuration file defined by the application.
>
> 2) Since applications define their policy handlers, I've had to include
> the 'core' as a dependency since these handlers have to work with the
> 'Message' class.
>
> Thoughts / suggestions :) ?
>
> Thanks
>
> - Venkat
>
>
> On Dec 27, 2007 3:37 PM, Venkata Krishnan <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Going further with the Bigbank scenario I have now split up the three
> > different accounts - Savings, Stock and Checkings into individual
> > composites.
> >
> > The checkingAccount service is exposed as a webservice and is enabled
> > for authentication. Now I am trying to incorporate authorization into the
> > checkingsAccount implementation i.e. allow access of account information
> > only to its owners.
> >
> > The authentication of users happens at the wsBinding and the
> > authenticated principal must now be used for authorization by the
> > checkingsAccount java implementation.
> >
> > I spent a bit of time exploring how I could fit JAAS into this
> > scenario and just could not figure out a neat fit. JAAS authorization seems
> > to be good when we are treating things as just java resources. But over
> > here it seems to me that we are doing things at the application layer. So
> > for now I plan to resort to a higher level authorization where I plan
> > to maintain an access control list that will provide a list of which user
> > owns which account.
> >
> > With this, I am figuring out how the authenticated principal could be
> > passed over from the wsBinding to the javaImplementation. Obviously the
> > Message object seems to be the only viable carrier and I am trying some things
> > around that. Will post next on what actually works at the end of all this.
> > Meanwhile, thoughts / suggestions ?
> >
> > Thanks
> >
> > - Venkat
> >
> >
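The owner-based authorization the thread sketches (principal authenticated by the binding, then checked against an account-to-owner access control list in the Java implementation), written out as an added, self-contained example. This is not Tuscany's code and does not use its Message or policy-handler API; CheckingAccountAcl and AuthorizationHandler are hypothetical stand-ins, and the account ids and user names are constructed. It fails closed when no principal was carried on the invocation, which is the situation a mis-ordered interceptor chain would produce.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Constructed example: account id -> set of owning user names.
final class CheckingAccountAcl {
    private final Map<String, Set<String>> owners = new HashMap<String, Set<String>>();

    void addOwner(String accountId, String user) {
        Set<String> s = owners.get(accountId);
        if (s == null) { s = new HashSet<String>(); owners.put(accountId, s); }
        s.add(user);
    }

    boolean isOwner(String accountId, String user) {
        Set<String> s = owners.get(accountId);
        return s != null && s.contains(user);   // unknown account -> not an owner
    }
}

// Hypothetical handler: receives the principal the ws binding authenticated.
final class AuthorizationHandler {
    private final CheckingAccountAcl acl;
    AuthorizationHandler(CheckingAccountAcl acl) { this.acl = acl; }

    /** Throws unless the authenticated principal owns the requested account. */
    void authorize(Principal principal, String accountId) {
        if (principal == null) {
            // No principal on the invocation (not authenticated, or the
            // authorization step ran before authentication): deny.
            throw new SecurityException("no authenticated principal on message");
        }
        if (!acl.isOwner(accountId, principal.getName())) {
            throw new SecurityException(principal.getName() + " does not own " + accountId);
        }
    }

    public static void main(String[] args) {
        CheckingAccountAcl acl = new CheckingAccountAcl();
        acl.addOwner("CHK-1001", "alice");                       // constructed data
        AuthorizationHandler h = new AuthorizationHandler(acl);
        Principal alice = new Principal() { public String getName() { return "alice"; } };
        h.authorize(alice, "CHK-1001");                          // owner: allowed
        try { h.authorize(alice, "CHK-2002"); System.out.println("BUG: allowed"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { h.authorize(null, "CHK-1001"); System.out.println("BUG: allowed"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Compile and run with `javac AuthorizationHandler.java && java AuthorizationHandler`; the two denied cases show why the handler must run after the binding has set the principal.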
