On Jan 7, 2009, at 5:03 AM, Jochen Zink wrote:
Hello,
I want to use Geronimo's security system together with a JAX-WS 2.1
WebService (WAR file).
My vision ;):
- standard security configuration: all URLs like /services/* are
secure
- Using a standard LoginModule (A Geronimo one or a self written for
BinarySecurityTokens)
Is it possible to secure a WebService with the standard
security mechanism or must the application handle the WS-Security
header? If the application has to handle it, is it possible to get
access to a LoginModule and how does this work?
Can I check that you want to send the credentials inside the XML
message? At the moment we don't have any support for that. In the
future it may be possible to handle this with a JASPI authentication
module.
You can get the credentials yourself and log in to a JAAS realm using
org.apache.geronimo.security.ContextManager.login(realmName,
callbackHandler) where realmName is the name of a security realm
you've set up in Geronimo and callbackHandler is a callback handler
you've stuffed the credentials into. This will log in and install the
user in the Geronimo security framework. However, if your code to do
this is in the application (such as a filter or servlet) you can't use
Java EE web security constraints because they will have already been
evaluated by the time control gets to your auth code. You ought to be
able to use Java EE EJB security with the logged-in Subject, although I
haven't tested this for problems I haven't thought of.
Hope this helps. Please supply more details if appropriate. I'm
running into several similar situations recently and more info on what
people would like to be able to do would be great to figure out how to
support this.
thanks
david jencks
Thanks a lot!
Regards
Jochen
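
An added example, not part of the original thread and not Geronimo project code: a callback handler that carries credentials the application has already extracted from the message, passed to the ContextManager.login(realmName, callbackHandler) call named in the reply. The class name TokenCallbackHandler and the helper method are hypothetical; it assumes the Geronimo security classes are on the classpath and that the call throws the standard JAAS LoginException on failure.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import org.apache.geronimo.security.ContextManager;

/** Hypothetical helper: holds credentials the application pulled from the request. */
public final class TokenCallbackHandler implements CallbackHandler {
    private final String user;
    private final char[] secret;

    public TokenCallbackHandler(String user, char[] secret) {
        this.user = user;
        this.secret = secret.clone(); // own copy, so the caller can wipe theirs
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(secret); // PasswordCallback keeps its own clone
            } else {
                // Refuse callbacks we cannot answer instead of silently skipping them.
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Wipes the handler's copy of the secret. */
    public void clear() { Arrays.fill(secret, '\0'); }

    /** realmName must match a security realm already set up in Geronimo. */
    public static boolean login(String realmName, String user, char[] secret) {
        TokenCallbackHandler handler = new TokenCallbackHandler(user, secret);
        try {
            ContextManager.login(realmName, handler); // call named in the reply; return value unused here
            return true;
        } catch (LoginException e) {
            return false; // bad credentials or unknown realm: treat as unauthenticated
        } finally {
            handler.clear(); // do not keep the secret in memory after the attempt
        }
    }
}
```

As the reply notes, calling this from a filter or servlet happens after the container has already evaluated the web security constraints, so it cannot stand in for them.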