Hi all

I'm developing a web service for a client with xFire 1.2.6 on Tomcat 5.5.23 and Java 1.6.0_01. The functionality is now fine and all works great. In true fashion, our project plan was to bolt security on last, after we'd developed everything else... :-)

The app is internal, so we don't want to use WS-Security or anything complex like that. We want to use either HTTP headers or SOAP headers (or even just a method param if ), whichever is easier to implement. We'll be authenticating against the tomcat-users.xml file, so we'll need access to the ServletContext somehow. The only problem is I have no idea how to do this! I've looked at the examples and they either use Handlers or WS-Security, neither of which I want to use (although I probably missed something...).

At the moment my serviceImpl class doesn't know about xFire at all (just JSR181 annotations), but according to this page it looks like I can add an @WebParam parameter to the impl class that xFire will automagically populate from the SOAP header. This looks good, but we would prefer a solution that doesn't require changing the WSDL definition to include auth params. Would adding this param change the WSDL?

The service will have default clients connecting with no details, and privileged clients connecting with user+passwd. I'd prefer to use either an HTTP or a SOAP header for this, so that the functional interface (WSDL) doesn't include any security tokens. Anyone can just connect to get the public data, but to get sensitive stuff they need to authenticate. Does anyone have any recommendations on HTTP headers vs SOAP headers? (Also, some sample code of getting these attrs in the ServiceImpl class would be good!)

This page seems to suggest that the best way to get at the HttpServletRequest object is to call the static method:
"... = XFireServletController.getRequest();"
But is this thread-safe? Does xFire bind the request to a particular thread? E.g. if 15 requests come in with different auth details, am I guaranteed to get the correct request object every time?

Here's a sample of my service.xml:

    <!--JSR181 Annotations config -->
    <service>
        <serviceClass>(edit).service.webservice.ImageService</serviceClass>
        <implementationClass>(edit).service.webservice.ImageServiceImpl</implementationClass>
        <serviceFactory>#jsr181ServiceFactory</serviceFactory>
    </service>


sample of my interface:

//package & imports
@WebService
public interface ImageService {
    //various methods
    @WebMethod
    public ISearchResult[] doSearch(ISearchQuery queryObject) throws Exception;
}


sample of the service impl:

//package & imports
@SuppressWarnings({"ValidExternallyBoundObject"})
@WebService(endpointInterface = "au.gov.environment.imgws.service.service.ImageService")
public class ImageServiceImpl extends AbstractImageSearch implements ImageService {
    private ImageSearchDelegate imageSearchDelegate = null;
    //various methods and instance vars

    @WebMethod
    public ISearchResult[] doSearch(ISearchQuery queryObject) throws Exception{
        if(imageSearchDelegate==null)
            imageSearchDelegate = new ImageSearchDelegate();

        Collection<ImageSearchResult> list =
                ((CollectionVo)imageSearchDelegate.execute(queryObject)).getCollection();
        if(list==null)return new ImageSearchResult[0];
        return (ImageSearchResult[]) list.toArray(new ImageSearchResult[0]);
    }   
    //more methods
}  


Thank you all, cheers!

ps - Dan, if you're listening, you rock!
--

Matthew Kerle
IT Consultant
SRA Information Technology

Canberra
Ground Floor, 40 Brisbane Avenue
BARTON  ACT  2600

Office:    +61 2 6273 6122
Fax:         +61 2 6273 6155
Mobile:  +61404 096 863
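
The header-based scheme and the per-thread request question raised in the post above, as an added example that is not part of the original message and is not XFire code: it parses an HTTP Basic `Authorization` header, keeps anonymous and authenticated callers apart, and binds the header to the handling thread with a ThreadLocal. Assumptions: the names `HeaderAuthDemo`, `AUTH_HEADER`, `authenticate` and the in-memory `USERS` map (a constructed stand-in for tomcat-users.xml) are hypothetical, and Java 8+ is assumed for `java.util.Base64` and lambdas.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.*;
public class HeaderAuthDemo {
    // Constructed credential store standing in for tomcat-users.xml (assumption).
    static final Map<String, String> USERS = new HashMap<>();
    static { for (int i = 0; i < 15; i++) USERS.put("user" + i, "pw" + i); }
    static final ThreadLocal<String> AUTH_HEADER = new ThreadLocal<>(); // one slot per worker thread

    /** Returns the user name, or null when no credentials were sent (anonymous caller). */
    static String authenticate(String header) {
        if (header == null) return null;
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) throw new SecurityException("unsupported scheme");
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { throw new SecurityException("malformed credentials"); }
        int colon = decoded.indexOf(':');
        String user = colon < 0 ? "" : decoded.substring(0, colon);
        String expected = USERS.get(user);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; bad credentials are rejected, never downgraded to anonymous.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given))
            throw new SecurityException("bad credentials");
        return user;
    }

    /** Stand-in for a service method: public data for anyone, sensitive data only after login. */
    static String doSearch(boolean sensitive) {
        String user = authenticate(AUTH_HEADER.get());
        if (sensitive && user == null) throw new SecurityException("authentication required");
        return (user == null ? "anonymous" : user) + (sensitive ? ":sensitive" : ":public");
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(4); // fewer threads than requests
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < 15; i++) {
            String header = "Basic " + Base64.getEncoder().encodeToString(("user" + i + ":pw" + i).getBytes(StandardCharsets.UTF_8));
            results.add(pool.submit(() -> {
                AUTH_HEADER.set(header); // what a servlet filter would do on entry; cleared on exit
                try { return doSearch(true); } finally { AUTH_HEADER.remove(); }
            }));
        }
        for (int i = 0; i < 15; i++) // each of the 15 requests must see its own credentials
            if (!results.get(i).get().equals("user" + i + ":sensitive")) throw new AssertionError("request " + i);
        pool.shutdown();
    }
}
```

Basic credentials are only base64-encoded, so the connection carrying the header needs TLS even on an internal network.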