Hi,
I’m about to build a web app and corresponding web
service to expose some search functionality. The app is to be built in JBoss/Tomcat.
I’ve not yet decided whether the service itself will be a Session EJB or
a simple POJO class, but I think my questions apply to either case. (I’m
actually erring on the side of POJOs for simplicity, and I can’t see a
strong argument for EJBs given the relatively simple and atomic searches that
the WS will carry out).
I’ve built a test service that is a simple POJO, and
generated the relevant WS interfaces for this using Axis. I’ve then
secured this using the PasswordDigest method in WSS4J. I’ve implemented
the code in the service to interrogate the MessageContext and determine the Username/Principal
of the user who was authenticated within the PWCallback handler.
I’m now stuck on the following:
· In order for the PWCallback handler to authenticate the client submitting the WS request, it appears that you must have access to the *plain text* password of the user on the server. In my case, I want to hold the hashed user passwords in a database, so ideally I want the PWCallback to *provide* me with the clear text password, as submitted by the client, so I can hash it and check it against my DB. This seems to be impossible. The only solution I can think of is that we give out the hashed version of the passwords to the clients and tell them to submit that as their password in each request – so that I can fetch the same string from the DB and set it via the setPassword() method in the PWCallback handler. This seems wrong – am I missing something?
· Is there any way to integrate with a JBoss realm, such that authentication is automatically handled in the same way as web page logins, and some kind of context is set up that I can then determine the Principal from? Is this only possible if the service is implemented as an EJB – so the request context is available within the service method?
· As most of our WS requests will come from a small number of clients, it would be good if we could maintain some kind of session – if only for the SSL connection, but ideally for the user session. I know this isn't really WSS4J related, but any thoughts would be hugely appreciated!
Many thanks in advance for any advice,
Steve
