axis-java-dev mailing list archives

From "Doug Davis" <...@us.ibm.com>
Subject RE: cvs commit: xml-axis/java/src/org/apache/axis/security AuthenticatedUser.java SecurityProvider.java
Date Tue, 31 Jul 2001 15:52:45 GMT
Definitely - service level (or even finer - method level) would be the
way to go.  Are there any Web security experts among us?
-Dug


Glen Daniels <gdaniels@macromedia.com> on 07/31/2001 11:14:41 AM

Please respond to axis-dev@xml.apache.org

To:   "'axis-dev@xml.apache.org'" <axis-dev@xml.apache.org>
cc:
Subject:  RE: cvs commit: xml-axis/java/src/org/apache/axis/security
      AuthenticatedUser.java SecurityProvider.java




+1

I just checked these in as a strawman.  I wasn't planning to implement
anything based on these until a) post-alpha, and b) some discussion had
occurred.

I agree that integrating with built-in security is the way to go where
possible.  There are some interesting questions about how security domains
are mapped to resources, i.e. whether we want to lock security to the
servlet level, say, and then have one servlet per service....  I think we
probably want some kind of generic system to handle per-web-service (or even
per-method) security even when the transport (i.e. SMTP) and the backend
(simple java class) don't support it.

I'll pull these interfaces until further discussion ensues.  Let's focus on
getting the alpha out.

--G

> -----Original Message-----
> From: Doug Davis [mailto:dug@us.ibm.com]
> Sent: Tuesday, July 31, 2001 10:35 AM
> To: axis-dev@xml.apache.org
> Subject: Re: cvs commit: xml-axis/java/src/org/apache/axis/security
> AuthenticatedUser.java SecurityProvider.java
>
>
> I think this might warrant some kind of design discussion
> (on the mailing list) before we go too far.  When people think
> about Web resources (servlets, JSPs...) each one does not
> define its own way of doing security/authentication.  They tend
> to use the built-in functions of the Application Server they
> are running in (either directly or implicitly thru configuration).
> Perhaps it would make more sense to look at Web services in the
> same way and see if we could leverage the same mechanisms that
> are already used/tested/proven.  Maybe a more knowledgeable J2EE
> person could give some input on this?
> -Dug
>
>
> gdaniels@apache.org on 07/31/2001 08:39:06 AM
>
> Please respond to axis-dev@xml.apache.org
>
> To:   xml-axis-cvs@apache.org
> cc:
> Subject:  cvs commit: xml-axis/java/src/org/apache/axis/security
>       AuthenticatedUser.java SecurityProvider.java
>
>
>
> gdaniels    01/07/31 05:39:06
>
>   Added:       java/src/org/apache/axis/security
> AuthenticatedUser.java
>                         SecurityProvider.java
>   Log:
>   Check in first versions of security interfaces - no
> implementations yet.
>
>   Revision  Changes    Path
>   1.1
> xml-axis/java/src/org/apache/axis/security/AuthenticatedUser.java
>
>   Index: AuthenticatedUser.java
>   ===================================================================
>   /*
>    * The Apache Software License, Version 1.1
>    *
>    *
>    * Copyright (c) 2001 The Apache Software Foundation.  All rights
>    * reserved.
>    *
>    * Redistribution and use in source and binary forms, with
> or without
>    * modification, are permitted provided that the following
> conditions
>    * are met:
>    *
>    * 1. Redistributions of source code must retain the above copyright
>    *    notice, this list of conditions and the following disclaimer.
>    *
>    * 2. Redistributions in binary form must reproduce the
> above copyright
>    *    notice, this list of conditions and the following
> disclaimer in
>    *    the documentation and/or other materials provided with the
>    *    distribution.
>    *
>    * 3. The end-user documentation included with the redistribution,
>    *    if any, must include the following acknowledgment:
>    *       "This product includes software developed by the
>    *    Apache Software Foundation (http://www.apache.org/)."
>    *    Alternately, this acknowledgment may appear in the
> software itself,
>    *    if and wherever such third-party acknowledgments
> normally appear.
>    *
>    * 4. The names "Axis" and "Apache Software Foundation" must
>    *    not be used to endorse or promote products derived from this
>    *    software without prior written permission. For written
>    *    permission, please contact apache@apache.org.
>    *
>    * 5. Products derived from this software may not be called
> "Apache",
>    *    nor may "Apache" appear in their name, without prior written
>    *    permission of the Apache Software Foundation.
>    *
>    * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
>    * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>    * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
>    * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
>    * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>    * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>    * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
>    * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
> CAUSED AND
>    * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> LIABILITY,
>    * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
> ANY WAY OUT
>    * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> POSSIBILITY OF
>    * SUCH DAMAGE.
>    *
> ====================================================================
>    *
>    * This software consists of voluntary contributions made by many
>    * individuals on behalf of the Apache Software Foundation.
>  For more
>    * information on the Apache Software Foundation, please see
>    * <http://www.apache.org/>.
>    */
>
>   package org.apache.axis.security;
>
>   /** A small (mostly marker) interface for wrapping provider-specific
>    * user classes.
>    *
>    * @author Glen Daniels (gdaniels@macromedia.com)
>    */
>   public interface AuthenticatedUser
>   {
>       /** Return a string representation of the user's name.
>        *
>        * @return the user's name as a String.
>        */
>       public String getName();
>   }
>
>
>
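Review bot: getName() in AuthenticatedUser is the only thing a caller can ask of a user, and its Javadoc does not say whether the returned name is unique or scoped to a single provider. Since userMatches in SecurityProvider compares a user against a principal string, that contract should be stated here. Consider extending java.security.Principal, which already declares getName(), rather than introducing a parallel marker type.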
>   1.1
> xml-axis/java/src/org/apache/axis/security/SecurityProvider.java
>
>   Index: SecurityProvider.java
>   ===================================================================
>   /*
>    * The Apache Software License, Version 1.1
>    *
>    *
>    * Copyright (c) 2001 The Apache Software Foundation.  All rights
>    * reserved.
>    *
>    * Redistribution and use in source and binary forms, with
> or without
>    * modification, are permitted provided that the following
> conditions
>    * are met:
>    *
>    * 1. Redistributions of source code must retain the above copyright
>    *    notice, this list of conditions and the following disclaimer.
>    *
>    * 2. Redistributions in binary form must reproduce the
> above copyright
>    *    notice, this list of conditions and the following
> disclaimer in
>    *    the documentation and/or other materials provided with the
>    *    distribution.
>    *
>    * 3. The end-user documentation included with the redistribution,
>    *    if any, must include the following acknowledgment:
>    *       "This product includes software developed by the
>    *    Apache Software Foundation (http://www.apache.org/)."
>    *    Alternately, this acknowledgment may appear in the
> software itself,
>    *    if and wherever such third-party acknowledgments
> normally appear.
>    *
>    * 4. The names "Axis" and "Apache Software Foundation" must
>    *    not be used to endorse or promote products derived from this
>    *    software without prior written permission. For written
>    *    permission, please contact apache@apache.org.
>    *
>    * 5. Products derived from this software may not be called
> "Apache",
>    *    nor may "Apache" appear in their name, without prior written
>    *    permission of the Apache Software Foundation.
>    *
>    * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
>    * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>    * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
>    * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
>    * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>    * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>    * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
>    * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
> CAUSED AND
>    * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> LIABILITY,
>    * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
> ANY WAY OUT
>    * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> POSSIBILITY OF
>    * SUCH DAMAGE.
>    *
> ====================================================================
>    *
>    * This software consists of voluntary contributions made by many
>    * individuals on behalf of the Apache Software Foundation.
>  For more
>    * information on the Apache Software Foundation, please see
>    * <http://www.apache.org/>.
>    */
>
>   package org.apache.axis.security;
>
>   /** The Axis security provider interface
>    *
>    * As Axis is designed for use in embedded environments, those
>    * environments will often contain their own security databases and
>    * potentially authentication managers.  This interface allows Axis
>    * to obtain authentication information from an opaque source which
>    * will presumably be configured into the engine at startup time.
>    *
>    * @author Glen Daniels (gdaniels@macromedia.com)
>    */
>   public interface SecurityProvider
>   {
>       /** Authenticate a user from a username/password pair.
>        *
>        * @param username the user name to check
>        * @param password the password to check
>        * @return an AuthenticatedUser or null
>        *
>        * NOTE: Since the classes implementing this are going
> to need to
>        * be Axis-aware anyway, we might just pass the MessageContext
>        * here instead, and let the provider authenticate
> against whatever
>        * it wants...?
>        */
>       public AuthenticatedUser authenticate(String username, String
> password);
>
>       /** See if a user matches a principal name.  The name
> might be a user
>        * or a group.
>        *
>        * @return true if the user matches the passed name
>        */
>       public boolean userMatches(AuthenticatedUser user,
> String principal);
>   }
>
>
>
>
>
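Review bot: authenticate in SecurityProvider is documented as returning "an AuthenticatedUser or null", so a rejected credential and a provider failure look identical to the caller, and userMatches does not say what it does when handed that null. Document that userMatches returns false for a null user, add the missing @param tags for user and principal, and consider a checked exception for provider errors so that a backend outage cannot be mistaken for a bad password.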

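The transport-independent per-service/per-method check discussed in this thread, sketched as an added example (not part of the original messages and not Axis code). The two interfaces repeat the signatures from the quoted commit; DemoProvider, ACL, isAllowed, the service and method names and the user data are hypothetical, and Java 9 or later is assumed for Map.of and Set.of.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

public class PerMethodAccessDemo {
    // Signatures repeated from the quoted commit so this file compiles on its own.
    interface AuthenticatedUser { String getName(); }
    interface SecurityProvider {
        AuthenticatedUser authenticate(String username, String password);
        boolean userMatches(AuthenticatedUser user, String principal);
    }

    // Hypothetical in-memory provider; users, passwords and groups are constructed sample data.
    static class DemoProvider implements SecurityProvider {
        private final Map<String, String> passwords = Map.of("alice", "a-pass", "bob", "b-pass");
        private final Map<String, Set<String>> groups =
                Map.of("alice", Set.of("admins"), "bob", Set.<String>of());
        public AuthenticatedUser authenticate(String username, String password) {
            String expected = passwords.get(username);
            if (expected == null || password == null) return null;
            // Constant-time comparison of the two byte arrays.
            boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                               password.getBytes(StandardCharsets.UTF_8));
            return ok ? () -> username : null;
        }
        public boolean userMatches(AuthenticatedUser user, String principal) {
            if (user == null) return false; // a failed authenticate() result matches nothing
            return user.getName().equals(principal)
                    || groups.getOrDefault(user.getName(), Set.of()).contains(principal);
        }
    }
    // Hypothetical ACL keyed by "service#method"; a method that is not listed is denied.
    static final Map<String, Set<String>> ACL = Map.of(
            "StockQuote#getQuote", Set.of("alice", "bob"),
            "StockQuote#setQuote", Set.of("admins"));
    // The check needs only the provider and the target, not the transport or the backend.
    static boolean isAllowed(SecurityProvider p, AuthenticatedUser user, String service, String method) {
        for (String principal : ACL.getOrDefault(service + "#" + method, Set.of()))
            if (p.userMatches(user, principal)) return true;
        return false;
    }

    public static void main(String[] args) {
        SecurityProvider p = new DemoProvider();
        AuthenticatedUser bob = p.authenticate("bob", "b-pass");
        System.out.println("bob getQuote: " + isAllowed(p, bob, "StockQuote", "getQuote"));
        System.out.println("bob setQuote: " + isAllowed(p, bob, "StockQuote", "setQuote"));
        System.out.println("bad password: "
                + isAllowed(p, p.authenticate("bob", "wrong"), "StockQuote", "getQuote"));
    }
}
```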

