Mailing-List: contact axis-user-help@xml.apache.org; run by ezmlm
Delivered-To: mailing list axis-user@xml.apache.org
Message-ID: <000901c1f77e$d07f53f0$f386e80c@c1790164a>
From: "Dan Chisholm"
References: <8116937DB3D6EB41AB0EB191AFB811601131B7@cammmsx01.sapient.com>
Subject: Re: Authentication and digital signatures
Date: Thu, 9 May 2002 10:27:37 -0700

Naresh,

Basic Authentication and SSL can be handled directly by your web server. The following are links to the relevant Tomcat How-To.

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html

Of course, Basic Authentication and SSL are just the beginning of web security. If you would like to see some examples of security using Axis, then you might want to check out the book titled "Building Web Services using Java". Some of the authors are working on the Axis project and frequently post here.

If you would like to take a look at the examples, then go to the publisher's web page.

http://www.samspublishing.com/

Type the ISBN number, 0672321815, into the search engine. Click on the book cover and then click on downloads. Make sure that you download both the example.zip file and the install.html file.

Chapter five covers security. Of course, reading the book along with the examples is a really good idea. Although I have not yet finished reading the book, I highly recommend it.

Example one is basic Authentication. Example two sets up the keystores necessary to run SSL in example three. Example four covers digital signatures. However, example four requires you to download the IBM WSTK.

A JSP acts as the client for the examples. The advantage is that it provides a nice GUI.

The examples are written for Tomcat 3.2.4 and run well on that version. However, if you would like to run the examples on Tomcat 4.0.3 or 4.0.4, then you will need to make a few modifications. If you would like some instructions, then just ask and I'll post them for you.

There is a minor bug in Example 1 of Chapter five. You can fix it by just shortening a text string. Open the following file.

    %TOMCAT_HOME%\webapps\bws\ch5\ex1\index.jsp

Example One fails to compile due to the following line of code in the catch clause of a try/catch block.

    invoiceXML = "POSubmission has been failed because of invalid user id or password. Please check <jakarta-tomcat\conf\tomcat-users.xml>. For more detail, please see the installation instruction on the book website.";

The error is due to an illegal escape character in the text string. The easy solution is to shorten the message as shown below.

    invoiceXML = "POSubmission has been failed because of invalid user id or password. ";

The above error message is what you will see if you fail to add the "SkateboardWarehouse" user to the tomcat-users.xml file as described in the installation instructions that come with the examples.

Dan

----- Original Message -----
From: Naresh Bhatia
To: 'axis-user@xml.apache.org'
Sent: Thursday, May 09, 2002 9:31 AM
Subject: Authentication and digital signatures

Could the group clarify the relationship between Authentication and Digital Signatures? Somewhere in the posts I read that Digital Signatures can sign a message but that is not the same as authentication.

1) Why is this distinction made?

2) What I am trying to do is some basic user authentication, perhaps using the Servlet 2.2 security/roles. I understand that Axis supports this. Is there an example of this?

3) How can I get the username and password in the code that implements my web service? I need that to log in to another service.

Thanks
Naresh
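
The container-managed setup discussed in this thread (Basic Authentication with Servlet 2.2 roles, carried over SSL) can be expressed in the web application's deployment descriptor. The fragment below is an added example, not part of the original messages or the book's examples; the URL pattern, the role name "ws-client" and the realm name are assumptions chosen for illustration.

```xml
<!-- Fragment for WEB-INF/web.xml; these elements go inside <web-app>. -->
<!-- Assumed for illustration: /services/*, role "ws-client", realm name. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis services</web-resource-name>
    <!-- No <http-method> listed, so the constraint covers every method,
         including the POST requests that carry SOAP messages. -->
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>

  <!-- Only authenticated users holding this role may call the services. -->
  <auth-constraint>
    <role-name>ws-client</role-name>
  </auth-constraint>

  <!-- Basic Authentication sends the user id and password merely
       base64-encoded. CONFIDENTIAL makes the container refuse to serve
       these URLs over plain HTTP and send the client to the SSL connector. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The container, not the service code, challenges for credentials. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Axis services</realm-name>
</login-config>

<!-- Declare the role referenced by the auth-constraint above. -->
<security-role>
  <role-name>ws-client</role-name>
</security-role>
```

The user and role must also exist in the realm the container is configured with, for example in tomcat-users.xml as described in the Realm How-To linked above.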