axis-java-user mailing list archives

From Douglas Bitting <Douglas.Bitt...@agile.com>
Subject RE: Enabling HTTP Coookies (was J2EE Container Manages Security)
Date Wed, 26 Jun 2002 17:03:22 GMT
Hmmm... I think your hypothesis is incorrect.  Presumably, this is what your setup looks like:

             http                 http
HTTP Client ------> Servlet/J2EE ------> Web Service

If this is the case, then the session between the HTTP Client and the Servlet/J2EE node is
authenticated.  However, the connection between Servlet/J2EE and the Web Service is an
entirely different connection and needs its own authentication/authorization step.  That is,
the security context does not propagate since it is an entirely different HTTP connection.

Cheers,
--Doug

-----Original Message-----
From: 
Sent: Wednesday, June 26, 2002 9:51 AM
To: 'axis-user@xml.apache.org'
Subject: Enabling HTTP Coookies (was J2EE Container Manages Security)


Thanks for your response. Since I'm using J2EE container managed security
and I'm calling the web service from the context of a resource the user has
already authenticated to, all I need to do (hypothetically) is enable
cookies for the axis call. The container should pick up the session ID and
authenticate the user for me.

The problem I'm having now is getting Axis to send the cookies. Can this be
done without a custom handler? Calling setMaintainSession(true) on the Call
does not seem to be working.

Wes


-----Original Message-----
From: Douglas Bitting [mailto:Douglas.Bitting@agile.com]
Sent: Tuesday, June 25, 2002 11:55 AM
To: 'axis-user@xml.apache.org'; 'Wes Hinkle'
Subject: RE: J2EE Container Manages Security


Without getting into too much detail, this isn't difficult to do.

+) Put a handler in the requestFlow of your service.  For example,

<service ...>
  ...
  <requestFlow>
    <handler type="java:your.handler.class.here"/>
  </requestFlow>
</service>

+) Your handler class should extend BasicHandler and implement
invoke(MessageContext msgContext).

+) You can pick up the username/password from the message context.  If you
are using HTTP BASIC authentication, the protocol requestFlow handler
HTTPAuthHandler should have populated msgContext.getUsername() and
msgContext.getPassword().  If you're using some other method to pass
username/password, this step is left up to you to figure out... :-)

+) Use weblogic.servlet.security.ServletAuthentication.weak(username,
password, session) to authenticate.

This works for me on WL 6.1...
--Doug

-----Original Message-----
From: Wes Hinkle [mailto:hinklew@synovation.com]
Sent: Tuesday, June 25, 2002 11:44 AM
To: 'axis-user@xml.apache.org'
Subject: J2EE Container Manages Security


Has anyone had any experience integrating Axis services with WebLogic
container managed security?
I have a web service that is called from an applet in the context of a Web
application. The user is authenticated by the Web tier. The service calls an
EJB and must return data based on the caller principal. getCallerPrincipal()
always returns 'guest'.
- I've tried configuring the web service to pass the sessionId with the
request by calling setMaintainSession(true) on the Call object and
configuring the scope of the service to 'Session'
- I've also tried putting a security constraint in Web.xml allowing the role
everyone access to the url pattern services/* (this broke connectivity to
the service)

Any suggestions would be greatly appreciated.

Wes
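
The handler steps from the 25 June reply, assembled into one class as an added example (not code posted in this thread, and not taken from Axis or WebLogic). The package and class names are hypothetical, and the `HTTPConstants.MC_HTTP_SERVLETREQUEST` property and the `ServletAuthentication.AUTHENTICATED` return code are assumed to be available in the Axis and WebLogic versions in use; the handler rejects the request when credentials are missing or refused.

```java
// Added example; package and class name are hypothetical.
package example.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;

import weblogic.servlet.security.ServletAuthentication;

public class ContainerAuthHandler extends BasicHandler {

    public void invoke(MessageContext msgContext) throws AxisFault {
        // Filled in by the transport-level HTTPAuthHandler when the client
        // sent an HTTP BASIC Authorization header.
        String username = msgContext.getUsername();
        String password = msgContext.getPassword();
        if (username == null || password == null) {
            throw unauthenticated();          // no credentials: reject
        }

        // Assumption: the servlet transport stored the request under this key.
        HttpServletRequest request = (HttpServletRequest)
                msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (request == null) {
            throw unauthenticated();          // not reached through a servlet
        }
        HttpSession session = request.getSession(true);

        // Binds the authenticated user to this session on success.
        int result = ServletAuthentication.weak(username, password, session);
        if (result != ServletAuthentication.AUTHENTICATED) {
            session.invalidate();             // leave no half-initialised session
            throw unauthenticated();
        }
    }

    // One generic fault for every failure, so the response does not reveal
    // whether the username or the password was wrong.
    private static AxisFault unauthenticated() {
        return new AxisFault("Server.Unauthenticated",
                             "Authentication failed", null, null);
    }
}
```

The class is registered through the `<handler type="java:..."/>` element in the service's `requestFlow`, as in the deployment fragment quoted above.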
