axis-java-user mailing list archives

From "Keeney, Thomas" <Keen...@SEC.GOV>
Subject RE: ServletSecurityProvider
Date Mon, 03 Feb 2003 15:16:48 GMT
The Authentication and Authorization Handlers apply to the entire service
description, so you'd have to declare two services in your WSDD, one with
security handlers and one without:

<service name="RS3" provider="java:RPC">
  <parameter name="allowedMethods" value="getName"/>
  <parameter name="scope" value="Application"/>
  <parameter name="className" value="com.vpharm.soap.RS3"/>

  <parameter name="allowedRoles" value="rs3"/>
  <requestFlow name="checks">
    <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
    <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
  </requestFlow>
</service>

<service name="RS3A" provider="java:RPC">
  <parameter name="methodName" value="getEmail"/>
  <parameter name="scope" value="Application"/>
  <parameter name="className" value="com.vpharm.soap.RS3"/>
</service>


Of course this will create two instances of your service, but since you have
them defined in Application scope, I'm assuming the implementations do not
need to maintain state between calls.  See the Reference Guide on the Axis
site for more info on the WSDD.

Tom

-----Original Message-----
From: Trevor Daniel Kramer [mailto:tdk98@stout.hampshire.edu]
Sent: Friday, January 31, 2003 8:21 PM
To: 'axis-user@xml.apache.org'
Subject: RE: ServletSecurityProvider


Thanks - That worked great.  One more question.  Is there a way to
specify that only certain methods within a service need to be
authenticated?

For instance given this wsdd:

<service name="RS3" provider="java:RPC">
  <parameter name="methodName" value="*"/>
  <parameter name="scope" value="Application"/>
  <parameter name="className" value="com.vpharm.soap.RS3"/>

  <parameter name="allowedRoles" value="rs3"/>
  <requestFlow name="checks">
    <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
    <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
  </requestFlow>
</service>

Is there a way to specify that the methods getName should use security
but getEmail should not?

Trevor

On Fri, 31 Jan 2003, Keeney, Thomas wrote:

> Trevor,
>
> Here's how you set it up:
>
> 1) In web.xml, add the following init-param for the AxisServlet.  This
> enables the provider by adding it as a MessageContext property:
>         <init-param>
>             <param-name>use-servlet-security</param-name>
>             <param-value>1</param-value>
>         </init-param>
>
> 2) In web.xml set authentication method to BASIC.  (I wanted to use the
> ServletSecurityProvider in my web service, but this is where I had the
> problem.  I had to use FORM authentication, uggh.. If anyone knows how I can
> set up Axis Security with FORM authentication, please let me know.)
>
> 3) In your WSDD (see below), add the Authentication and Authorization
> Handlers and set up the roles that are authorized for your web service.
> Note that the SimpleAuthenticationHandler looks for a SecurityProvider in
> the MessageContext (which you added in Step 1).  If it doesn't find it, it
> falls back to the SimpleSecurityProvider that authenticates against the
> users.lst file.
>   <service name="urn:xmltoday-delayed-quotes" provider="java:RPC">
>     <parameter name="className" value="samples.stock.StockQuoteService"/>
>     <parameter name="wsdlServicePort" value="GetQuote"/>
>     <parameter name="allowedMethods" value="*"/>
>     <parameter name="allowedRoles" value="admin"/>
>     <requestFlow name="checks">
>       <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
>       <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
>     </requestFlow>
>   </service>
>
> 4) Pass the username/password in your client code.
>
> If you have any more problems, use tcpmon.  It helped me figure out a lot of
> things in Axis.
>
> Regards,
>
> Tom
>
> -----Original Message-----
> From: Trevor Daniel Kramer [mailto:tdk98@stout.hampshire.edu]
> Sent: Friday, January 31, 2003 10:52 AM
> To: axis-user@xml.apache.org
> Subject: ServletSecurityProvider
>
>
> The javadoc says
>
> A ServletSecurityProvider, combined with the ServletAuthenticatedUser
> class, allows the standard servlet security mechanisms (isUserInRole(),
> etc.) to integrate with Axis' access control mechanism. By utilizing this
> class (which the AxisServlet can be configured to do automatically),
> authentication and role information will come from your servlet engine.
>
> But I can't find any instructions on how to set this up.  I would like to
> use  a jdbc realm setup in tomcat to authenticate users to some soap
> services.
>
> Thanks,
>
> Trevor
>
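
A check for the two-service split described in the reply at the top of this message, as an added example that is not from the thread or the Axis project: because both services point at the same class, the one without handlers must not also list the method the other one protects. The `<deployment>` wrapper, the sample text and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTHN = "java:org.apache.axis.handlers.SimpleAuthenticationHandler"
AUTHZ = "java:org.apache.axis.handlers.SimpleAuthorizationHandler"
# Constructed sample: the two services from the reply inside a <deployment> wrapper.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
<service name="RS3" provider="java:RPC">
  <parameter name="allowedMethods" value="getName"/>
  <parameter name="className" value="com.vpharm.soap.RS3"/>
  <parameter name="allowedRoles" value="rs3"/>
  <requestFlow name="checks">
    <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
    <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
  </requestFlow>
</service>
<service name="RS3A" provider="java:RPC">
  <parameter name="methodName" value="getEmail"/>
  <parameter name="className" value="com.vpharm.soap.RS3"/>
</service>
</deployment>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def audit_wsdd(text):
    """Map each service name to its class, listed methods and handler status."""
    services = {}
    for svc in (e for e in ET.fromstring(text).iter() if _local(e.tag) == "service"):
        params = {p.get("name"): p.get("value", "") for p in svc if _local(p.tag) == "parameter"}
        flow = [h.get("type") for rf in svc if _local(rf.tag) == "requestFlow"
                for h in rf if _local(h.tag) == "handler"]
        # The services on this page use either allowedMethods or methodName; read both.
        methods = params.get("allowedMethods") or params.get("methodName") or ""
        # "protected": both handlers in the requestFlow, authentication first.
        services[svc.get("name")] = {"class": params.get("className"),
            "methods": set(methods.replace(",", " ").split()),
            "protected": AUTHN in flow and AUTHZ in flow and flow.index(AUTHN) < flow.index(AUTHZ)}
    return services

def open_overlap(services):
    """(open service, protected service, methods) where one class lists a method both ways."""
    found = []
    for oname, o in services.items():
        for pname, p in services.items():
            if not o["protected"] and p["protected"] and o["class"] == p["class"]:
                shared = (p["methods"] if "*" in o["methods"] else
                          o["methods"] if "*" in p["methods"] else o["methods"] & p["methods"])
                if shared:
                    found.append((oname, pname, sorted(shared)))
    return found
```

On the sample, `open_overlap(audit_wsdd(SAMPLE_WSDD))` is empty; changing RS3A's method list to `*` makes it report `getName` as reachable through the service without handlers.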
