axis-java-user mailing list archives

From "Pathak, Sanjesh" <Sanjesh.Pat...@ENRON.com>
Subject RE: Axis - HTTPS and SSL
Date Mon, 12 May 2003 18:50:16 GMT
Hi Pankaj,

Your solution about Servlet filter is a good one. Also, now it is clear to me what you
meant by declarations in web.xml and Axis client's inability for automatic redirection.

Thanks for the input.

Sanjesh

-----Original Message-----
From: KUMAR,PANKAJ (HP-Cupertino,ex1) [mailto:pankaj_kumar@hp.com]
Sent: Monday, May 12, 2003 11:24 AM
To: 'axis-user@ws.apache.org'
Subject: RE: Axis - HTTPS and SSL


Hi Sanjesh,

You have a good solution to the problem. In fact, you can get significantly
more information about the client from javax.servlet.HttpServletRequest in
your handler and use that to allow or deny the request.

Another solution is to write a Servlet filter. The servlet filter would
intercept the request much earlier and hence could save processing time.

While going through my previous email, I realized that I was not completely
precise. I wrote:

> Servlet specification allows selective specification of HTTPS connections
> only for certain URLs in web.xml file (element <transport-guarantee>, look at
> Servlet Specification for details). However, this doesn't work with Axis
> client as the basic mechanism is HTTP URL Redirect and Axis client does not
> follow URL redirects.

However, you can still use the web.xml declarations to allow only HTTPS
requests. You will have to use https:// URL in your request. What is not
possible with Axis client is the automatic redirection of an HTTP request to
HTTPS port. Also, if you use https:// URL, you get a not very helpful error
message. Still, this could be the simplest solution.

Hope this helps.

/Pankaj.

> -----Original Message-----
> From: Pathak, Sanjesh [mailto:Sanjesh.Pathak@ENRON.com]
> Sent: Monday, May 12, 2003 9:04 AM
> To: axis-user@ws.apache.org
> Subject: RE: Axis - HTTPS and SSL
> 
> 
> Hi Nicolas and Pankaj,
> 
> After reading this email I got interested in finding a 
> solution. I did some research on how to extract the 
> information about secure communication and found out that 
> javax.servlet.ServletRequest has isSecure() method that 
> returns true or false whether the request came through secure 
> communication (according to javadoc - "Returns a boolean 
> indicating whether this request was made using a secure 
> channel, such as HTTPS").
> 
> Nicolas,
> I have created a handler (see attached files - 
> SecureTransportAcceptHandler.java and 
> SecureTransportAcceptHandler.class). Put the handler class in 
> Axis CLASSPATH (you can drop it in 
> webapps\axis\WEB-INF\classes directory). And add this handler 
> to the request flow of the service definition in Axis' 
> server-config.wsdd file. For example:
> 
>  <service name="SimpleSSLService" provider="java:RPC">
>   <requestFlow>
>    <handler type="java:SecureTransportAcceptHandler"/>
>   </requestFlow>
>   <parameter name="allowedMethods" value="*"/>
>   <parameter name="className" value="simple.ssl.Service"/>
>  </service>
> 
> Re-start the Tomcat server and your service can now be 
> accessed only through HTTPS. I have tested it and it works.
> 
> Pankaj, I would like to hear your comments on this as you have 
> more knowledge in the security area.
> 
> Sanjesh
> 
> -----Original Message-----
> From: KUMAR,PANKAJ (HP-Cupertino,ex1) [mailto:pankaj_kumar@hp.com]
> Sent: Thursday, May 08, 2003 11:03 AM
> To: 'axis-user@ws.apache.org'
> Subject: RE: Axis - HTTPS and SSL
> 
> 
> Hi Nicolas,
> 
> You can comment out HTTP Connector listening at 8080 in server.xml of
> Tomcat. However, this will block all HTTP communication.
> 
> Servlet specification allows selective specification of HTTPS connections
> only for certain URLs in web.xml file (element <transport-guarantee>, look at
> Servlet Specification for details). However, this doesn't work with Axis
> client as the basic mechanism is HTTP URL Redirect and Axis client does not
> follow URL redirects.
> 
> Others are welcome to comment.
> 
> /Pankaj.
> 
> > -----Original Message-----
> > From: Nicolas Johnson [mailto:nicolas.johnson@e-markets.com]
> > Sent: Thursday, May 08, 2003 8:53 AM
> > To: Axis-User
> > Subject: Axis - HTTPS and SSL
> > 
> > 
> > Hi,
> > 
> > I am trying to set up a secure webservice using SSL.  I have configured
> > TOMCAT to use SSL.  However, I am lacking documentation on how to deploy the
> > webservice to ONLY be available on https: on port 8443.  Currently, it is
> > showing up on my secure web service as well as the standard port 8080.  Any
> > thoughts?
> > 
> 
> 
> 
> 
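The servlet filter suggested in the thread, sketched as an added example (not code from any poster, and not the attached SecureTransportAcceptHandler). The class name, the filter name and the /services/* mapping are assumptions; the check itself is the isSecure() call quoted above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: refuses any request that did not arrive over a
 * secure channel, before the Axis servlet parses the SOAP message.
 *
 * Assumed web.xml registration (names and URL pattern are illustrative):
 *   <filter>
 *     <filter-name>RequireSecureTransport</filter-name>
 *     <filter-class>RequireSecureTransportFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>RequireSecureTransport</filter-name>
 *     <url-pattern>/services/*</url-pattern>
 *   </filter-mapping>
 */
public class RequireSecureTransportFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // isSecure() reports on the connection as the container saw it. If TLS
        // is terminated by a proxy in front of Tomcat, the connector must be
        // configured to reflect that, or every request will look insecure.
        if (request.isSecure()) {
            chain.doFilter(request, response);
            return;
        }
        // Reject instead of redirecting: per the thread, the Axis client does
        // not follow redirects, so a redirect would fail anyway.
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "HTTPS is required");
            return;
        }
        throw new ServletException("Request rejected: secure channel required");
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

A plain-HTTP client has already sent its request body in clear text by the time the filter answers, so the filter limits what the server will process rather than what has crossed the wire.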
