axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rudi Verago \[vlain\]" <vl...@libero.it>
Subject Re: WS-security,SAML,XACML and co.
Date Thu, 20 Nov 2003 18:38:03 GMT
I know it but it's over ssl and therefore i use tomcat. 
I try to made up two different authoritation method: one with jaas-tomcat real
and one with ssl+axis basi auth.
Thanks,
Aloha

-> Hi Rudi,
-> 
->   What we have done is implement Axis/JAX-RPC client and server side 
-> handlers.  The client side handler attaches a credential in the HTTP 
-> header ("Authorization" heaer), and the server side handler 
-> authenticates it, and makes the user id available in both the 1) 
-> MessageContext in AuthenticatedUser axis object (I believe) and also in 
-> 2) getRemoteUser() of the servletrequest (using a servletrequest 
-> wrapper).  You can get configure and get parameters into the server side 
-> handler through the server side deployment descriptor (wsdd).  You can 
-> get configuration parameters into your client-side handler by  
-> dynamically registering it with a handlerinfo and Map with params, and 
-> runtime parameters by using _setProperty on the stub object (i think).  
-> The stub properties get propagated to the MessageContext of the client 
-> handler (this is true at least in 1.1, but not in 1.0).
-> 
-> We went this way because it doesn't seem like WSSE is fully cooked (or 
-> at least fully implemented and easy to use).
-> 
-> I also tried using SOAP headers in the envelope themselves (instead of 
-> out of band HTTP headers), but could not retrieve them in the server 
-> side handler for some reason, so I gave up on that.
-> 
-> The whole thing can be thrown over SSL so that should provide your 
-> on-wire safety.
-> 
-> Aaron Hamid
-> CIT/I&D
-> Cornell University
-> 
-> Rudi Verago [vlain] wrote:
-> 
-> >I need user/call authentication in a swing application. 
-> >Beginnig I want to use SAML and SSO but opensaml implementation has no
documentation and samples, then I try 
-> >XACML but nothing; same thing for xml security at Apache: without sample
it's hard. 
-> >Axis auth methods aren't safe. 
-> >Now I try to implement JAAS real on tomcat and ssl connection. 
-> >Is it the "simple" only solution? 
-> >Thanks, 
-> > 
-> >~~~~~~~~~~~~~~~ 
-> >Rudi Verago [vLAiN] 
-> >vlain@libero.it 
-> >~~~~~~~~~~~~~~~ 
-> >
-> >  
-> >
-> 
-> 

~~~~~~~~~~~~~~~
Rudi Verago [vLAiN]
vlain@libero.it
~~~~~~~~~~~~~~~


Mime
View raw message