Return-Path: Delivered-To: apmail-ws-axis-user-archive@www.apache.org Received: (qmail 2781 invoked from network); 4 Dec 2003 13:08:53 -0000 Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12) by minotaur-2.apache.org with SMTP; 4 Dec 2003 13:08:53 -0000 Received: (qmail 99774 invoked by uid 500); 4 Dec 2003 13:08:40 -0000 Delivered-To: apmail-ws-axis-user-archive@ws.apache.org Received: (qmail 99764 invoked by uid 500); 4 Dec 2003 13:08:40 -0000 Mailing-List: contact axis-user-help@ws.apache.org; run by ezmlm Precedence: bulk Reply-To: axis-user@ws.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list axis-user@ws.apache.org Received: (qmail 99753 invoked from network); 4 Dec 2003 13:08:40 -0000 From: "Tony Vieitez" To: Subject: RE: Authentication - Could anyone help me plzzzzzzz Date: Thu, 4 Dec 2003 13:08:35 -0000 Message-ID: <002301c3ba67$ba8a4ed0$b50aa8c0@SITRA14> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0024_01C3BA67.BA8A4ED0" In-Reply-To: <1070542763.4984.64.camel@HarryWS1.ksg.co.at> X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N This is a multi-part message in MIME format. ------=_NextPart_000_0024_01C3BA67.BA8A4ED0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit OK, so if you have a container managed username and password protected web service, and the client classes are generated from the wsdl, if the person implementing the client code knows the usernmame and password, what would be the code for implementing access to the web service? Also, if anyone knows any articles on axis authentication/security, I would appreciate info on this Thanks Tony -----Original Message----- From: Harald Pollak [mailto:h.pollak@pke.at] Sent: 04 December 2003 12:59 To: axis-user@ws.apache.org Subject: Re: Authentication - Could anyone help me plzzzzzzz as i have understood: The handler is a thing befor the WS ( not part of it ) and the WSDL describe the WS - so elements only used in handler shouldn't and couldn't be described in Webservice, so you can only tell your opposit what to do in document the webservice in hardware ways ( email, letters, tell him ... ). best regards Harry Am Don, den 04.12.2003 schrieb Yogesh Pant um 13:49: Hello ppl, I have got a custom authentication handler. It authenticates the incoming message very well. My problem is that the generated wsdl has no mention of header elements at all. HOW DO I ACHIEVE THIS? Do I need to configure the deployment descriptor a little bit more? Please help. Thanks in advance. regards, - yogesh Sunil Iyengar wrote: Hi Tony, If you wanted to use application level security, maybe try using ws-security (encryption and signatures) using handlers in axis. You will find quite a few links on this in the axis mailing list. You may have to design the authentication protocol and then implement this using ws-security. Hope this helps :) Cheers Sunny *********************************************************** Sunil Iyengar, Research Fellow, Networks Group, Centre For Communication And Systems Research(CCSR), School of Electronics, Computing & Mathematics, University Of Surrey, Guildford GU2 7XH, Surrey, England, United Kingdom. Office: +44 (0)1483 686008 *********************************************************** On Thu, 4 Dec 2003, Tony Vieitez wrote: > Hi > > I asked a question on this subject recently, but I don't think I asked > it clearly enough, because the answers I got back, although helpful, > didn't quite give me the answer I was after. Now I understand a bit more > about authentication I can (hopefully) formulate my question a bit more > clearly. In fact, I have a number of questions which revolve around the > same subject: > > 1. I have implemented container level authentication, and have given the > client application access to the web service by implementing in this > client the following code: > > call.setUsername("myUsername"); > call.setPassword("myPassword"); > > This works fine. But how do I implement application level security, > instead of just relying on the web container to authenticate the calling > client? > > 2. As stated above, I have implemented container level authentication > for the whole of the axis web app, and now I want to use the Axis > Servlet to administer the system, I have to provide a username and > password but I get an unauthorised error. Here is what I did: > > At the command prompt I tried: > java org.apache.axis.client.AdminClient -l > http://myserver:8080/axis/servlet/AxisServlet list > > I also tried: > java org.apache.axis.client.AdminClient -l > http://myserver:8080/axis/servlet/AxisServlet -u myUsername -p > myPassword list > > and I got this: > Exception (401)Unauthorised > > As stated, this is container level security, which I would like to know > how to implement. I would also like to know how to implement application > level security, that is how to implement security that is part of axis > and not just rely on the security features that comes with tomcat > > Any insight into any of these issues would be most gratefully received > > Tony > > _____ Do you Yahoo!? Free Pop-Up Blocker - Get it now ------=_NextPart_000_0024_01C3BA67.BA8A4ED0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

OK, so if you have a container = managed username and password protected web service, and the client classes are generated = from the wsdl, if the person implementing the = client code knows the usernmame and password, what would = be the code for implementing access to the web = service?

 

Also, if anyone knows any articles = on axis authentication/security, I would appreciate info on = this

 

Thanks

 

Tony

 

-----Original = Message-----
From: Harald Pollak [mailto:h.pollak@pke.at]
Sent: 04 December 2003 = 12:59
To: = axis-user@ws.apache.org
Subject: Re: = Authentication - Could anyone help me plzzzzzzz

 

as i have understood:

The handler is a thing befor the WS ( not part of it ) and the WSDL = describe the WS - so elements only used in handler shouldn't and couldn't be = described in Webservice, so you can only tell your opposit what to do in document = the webservice in hardware ways ( email, letters, tell him ... ).

best regards
Harry

Am Don, den 04.12.2003 schrieb Yogesh Pant um 13:49: =

Hello = ppl,
I have got a custom authentication handler. It authenticates the = incoming message very well.
 
My problem is that the generated wsdl has no mention of header elements = at all. HOW DO I ACHIEVE THIS?
 
Do I need to configure the deployment descriptor a little bit more?
 
Please help.
 
Thanks in advance.
 
regards,
- yogesh
 
 
 
 
 
 
Sunil Iyengar <s.iyengar@eim.surrey.ac.uk> wrote: =

Hi Tony,
If you wanted to use application level security, maybe try using
ws-security (encryption and signatures) using handlers in axis. You = will
find quite a few links on
this in the axis mailing list.
You may have to design the authentication protocol and then implement = this
using ws-security.
Hope this helps :)

Cheers
Sunny

***********************************************************
Sunil Iyengar,
Research Fellow, Networks Group,
Centre For Communication And Systems Research(CCSR),
School of Electronics, Computing & Mathematics,
University Of Surrey, Guildford GU2 7XH,
Surrey, England, United Kingdom.
Office: +44 (0)1483 686008
***********************************************************

On Thu, 4 Dec 2003, Tony Vieitez wrote:

> Hi
>
> I asked a question on this subject recently, but I don't think I = asked
> it clearly enough, because the answers I got back, although = helpful,
> didn't quite give me the answer I was after. Now I understand a bit = more
> about authentication I can (hopefully) formulate my question a bit = more
> clearly. In fact, I have a number of questions which revolve around = the
> same subject:
>
> 1. I have implemented container level authentication, and have = given the
> client application access to the web service by implementing in = this
> client the following code:
>
> call.setUsername("myUsername");
> call.setPassword("myPassword");
>
> This works fine. But how do I implement application level = security,
> instead of just relying on the web container to authenticate the = calling
> client?
>
> 2. As stated above, I have implemented container level = authentication
> for the whole of the axis web app, and now I want to use the Axis =
> Servlet to administer the system, I have to provide a username = and
> password but I get an unauthorised error. Here is what I did:
>
> At the command prompt I tried:
> java org.apache.axis.client.AdminClient -l
> http://myserver:8080/axis/servlet/AxisServlet list
>
> I also tried:
> java org.apache.axis.client.AdminClient -l
> http://myserver:8080/axis/servlet/AxisServlet -u myUsername -p
> myPassword list
>
> and I got this:
> Exception (401)Unauthorised
>
> As stated, this is container level security, which I would like to = know
> how to implement. I would also like to know how to implement = application
> level security, that is how to implement security that is part of = axis
> and not just rely on the security features that comes with = tomcat
>
> Any insight into any of these issues would be most gratefully = received
>
> Tony
>
>

Do you = Yahoo!?
F= ree Pop-Up Blocker - Get it now

------=_NextPart_000_0024_01C3BA67.BA8A4ED0--