axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ron Reynolds" <...@RonReynolds.com>
Subject Re: Authenticating users
Date Mon, 21 Nov 2005 21:53:04 GMT
the handler for exracting the login name?  that's basically the code i
included below to extract from the incoming message, then create the user
object, hit the LDAP server (through JNDI api) and then store (actually in a
thread-local so even non-Axis code can get the current user).  the rest is to
include it thus in your server-config.wsdd:

  <service name="FreezerWS" provider="java:RPC" style="document" use="literal">
    <!-- WS-Security handlers -->
    <requestFlow>
      <!-- the header that carries the user's login-name -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action"                value="UsernameToken"/>
        <parameter name="actor"                 value="loginName"/>
        <parameter name="passwordCallbackClass" value="ServerSidePWCallback"/>
      </handler>

      <!-- add a handler that populates the session given the user's
login-name -->
      <handler
type="java:com.amgen.seattle.appdev.freezer.webservice.server.WSLoginNameHandler">
        <!-- the actor of the UsernameToken header with the login-name -->
        <parameter name="headerActor" value="loginName"/>
      </handler>
    </requestFlow>

that's about it.

the best documentation on WSS4J (or at least links to it) SHOULD be in the
Wiki ( http://wiki.apache.org/ws/FrontPage/WsFx ) but i'm not certain one
could say that yet...  i keep a short list of good resources i've found here
http://wiki.apache.org/ws/RonReynolds/Wss4jLinks but it's only a handful of
links but it might give you a starting point. :)  search around in the Wiki
and then your next best bet are the 2 wss4j docs and then Google...

..................ron.

> Thx for your help. I figured it out now. Didnt see one section of the
> WSS4J documentation. You can set the EngineConfiguration to use a wsdd
> file inside the program code. As long as this is readable from the
> servlet everythings fine.
> Is there any good tutorial or documentation on developing these Handlers
> like you explained below? I dunno if you mind sharing your Handler
> implementation. It would be interesting to see how you did this.
> Thanks alot!
> Michael
>
>>i haven't tried this.  it certainly must be possible, but right now i haven't
>>the time to figure it out.
>>
>>i would start at MessageContext.getAxisEngine().getGlobalRequest() and search
>>in that area.  the file itself is loaded by
>>org.apache.axis.configuration.EngineConfigurationFactoryDefault.  also i seem
>>to remember someone mentioning that you could access the global request flow
>>and insert a handler into that flow at runtime.  also if you have permissions
>>you can call System.setProperty() from a startup servlet (if you want a
>>possibly much simpler solution that opens up a bunch of possible bugs if
>>another servlet in the same servlet engine tries to connect to a different
>> web
>>service...)
>>
>>sorry i couldn't be of more help. :-/
>>...............ron.
>>
>>
>>
>>
>>>Ok...i dont use the client_deploy.wsdd....is there any way to avoid
>>>using it? I have the client inside a servlet so i cant specify it with
>>>the java -D.... command line.
>>>Thx!
>>>Michael
>>>
>>>
>>>
>>>>do you have this in your client-config.wsdd?
>>>><deployment ...>
>>>> <transport .../>
>>>> <globalConfiguration>
>>>>   <requestFlow>
>>>>     <!-- add the header that carries the user's login-name -->
>>>>     <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>>>>       <parameter name="action" value="UsernameToken"/>
>>>>       <parameter name="actor"  value="loginName"/>
>>>>       <parameter name="passwordCallbackClass" value="PWCallback"/>
>>>>     </handler>
>>>>?
>>>>
>>>>otherwise there won't be any handler in the request flow that knows what to
>>>>do
>>>>with those properties.
>>>>
>>>>hth.
>>>>.............ron.
>>>>
>>>>
>>>>
>>>>
>>>>>Ok, so i got the server working basically (i think) but when calling it
>>>>>i get the following exception at the client:
>>>>>
>>>>>AxisFault
>>>>>faultCode:
>>>>>{http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
>>>>>faultSubcode:
>>>>>faultString: WSDoAllReceiver: Request does not contain required
>>>>>Security header
>>>>>
>>>>>
>>>>>Thats the client code so far:
>>>>>
>>>>>try {
>>>>>         binding = new al.JCT.service.JCTServiceLocator().getJCTSession();
>>>>>         Stub axisPort = (Stub)binding;
>>>>>         axisPort._setProperty(UsernameToken.PASSWORD_TYPE,
>>>>>WSConstants.PASSWORD_DIGEST);
>>>>>         axisPort._setProperty(WSHandlerConstants.USER, "wss4j");
>>>>>         axisPort._setProperty(WSHandlerConstants.PW_CALLBACK_REF, new
>>>>>PWCallback());
>>>>>     }
>>>>>     catch (javax.xml.rpc.ServiceException jre) {
>>>>>         jre.printStackTrace();
>>>>>         return;
>>>>>     }
>>>>>
>>>>>     try {
>>>>>         al.JCT.service.Job[] value = null;
>>>>>         String ids[] = {"1218"};
>>>>>         value = binding.getJobStatus("rudi", "qw", null, ids);
>>>>>         if (value != null) {
>>>>>           for (int i=0; i < value.length; i++) {
>>>>>             System.out.println(value[i].getId() + " - " +
>>>>>value[i].getName() + " - " + value[i].getPe());
>>>>>             System.out.println(value[i].getReservations());
>>>>>             System.out.println(value[i].getOutputPaths()[0].getPath());
>>>>>           }
>>>>>         }
>>>>>         binding.submitJob(null, null, null);
>>>>>     }
>>>>>     catch (java.rmi.RemoteException re) {
>>>>>       re.printStackTrace();
>>>>>       return;
>>>>>     }
>>>>>
>>>>>
>>>>>Any ideas on this one?
>>>>>
>>>>>Thx!
>>>>>Michael
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>you can extract all the security info by looking at the Vector stored
>>>>>>as a property in the MessageContext:
>>>>>>Vector resultHandlers =
>>>>>>(Vector)MessageContext.getCurrentContext().getProperty(WSHandlerConstants.RECV_RESULTS);
>>>>>>
>>>>>>
>>>>>>this vector contains, as far as i can tell, everything you could want
>>>>>>to know.
>>>>>>or you can extract the username from the message itself -
>>>>>>ArrayList actorList = new ArrayList();
>>>>>>actorList.add("actor value for my UsernameToken entry");
>>>>>>Message request = MessageContext.getCurrentContext().getRequestMessage();
>>>>>>SOAPEnvelope envelope = (SOAPEnvelope)request.getSOAPEnvelope();
>>>>>>Vector headers = envelope.getHeadersByActor(actorList);
>>>>>>SOAPHeaderElement header = (SOAPHeaderElement)headers.get(0);
>>>>>>
>>>>>>you can then extract the actual username by walking the DOM tree to
>>>>>>the node which contains the username
>>>>>>MessageElement usernameTokenElement =
>>>>>>header.getChildElement(USERNAME_TOKEN_QNAME);
>>>>>>MessageElement usernameElement =
>>>>>>usernameTokenElement.getChildElement(USERNAME_QNAME);
>>>>>>String username = usernameElement.getValue();
>>>>>>
>>>>>>(you'll also need these)
>>>>>>static final QName USERNAME_TOKEN_QNAME = new
>>>>>>QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
>>>>>>static final QName USERNAME_QNAME = new QName(WSConstants.WSSE_NS,
>>>>>>WSConstants.USERNAME_LN);
>>>>>>
>>>>>>in my app i have a handler which i put in the request chain right
>>>>>>after the WSDoAllReceiver which extracts the username using the above
>>>>>>code, does an LDAP lookup of the user to gather roles, and then
>>>>>>creates an app-specific user object which it stores it as a properly
>>>>>>in the MessageContext where anyone in the handling chain can then
>>>>>>extract it via getProperty().
>>>>>>
>>>>>>hth.
>>>>>>......................ron.
>>>>>>
>>>>>>Michael Rudolf wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Thanks a lot for the detailed description! I think this will work
>>>>>>>fine for me. One more question about this though: Can i read the
>>>>>>>username inside the web service? Or is there any way of getting
>>>>>>>information like the group a user belongs to inside the web service
>>>>>>>to read it there? It sounds like the Service does get any of this
>>>>>>>info since the authentication is completely transparent to the
>>>>>>>service itself.
>>>>>>>Thanks.
>>>>>>>Michael
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>by "Web Services are made out of Session EJBs" you mean you
have
>>>>>>>>Session EJBs that expose a SOAP-over-HTTP interface?  WSS4J
uses 2
>>>>>>>>handlers, one client-side and one server-side (WSDoAllSender
>>>>>>>>(client) and WSDoAllReceiver (server)) which plug into the
handler
>>>>>>>>chain supported by Axis to "intercept" the request on its
way to the
>>>>>>>>server.  WSDoAllSender adds a WSSecurity header to the SOAP
message
>>>>>>>>on send (configured using a properties file).  WSDoAllReceiver
then
>>>>>>>>processes the incoming message, validates whatever it's configured
>>>>>>>>to validate and then passes the request on to your handlers/service
>>>>>>>>(or rejects the message if it does not validate properly).
 to add
>>>>>>>>UsernameTokens to a request and process them on the server
requires
>>>>>>>>a CallbackHandler on the client side which can provide the
password
>>>>>>>>for a user.  this is then processed into a UsernameToken,
included
>>>>>>>>in the SOAP header, and on the server side you'll need another
>>>>>>>>CallbackHandler which can provide the password for the user
(pulled
>>>>>>>>
>>>>>>>>
>>>>>>>>from LDAP) which WSS4J will compare to what's provided in
the
>>>>>>>
>>>>>>>
>>>>>>>>UsernameToken and thus authenicate the message before your
service
>>>>>>>>(however it's implemented) ever gets called.  it's quite transparent
>>>>>>>>for the most part.  it also inserts a few entries in the
>>>>>>>>MessageContext so you can later determine what kind of authenication
>>>>>>>>has been done.
>>>>>>>>
>>>>>>>>hth.
>>>>>>>>.......................ron.
>>>>>>>>Michael Rudolf wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>Is there any difference in case the Web Services are made
out of
>>>>>>>>>Session EJBs? Or does WSS4J work the same way in that
case?
>>>>>>>>>Thanks!
>>>>>>>>>Michael
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>you may want to look at WSS4J and UsernameTokens.
 they're pretty
>>>>>>>>>>straight-forward as long as your client can support
them.  they
>>>>>>>>>>are part of
>>>>>>>>>>the WS-Security standard if you want to stick with
"endorsed"
>>>>>>>>>>authentication
>>>>>>>>>>mechanisms.  then on the server-side you'll typically
need a JNDI
>>>>>>>>>>interface to
>>>>>>>>>>your LDAP server to authenticate the user on that
side.
>>>>>>>>>>
>>>>>>>>>>hth.
>>>>>>>>>>................ron.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>Hi,
>>>>>>>>>>>is there any tutorial or example for authenticating
users of we
>>>>>>>>>>>services
>>>>>>>>>>>by username and pass over HTTPS? Can anybody explain
in more
>>>>>>>>>>>detail how
>>>>>>>>>>>this works? Is there any alternative to it? I
want to query axis web
>>>>>>>>>>>sercvices from a portal. That uses LDAP for authetication.
I
>>>>>>>>>>>would like
>>>>>>>>>>>to use the same directory for authenticating the
users at the web
>>>>>>>>>>>services that are being queried.
>>>>>>>>>>>Thanks for any help!
>>>>>>>>>>>Michael
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>



Mime
View raw message