axis-java-user mailing list archives

From Ron Reynolds <>
Subject Re: Authenticating users
Date Sat, 19 Nov 2005 20:54:24 GMT
by "Web Services are made out of Session EJBs" you mean you have Session 
EJBs that expose a SOAP-over-HTTP interface?  WSS4J uses 2 handlers, one 
client-side and one server-side (WSDoAllSender (client) and 
WSDoAllReceiver (server)) which plug into the handler chain supported by 
Axis to "intercept" the request on its way to the server.  WSDoAllSender 
adds a WSSecurity header to the SOAP message on send (configured using a 
properties file).  WSDoAllReceiver then processes the incoming message, 
validates whatever it's configured to validate and then passes the 
request on to your handlers/service (or rejects the message if it does 
not validate properly).  to add UsernameTokens to a request and process 
them on the server requires a CallbackHandler on the client side which 
can provide the password for a user.  this is then processed into a 
UsernameToken, included in the SOAP header, and on the server side 
you'll need another CallbackHandler which can provide the password for 
the user (pulled from LDAP) which WSS4J will compare to what's provided 
in the UsernameToken and thus authenticate the message before your 
service (however it's implemented) ever gets called.  it's quite 
transparent for the most part.  it also inserts a few entries in the 
MessageContext so you can later determine what kind of authentication has 
been done.

Michael Rudolf wrote:

> Is there any difference in case the Web Services are made out of 
> Session EJBs? Or does WSS4J work the same way in that case?
> Thanks!
> Michael
>> you may want to look at WSS4J and UsernameTokens.  they're pretty
>> straight-forward as long as your client can support them.  they are part of
>> the WS-Security standard if you want to stick with "endorsed" authentication
>> mechanisms.  then on the server-side you'll typically need a JNDI interface to
>> your LDAP server to authenticate the user on that side.
>> hth.
>> ................ron.
>>> Hi,
>>> is there any tutorial or example for authenticating users of web services
>>> by username and pass over HTTPS? Can anybody explain in more detail how
>>> this works? Is there any alternative to it? I want to query axis web
>>> services from a portal. That uses LDAP for authentication. I would like
>>> to use the same directory for authenticating the users at the web
>>> services that are being queried.
>>> Thanks for any help!
>>> Michael
