axis-java-user mailing list archives

From Ron Reynolds <...@RonReynolds.com>
Subject Re: Authenticating users
Date Mon, 21 Nov 2005 05:36:43 GMT
you can extract all the security info by looking at the Vector stored as 
a property in the MessageContext:
Vector resultHandlers = 
(Vector)MessageContext.getCurrentContext().getProperty(WSHandlerConstants.RECV_RESULTS);

this vector contains, as far as i can tell, everything you could want to 
know. 

or you can extract the username from the message itself -
ArrayList actorList = new ArrayList();
actorList.add("actor value for my UsernameToken entry");   // the actor attribute on the wsse:Security header to read
Message request = MessageContext.getCurrentContext().getRequestMessage();
SOAPEnvelope envelope = (SOAPEnvelope)request.getSOAPEnvelope();
Vector headers = envelope.getHeadersByActor(actorList);    // all header elements addressed to that actor
SOAPHeaderElement header = (SOAPHeaderElement)headers.get(0);   // assumes one match; check headers.isEmpty() first

you can then extract the actual username by walking the DOM tree to the 
node which contains the username
MessageElement usernameTokenElement = header.getChildElement(USERNAME_TOKEN_QNAME);   // wsse:UsernameToken
MessageElement usernameElement = usernameTokenElement.getChildElement(USERNAME_QNAME); // wsse:Username
String username = usernameElement.getValue();   // either getChildElement() returns null if the element is absent

(you'll also need these)
// QName is javax.xml.namespace.QName; WSConstants is org.apache.ws.security.WSConstants
static final QName USERNAME_TOKEN_QNAME = new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
static final QName USERNAME_QNAME = new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_LN);

in my app i have a handler which i put in the request chain right after 
the WSDoAllReceiver which extracts the username using the above code, 
does an LDAP lookup of the user to gather roles, and then creates an 
app-specific user object which it stores as a property in the 
MessageContext where anyone in the handling chain can then extract it 
via getProperty().

hth.
......................ron.

Michael Rudolf wrote:

> Thanks a lot for the detailed description! I think this will work fine 
> for me. One more question about this though: Can i read the username 
> inside the web service? Or is there any way of getting information 
> like the group a user belongs to inside the web service to read it 
> there? It sounds like the Service does get any of this info since the 
> authentication is completely transparent to the service itself.
> Thanks.
> Michael
>
>> by "Web Services are made out of Session EJBs" you mean you have 
>> Session EJBs that expose a SOAP-over-HTTP interface?  WSS4J uses 2 
>> handlers, one client-side and one server-side (WSDoAllSender (client) 
>> and WSDoAllReceiver (server)) which plug into the handler chain 
>> supported by Axis to "intercept" the request on its way to the 
>> server.  WSDoAllSender adds a WSSecurity header to the SOAP message 
>> on send (configured using a properties file).  WSDoAllReceiver then 
>> processes the incoming message, validates whatever it's configured to 
>> validate and then passes the request on to your handlers/service (or 
>> rejects the message if it does not validate properly).  to add 
>> UsernameTokens to a request and process them on the server requires a 
>> CallbackHandler on the client side which can provide the password for 
>> a user.  this is then processed into a UsernameToken, included in the 
>> SOAP header, and on the server side you'll need another 
>> CallbackHandler which can provide the password for the user (pulled 
>> from LDAP) which WSS4J will compare to what's provided in the 
>> UsernameToken and thus authenticate the message before your service 
>> (however it's implemented) ever gets called.  it's quite transparent 
>> for the most part.  it also inserts a few entries in the 
>> MessageContext so you can later determine what kind of authentication 
>> has been done.
>>
>> hth.
>> .......................ron.
>> Michael Rudolf wrote:
>>
>>> Is there any difference in case the Web Services are made out of 
>>> Session EJBs? Or does WSS4J work the same way in that case?
>>> Thanks!
>>> Michael
>>>
>>>> you may want to look at WSS4J and UsernameTokens.  they're pretty
>>>> straight-forward as long as your client can support them.  they are
>>>> part of the WS-Security standard if you want to stick with "endorsed"
>>>> authentication mechanisms.  then on the server-side you'll typically
>>>> need a JNDI interface to your LDAP server to authenticate the user on
>>>> that side.
>>>>
>>>> hth.
>>>> ................ron.
>>>>
>>>>
>>>>> Hi,
>>>>> is there any tutorial or example for authenticating users of web
>>>>> services by username and pass over HTTPS? Can anybody explain in more
>>>>> detail how this works? Is there any alternative to it? I want to query
>>>>> axis web services from a portal. That uses LDAP for authentication. I
>>>>> would like to use the same directory for authenticating the users at
>>>>> the web services that are being queried.
>>>>> Thanks for any help!
>>>>> Michael
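Ron describes a handler chained right after WSDoAllReceiver that extracts the username, looks the user up in LDAP and stores the result in the MessageContext. The following is an added example of such a handler, not Ron's code, and it assumes the Axis 1.x and WSS4J 1.x APIs, hypothetical handler options "ldapUrl" and "baseDn", a hypothetical property name, and a directory that exposes group membership in a memberOf attribute. It reads the token only after confirming WSS4J left RECV_RESULTS on the request, and passes the username as a parameterized LDAP filter argument rather than concatenating it into the filter.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.xml.namespace.QName;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.message.*;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.WSHandlerConstants;

public class UserGroupsHandler extends BasicHandler {
    public static final String GROUPS_PROP = "app.user.groups"; // hypothetical property name
    private static final QName UT = new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
    private static final QName USER = new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_LN);

    public void invoke(MessageContext ctx) throws AxisFault {
        // Read the header only if WSDoAllReceiver ran on this request: missing RECV_RESULTS means the token
        // was never validated (a deeper check would inspect each WSHandlerResult for the UT action).
        Vector results = (Vector) ctx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null || results.isEmpty()) throw new AxisFault("request not processed by WSS4J");
        SOAPEnvelope env = ctx.getRequestMessage().getSOAPEnvelope();
        SOAPHeaderElement sec = env.getHeaderByName(WSConstants.WSSE_NS, WSConstants.WSSE_LN);
        MessageElement ut = sec == null ? null : sec.getChildElement(UT);
        MessageElement user = ut == null ? null : ut.getChildElement(USER);
        if (user == null) throw new AxisFault("no wsse:UsernameToken in the Security header");
        try { ctx.setProperty(GROUPS_PROP, lookupGroups(user.getValue())); }
        catch (NamingException e) { throw AxisFault.makeFault(e); } // fail closed: no lookup, no service call
    }

    // JNDI lookup of the user's memberOf values; "ldapUrl" and "baseDn" are hypothetical handler options
    private Set lookupGroups(String username) throws NamingException {
        Hashtable jndi = new Hashtable();
        jndi.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        jndi.put(Context.PROVIDER_URL, (String) getOption("ldapUrl"));
        DirContext dir = new InitialDirContext(jndi);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "memberOf" });
            // username goes in as a filter argument, never concatenated into the filter string
            NamingEnumeration hits = dir.search((String) getOption("baseDn"), "(uid={0})", new Object[] { username }, sc);
            Set groups = new HashSet();
            while (hits.hasMore()) {
                Attribute memberOf = ((SearchResult) hits.next()).getAttributes().get("memberOf");
                if (memberOf != null) groups.addAll(Collections.list(memberOf.getAll()));
            }
            return groups;
        } finally { dir.close(); }
    }
}
```

Downstream handlers and the service read the group set with getProperty(UserGroupsHandler.GROUPS_PROP) from the current MessageContext.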

