axis-java-user mailing list archives

From "Kraus, Bernhard" <bernhard.kr...@FIZ-Karlsruhe.DE>
Subject Axis/EJB/Security
Date Thu, 04 May 2006 12:23:45 GMT
Hi all,

I am using Axis (1.2) to expose a Stateless Session EJB (2.1) as a Webservice
using the Axis EJBProvider on a JBoss (4.0.3) Application Server.
The Webservices and EJB are the service layer of the application and the
next layer (POJO framework) is the business layer.
The plan for the security framework is to handle the authorization using AOP
before and after the business layer, but to avoid using username/password as
parameters in the business/service layer code.

I tried using the XML RPC security implementation on the client side:
import javax.xml.rpc.Stub;
Stub msg = (javax.xml.rpc.Stub) stub;
msg._setProperty(Stub.USERNAME_PROPERTY,"username");
msg._setProperty(Stub.PASSWORD_PROPERTY,"password");

The Axis framework EJBProvider fills the user information as described from
the msgContext:
Implementation is similar to:
...
props.put( Context.SECURITY_PRINCIPAL, msgContext.getUsername() );
props.put( Context.SECURITY_CREDENTIALS, msgContext.getPassword() ); 
InitialContext initialContext = new InitialContext( props );
...
When accessing the EJB, the user principal is "anonymous" (default JBoss
setting).

I debugged the EJBProvider and username/password is filled from the
msgContext. The problem is to provide the username/password from Axis to EJB.
Now how can I access the Context in the EJB layer? I implemented a
LoginHandler (using: org.jboss.security.auth.spi.AbstractServerLoginModule)
but the principal and credential are still "null" even here.

Is there any other option to access the information passed to EJB and write
them e.g. to ThreadLocal to access them from the business logic?

Regards,

Bernhard
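
The ThreadLocal hand-off asked about at the end of the message, as an added example that is not part of the original post and is not Axis or JBoss code. CallerContext, runAs and requireCaller are hypothetical names, and the holder assumes the service layer has already authenticated the caller, so it carries only the caller's name and never the password.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical holder (not an Axis or JBoss class): carries the authenticated
// caller's name from the service layer to the business layer without parameters.
public final class CallerContext {
    private static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    private CallerContext() {}

    // Binds the caller for one call and always restores the previous value,
    // so a pooled server thread never keeps a stale identity.
    public static <T> T runAs(String caller, Callable<T> work) throws Exception {
        String previous = CALLER.get();
        CALLER.set(caller);
        try {
            return work.call();
        } finally {
            if (previous == null) CALLER.remove(); else CALLER.set(previous);
        }
    }

    // Lookup for business code or AOP advice; fails closed when nothing is bound.
    public static String requireCaller() {
        String caller = CALLER.get();
        if (caller == null) throw new SecurityException("no caller bound to this thread");
        return caller;
    }

    public static void main(String[] args) throws Exception {
        // One worker thread stands in for the application server's request pool.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1: the service layer binds the caller ("alice" is a constructed name).
            Callable<String> first = () -> runAs("alice", CallerContext::requireCaller);
            System.out.println("request 1 ran as " + pool.submit(first).get());

            // Request 2 reuses the same thread without binding anyone; it must be rejected.
            Callable<String> second = () -> {
                try { return requireCaller(); }
                catch (SecurityException e) { return "rejected: " + e.getMessage(); }
            };
            System.out.println("request 2 " + pool.submit(second).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

Without the cleanup in the finally block, request 2 would run as "alice", because the same pooled thread served both requests.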
