axis-java-user mailing list archives

From "Kraus, Bernhard" <bernhard.kr...@FIZ-Karlsruhe.DE>
Subject AW: Axis/EJB/Security
Date Thu, 04 May 2006 15:02:39 GMT
Hi Robert,
 
thank you for your answer. In fact we are planning to use Acegi for
Authorization, because of a complex authorization requirement (before and
after the business logic executes). I think we can use Acegi in EJB context
without a servlet session, but we will see. But as far as I can see from the
documentation Acegi seems to use ThreadLocal for storing the
username/password ;-) Maybe I am wrong, here.
 
My preferred approach at the moment is a LoginModule and the JAAS security
for authentication and Acegi for authorization. My first test was
successful, but there is still a lot to do.
 
Regards,
Bernhard

-----Original Message-----
From: robert lazarski [mailto:robertlazarski@gmail.com]
Sent: Thursday, 4 May 2006 16:51
To: axis-user@ws.apache.org
Subject: Re: Axis/EJB/Security


Keep in mind JBoss uses a version of Axis 1.2 that they themselves have
modified for their own purposes. MessageContext in 1.2 typically can be
accessed via a static method.

See the rest of my comments inline:


On 5/4/06, Kraus, Bernhard <bernhard.kraus@fiz-karlsruhe.de> wrote:

Hi all,

I am using Axis (1.2) to expose a Stateless Session EJB (2.1) as Webservice
using the Axis EJBProvider on a JBoss (4.0.3) Application Server.
The Webservices and EJB are the service layer of the application and the 
next layer (POJO framework) is the business layer.
The plan for the security framework is to handle the authorization using AOP
before and after the business layer, but to avoid using username/password as
parameter in the business/service layer code.


This is typically done in a Handler, right? You can use a generic one like
javax.xml.rpc.handler.Handler. The AOP / security framework I know best is
Spring's acegi. The last I looked, acegi needs a servlet session and didn't
have anything for web services. You could, however, wire Spring into your
Handler. Anyways, a Handler I think in some form fits your needs.



I tried using the XML RPC security implementation on client side:
import javax.xml.rpc.Stub;
Stub msg = (javax.xml.rpc.Stub) stub;
msg._setProperty(Stub.USERNAME_PROPERTY, "username");
msg._setProperty(Stub.PASSWORD_PROPERTY, "password");

The Axis framework EJBProvider fills the user information as described from 
the msgContext:
Implementation is similar to:
...
props.put( Context.SECURITY_PRINCIPAL, msgContext.getUsername() );
props.put( Context.SECURITY_CREDENTIALS, msgContext.getPassword() );
InitialContext initialContext = new InitialContext( props ); 
...
When accessing the EJB, the user principal is "anonymous" (default JBoss
setting).

I debugged the EJBProvider and username/password is filled from the
msgContext. The problem is to provide the username/password from Axis to EJB.

Now how can I access the Context in the EJB layer? I implemented a
LoginHandler (using: org.jboss.security.auth.spi.AbstractServerLoginModule)
but the principal and credential are still "null" even here.

Is there any other option to access the information passed to EJB and write
them e.g. to ThreadLocal to access them from the business logic?



You could use ThreadLocal if you don't need remoting on these vars. You
might be able to use MessageContext.setProperty and such which would be
simpler. Worth mentioning also is JBossCache. 

One note: I planned a similar approach on a project last year, but scrapped
it in favor of using container managed security and just passing the
username / password in a login service, and just passing back a String
generated from EJBObject as sort of a token.

HTH,
Robert
http://www.braziloutsource.com/



Regards,

Bernhard
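The thread above describes the pattern both posters converge on: an Axis request handler reads the credentials the JAX-RPC client set with Stub.USERNAME_PROPERTY / Stub.PASSWORD_PROPERTY, authenticates them through a JAAS LoginModule, and hands the resulting principal to the business layer through a ThreadLocal instead of passing username/password as method parameters. The following is an added example written for this page, not code from the thread, from Axis or from JBoss. It assumes an Axis 1.x BasicHandler on the request chain, a JAAS configuration entry named "AxisLogin" (an assumed name), and that the EJB provider and business layer run on the same thread as the handler. The point Bernhard raises about ThreadLocal is handled explicitly: request threads are pooled, so the Subject must be cleared at the end of every request or the next caller on that thread inherits it.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Iterator;
import java.util.concurrent.Callable;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;

/**
 * Request-chain Axis handler (added example). Authenticates the credentials
 * carried in the MessageContext via JAAS and binds the Subject to the thread.
 */
public class JaasAuthHandler extends BasicHandler {

    /** Name of the JAAS login configuration entry; an assumption for this example. */
    private static final String JAAS_ENTRY = "AxisLogin";

    public void invoke(MessageContext msgContext) throws AxisFault {
        String user = msgContext.getUsername();   // set from Stub.USERNAME_PROPERTY
        String pass = msgContext.getPassword();   // set from Stub.PASSWORD_PROPERTY
        if (user == null || pass == null) {
            // Fail closed instead of letting the call proceed as "anonymous".
            throw new AxisFault("Authentication required");
        }
        char[] secret = pass.toCharArray();
        try {
            LoginContext lc = new LoginContext(JAAS_ENTRY,
                    new SimpleCallbackHandler(user, secret));
            lc.login();
            SecurityHolder.set(lc.getSubject());
        } catch (LoginException e) {
            // One generic fault: do not tell the client which step of the login failed.
            throw new AxisFault("Authentication failed");
        } finally {
            Arrays.fill(secret, '\0');   // do not keep the password in memory longer than needed
        }
    }

    /** Axis calls this when a later handler or the provider faults: drop the binding. */
    public void onFault(MessageContext msgContext) {
        SecurityHolder.clear();
    }
}

/** Supplies the username/password to whatever LoginModule the "AxisLogin" entry names. */
final class SimpleCallbackHandler implements CallbackHandler {
    private final String user;
    private final char[] pass;

    SimpleCallbackHandler(String user, char[] pass) {
        this.user = user;
        this.pass = pass;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(pass);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
}

/** Per-thread Subject holder read by the business layer (e.g. from an AOP interceptor). */
final class SecurityHolder {
    private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<Subject>();

    static void set(Subject s) { CURRENT.set(s); }
    static void clear() { CURRENT.remove(); }
    static Subject current() { return CURRENT.get(); }

    /** Name of the authenticated principal, or null when no Subject is bound. */
    static String currentUser() {
        Subject s = CURRENT.get();
        if (s == null) return null;
        Iterator<Principal> it = s.getPrincipals().iterator();
        return it.hasNext() ? it.next().getName() : null;
    }

    /** Run work with a Subject bound and guarantee the binding is removed afterwards. */
    static <T> T runAs(Subject s, Callable<T> work) throws Exception {
        set(s);
        try {
            return work.call();
        } finally {
            clear();   // pooled thread: never leak the Subject into the next request
        }
    }
}
```

Because the Axis request and response chains are separate handler invocations, the binding made in invoke() is only guaranteed to be removed by onFault() on error; for the success path either register a second handler on the response chain that calls SecurityHolder.clear(), or wrap the EJB call with SecurityHolder.runAs() so the finally block does it. Without one of those, the ThreadLocal concern raised in the thread becomes a real authorization bug: a later unauthenticated request served by the same pooled thread would see the previous caller's Subject.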



