axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wadi wadi <>
Subject User authentication questions
Date Thu, 17 Feb 2011 15:12:23 GMT
Hi axis users,

I am a beginner to axis2 and working on an application that requires user
My case study is a bit different than examples that come with Rampart
module, and would probably need to combine many things. Your help and
comments are greatly appreciated especially in pointing out how to avoid
security holes.

The scenario is the following:
1)  A user through a client application will enter his/her
2)  The service will check those credentials based on a ''custom database''
set at the service side and not on a hard coded password.
3)  If the authentication is successful, the service then creates a session
with a timeout  that will allow the user to continue calling other
webservice's methods without sending the username/password again and for the
session lifetime.

I checked session management in axis2, usernameToken sample that comes with
the Rampart module and can use those two to build the application. Also, the
application will definitely create tokens for clients to authenticate within
the session with no need to enter the username/password again.
1) do you know of any standard way to create session tokens in axis2 or
should it be custom coding.
2) if a usernameToken with a digest password is used, is the communication
between the service and the client secure enough?
3) do you know of any similar application code that can be used as a
starting point?

Thank you for your help!

View raw message