geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Basic Auth passwords in webservices
Date Wed, 31 Oct 2007 21:34:36 GMT

On Oct 31, 2007, at 9:37 AM, Neerup wrote:

>
> Hi...
>
> I'm creating webservices with JAX-WS and deploying them to a Geronimo2
> server..
> These webservices need a name and a password for calling some business logic.
>
> Today I'm just making the 2 first parameters user and password, and this
> works, but not a very pretty interface for a webservice, so I want to use
> Basic Auth.
>
> I can configure this by creating a Custom LoginModule and Principals and use
> them.. and this works.
> But I still need the password for my business logic.

I'm curious as to why.  This is AFAIK rather unusual.  If you need to  
propagate the credentials from the caller on to some other service  
you call that may well be possible without involving your business  
logic.
>
> How do I get the password from the basic auth for my business logic in my
> webservices ?

You need to

1. put the password into the Subject as a private credential.  We  
have a couple ways to do this such as the  
org.apache.geronimo.security.jaas.NamedUPCredentialLoginModule or if  
you are sure you will never supply other credentials the  
org.apache.geronimo.security.jaas.UPCredentialLoginModule.  We have  
some stuff set up so you can specify a  
NamedUsernamePasswordCredential by name from the Subject when you  
call a further web service.

2. in your code that needs the credentials, get the subject by calling
(Subject)javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container");
and looking in the private credentials for the one installed by the login module.

> I tried using the @Resource with WebServiceContext but a call to
> context.getUserPrincipal() just returns a JAASTomcatPrincipal not my own
> Custom Principal so no password :(
>
> Is there any way I can deploy the Custom LoginModule jar within the war/ear?

that should work without problems, what is happening that you ask?

thanks
david jencks

>
> Can anybody help me ?
>
>
>
>
> Current config:
>
> web.xml:
> ...
> <security-constraint>
> 		<web-resource-collection>
> 			<web-resource-name>Protected</web-resource-name>
> 			<url-pattern>/*</url-pattern>
> 			 <http-method>GET</http-method>
> 			<http-method>POST</http-method>
> 		</web-resource-collection>
> 		<auth-constraint>
> 			<role-name>manager</role-name>
> 		</auth-constraint>
> 	</security-constraint>
> 	
> 	<login-config>
> 		<auth-method>BASIC</auth-method>
> 		<realm-name>thn</realm-name>
> 	</login-config>
> ...
>
> Geronimo-web.xml:
> ...
> 	<security-realm-name>thn</security-realm-name>
>     <security>
>         <default-principal realm-name="thn">
>             <principal class="dk.eg.login.MyPrincipal" name="nobody"/>
>         </default-principal>
>         <role-mappings>
>             <role role-name="manager">
>                 <realm realm-name="thn">
>                   <!--<principal class="dk.eg.login.MyPrincipal"
> name="system" designated-run-as="true"/> -->
>                   <principal class="dk.eg.login.MyGroupPrincipal"
> name="manager" designated-run-as="true"/>
>                 </realm>
>             </role>
>         </role-mappings>
>     </security>
> ...
>
> Geronimo-application.xml:
>   <dep:gbean name="ttt"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
> xsi:type="dep:gbeanType"
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <dep:attribute name="realmName">thn</dep:attribute>
>         <dep:reference name="ServerInfo">
>             <dep:name>ServerInfo</dep:name>
>         </dep:reference>
>         <dep:xml-reference name="LoginModuleConfiguration">
>             <log:login-config
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                 <log:login-module control-flag="REQUIRED"
> wrap-principals="false">
>                     <log:login-domain-name>thn</log:login-domain-name>
>
>                     <log:login-module-class>dk.eg.login.MyLoginModule</log:login-module-class>
>                 </log:login-module>
>             </log:login-config>
>         </dep:xml-reference>
>     </dep:gbean>
>
>
> -- 
> View this message in context: http://www.nabble.com/Basic-Auth-passwords-in-webservices-tf4726213s134.html#a13513287
> Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
>
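
The two steps in the reply above, sketched as an added example that is not part of the original message or of Geronimo's code. `UpCredential` is a hypothetical stand-in for whatever credential class the login module installs, the `main` method uses a constructed Subject, and the JACC API is assumed to be on the classpath (the server provides it to deployed applications).

```java
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

public class CallerCredentials {

    /** Hypothetical credential type; substitute the class your login module adds. */
    public static final class UpCredential {
        private final String username;
        private final char[] password;
        public UpCredential(String username, char[] password) {
            this.username = username;
            this.password = password.clone();
        }
        public String getUsername() { return username; }
        public char[] getPassword() { return password.clone(); } // caller owns the copy
    }

    /** Step 2: the Subject the container authenticated for the current request. */
    static Subject currentSubject() throws PolicyContextException {
        return (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
    }

    /** Returns the credential installed at login, or null if there is none. */
    static UpCredential find(Subject subject) {
        if (subject == null) {
            return null; // unauthenticated request: no Subject in the policy context
        }
        // With a SecurityManager enabled, this call needs PrivateCredentialPermission.
        Set<UpCredential> creds = subject.getPrivateCredentials(UpCredential.class);
        return creds.isEmpty() ? null : creds.iterator().next();
    }

    public static void main(String[] args) {
        // Constructed Subject: step 1 is the login module's commit() doing this add.
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(new UpCredential("alice", "s3cret".toCharArray()));

        UpCredential cred = find(subject); // in a deployed service: find(currentSubject())
        char[] pw = cred.getPassword();
        try {
            System.out.println(cred.getUsername() + " / " + pw.length + " password chars");
        } finally {
            Arrays.fill(pw, '\0'); // wipe the working copy once the downstream call is done
        }
    }
}
```

Only private credentials are guarded by `PrivateCredentialPermission`; a password placed in the public credential set or on a Principal is readable by any code that can reach the Subject.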

