Hello David,

Thanks for your response. It runs with the following constellation:

1. Create my own security realm called myRealm
2. Use myRealm in geronimo-web.xml
3. Use LoginContext and a custom CallbackHandler which knows the required username and password

    import java.security.Principal;
    import java.util.Set;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;

    // MyCallbackHandler is the application's own CallbackHandler; req carries the submitted credentials
    MyCallbackHandler handler = new MyCallbackHandler();
    handler.setUsername( req.getUser() );
    handler.setPassword( req.getPass() );
    LoginContext loginCtx = new LoginContext("myRealm", handler);
    loginCtx.login();
    Subject s = loginCtx.getSubject();
    Set<Principal> principals = s.getPrincipals();

This works fine. But I am wondering about the role mapping part in geronimo-web.xml. I expected that the principal “users”, defined in myRealm's database, would be mapped to “test1” (see the end of my text for geronimo-web.xml). The GroupPrincipal of the Subject is named users and not test1, as I expected.

Does this mechanism only work in combination with security configuration in web.xml? Or is there an error in my configuration?

security part in geronimo-web.xml

myrealm

Regards and thanks a lot!!
Jochen

> -----Original Message-----
> From: "David Jencks"
> Sent: 08.01.09 00:37:51
> To: user@geronimo.apache.org
> Subject: Re: Security and WebServices
>
> On Jan 7, 2009, at 5:03 AM, Jochen Zink wrote:
>
> > Hello,
> >
> > I want to use geronimos securitysystem together with a JAX-WS 2.1
> > WebService (WAR-File).
> >
> > My vision ;):
> > - standard security configuration: all URLs like /services/* are
> >   secure
> > - Using a standard LoginModule (A Geronimo one or a self written for
> >   BinarySecurityTokens)
> >
> > Is it possible to secure a WebService with the standard
> > Securitymechanism or must the application handle the ws-security
> > header? If the application has to handle it, is it possible to get
> > access to a LoginModule and how does this work?
>
> Can I check that you want to send the credentials inside the xml
> message? At the moment we don't have any support for that. In the
> future it may be possible to handle this with a JASPI authentication
> module.
>
> You can get the credentials yourself and log in to a JAAS realm using
> org.apache.geronimo.security.ContextManager.login(realmName,
> callbackHandler) where realmName is the name of a security realm
> you've set up in geronimo and callbackHandler is a callback handler
> you've stuffed the credentials into. This will log in and install the
> user in the geronimo security framework. However if your code to do
> this is in the application (such as a filter or servlet) you can't use
> javaee web security constraints because they will have already been
> evaluated by the time control gets to your auth code. You ought to be
> able to use javaee ejb security with the logged in Subject although I
> haven't tested this for problems I haven't thought of.
>
> hope this helps. please supply more details if appropriate. I'm
> running into several similar situations recently and more info on what
> people would like to be able to do would be great to figure out how to
> support this.
>
> thanks
> david jencks
>
> > Thanks a lot!
> > Regards
> > Jochen