tuscany-user mailing list archives

From "Wiedenbruch, Alexander" <Alexander.Wiedenbr...@iml.fraunhofer.de>
Subject Policy and security subject
Date Tue, 09 Jun 2009 11:22:26 GMT


We are using Tuscany with WS-Bindings successfully in a research


Currently, we are evaluating the Policy-Framework in Tuscany to secure
the data exchange over these Web-Services.


We have two requirements:

a) Web-Services should only be invoked by authenticated users

b) Results of the Web-Service call depend on the user that called the


Part a) is already implemented with the Callback-Method.

Part b) is problematic because
ComponentContext.getRequestContext().getSecuritySubject() always returns
null and we see no other way to detect which user called the method by
using the SCA API. This happens with UsernameToken and JAAS


Our investigation showed that getSecuritySubject() reads the Subject
from the message header,

but in Axis2ServiceProvider.fillQoSContext() only the Principal gets


WSSecurityEngineResult securityResult =

if ( securityResult.get("principal") != null ) {




We would like to know if this bug is known or if other solutions for our
problem exist.


Thanks in advance

A. Wiedenbruch
