tuscany-user mailing list archives

From "Wiedenbruch, Alexander" <Alexander.Wiedenbr...@iml.fraunhofer.de>
Subject Policy and security subject
Date Tue, 09 Jun 2009 11:22:26 GMT
Hello,

we are using Tuscany with WS-Bindings successfully in a research project.

Currently, we are evaluating the Policy-Framework in Tuscany to secure the data exchange over these Web-Services.

We have two requirements:

a) Web-Services should only be invoked by authenticated users

b) Results of the Web-Service call depend on the user that called the Web-Service

Part a) is already implemented with the Callback-Method.

Part b) is problematic because ComponentContext.getRequestContext().getSecuritySubject() always returns null and we see no other way to detect which user called the method by using the SCA API. This happens with UsernameToken and JAAS authentication.

Our investigation showed that getSecuritySubject() reads the Subject from the message header, but in Axis2ServiceProvider.fillQoSContext() only the Principal gets written.

    WSSecurityEngineResult securityResult =
        (WSSecurityEngineResult) wshr.getResults().elementAt(count2);

    if (securityResult.get("principal") != null) {
        // only the Principal is added to the message headers, not a Subject
        message.getHeaders().add(securityResult.get("principal"));
    }

We would like to know if this bug is known or if other solutions for our problem exist.

Thanks in advance

A. Wiedenbruch
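An added, self-contained illustration (not code from this post or from Tuscany itself) of the mismatch the post describes: the request-context lookup expects a javax.security.auth.Subject among the message headers, but only a java.security.Principal is added, so the lookup yields null; the second variant wraps the Principal in a Subject, and the service fails closed when no subject is present. The method names mirror the ones in the post, but their bodies and the header list are assumptions, and the principal is a constructed sample.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class SubjectPropagationDemo {
    // Models what the post says getSecuritySubject() does: look for a Subject
    // among the message headers and return null when none is present (assumed).
    static Subject getSecuritySubject(List<Object> headers) {
        for (Object header : headers) {
            if (header instanceof Subject) {
                return (Subject) header;
            }
        }
        return null;
    }
    // Behaviour quoted in the post: fillQoSContext() writes only the Principal.
    static void fillQoSContextPrincipalOnly(List<Object> headers, Principal p) {
        if (p != null) {
            headers.add(p);
        }
    }
    // Assumed fix: wrap the Principal in a Subject so the lookup above finds it.
    static void fillQoSContextWithSubject(List<Object> headers, Principal p) {
        if (p != null) {
            Subject subject = new Subject();
            subject.getPrincipals().add(p);
            headers.add(subject);
        }
    }
    // Service side of requirement b): fail closed when no authenticated caller
    // is known instead of computing a result for nobody.
    static String resultFor(Subject subject) {
        if (subject == null || subject.getPrincipals().isEmpty()) {
            throw new SecurityException("no authenticated subject in request context");
        }
        return "data for " + subject.getPrincipals().iterator().next().getName();
    }
    public static void main(String[] args) {
        // Constructed sample principal, not a real UsernameToken or JAAS result.
        Principal alice = new Principal() { public String getName() { return "alice"; } };
        List<Object> principalOnly = new ArrayList<Object>();
        fillQoSContextPrincipalOnly(principalOnly, alice);
        System.out.println("subject seen with principal-only header: " + getSecuritySubject(principalOnly));
        List<Object> withSubject = new ArrayList<Object>();
        fillQoSContextWithSubject(withSubject, alice);
        System.out.println(resultFor(getSecuritySubject(withSubject)));
    }
}
```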
