What we have done is implement Axis/JAX-RPC client and server side handlers. The client side handler attaches a credential in the HTTP header ("Authorization" header), and the server side handler authenticates it, and makes the user id available in both the 1) MessageContext in AuthenticatedUser axis object (I believe) and also in 2) getRemoteUser() of the servletrequest (using a servletrequest wrapper). You can configure and get parameters into the server side handler through the server side deployment descriptor (wsdd). You can get configuration parameters into your client-side handler by dynamically registering it with a handlerinfo and Map with params, and runtime parameters by using _setProperty on the stub object (I think). The stub properties get propagated to the MessageContext of the client handler (this is true at least in 1.1, but not in 1.0).
We went this way because it doesn't seem like WSSE is fully cooked (or at least fully implemented and easy to use).
I also tried using SOAP headers in the envelope themselves (instead of out of band HTTP headers), but could not retrieve them in the server side handler for some reason, so I gave up on that.
The whole thing can be thrown over SSL so that should provide your on-wire safety.
Aaron Hamid CIT/I&D Cornell University
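A sketch of the handler pair described above, written as an added example for this thread (it is not Aaron's code and not part of Axis itself). It assumes Axis 1.1-era APIs: BasicHandler, MessageContext.AUTHUSER, SimpleAuthenticatedUser, HTTPConstants.MC_HTTP_SERVLETREQUEST and HTTPConstants.REQUEST_HEADERS; the "users" handler option format (user:sha256hex pairs in the wsdd) and the AuthenticatedRequest wrapper class are assumptions made for the example.

```java
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.encoding.Base64;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.security.simple.SimpleAuthenticatedUser;
import org.apache.axis.transport.http.HTTPConstants;

/**
 * Server side: reads the Basic "Authorization" header, checks it against the
 * credentials configured in the wsdd, then exposes the user id both as the
 * AuthenticatedUser in the MessageContext and via getRemoteUser() on a
 * wrapped HttpServletRequest.  Deploy with:
 *   <handler type="java:BasicAuthServerHandler">
 *     <parameter name="users" value="alice:<sha256 hex of her password>"/>
 *   </handler>
 */
public class BasicAuthServerHandler extends BasicHandler {
    public void invoke(MessageContext ctx) throws AxisFault {
        HttpServletRequest req =
            (HttpServletRequest) ctx.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        String header = (req == null) ? null : req.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new AxisFault("Server.Unauthenticated: Authorization header missing");
        }
        String decoded = new String(Base64.decode(header.substring(6).trim()));
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw new AxisFault("Server.Unauthenticated: malformed Basic credential");
        }
        String user = decoded.substring(0, colon);
        String pass = decoded.substring(colon + 1);

        // Assumption: wsdd option "users" holds "name:sha256hex,name:sha256hex".
        Map hashes = parseUsers((String) getOption("users"));
        String expected = (String) hashes.get(user);
        if (expected == null || !constantTimeEquals(expected, sha256Hex(pass))) {
            throw new AxisFault("Server.Unauthenticated: bad credentials");
        }

        // 1) user id in the MessageContext as an AuthenticatedUser
        ctx.setProperty(MessageContext.AUTHUSER, new SimpleAuthenticatedUser(user));
        ctx.setUsername(user);
        // 2) user id via getRemoteUser() for anything that pulls the request
        //    back out of the MessageContext (the container itself still sees
        //    the original request; a servlet Filter would be needed for that).
        ctx.setProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST, new AuthenticatedRequest(req, user));
    }

    static Map parseUsers(String option) throws AxisFault {
        Map m = new HashMap();
        if (option == null) throw new AxisFault("Server.Misconfigured: no users option");
        String[] entries = option.split(",");
        for (int i = 0; i < entries.length; i++) {
            int c = entries[i].indexOf(':');
            if (c > 0) m.put(entries[i].substring(0, c).trim(), entries[i].substring(c + 1).trim());
        }
        return m;
    }

    static String sha256Hex(String s) throws AxisFault {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8"));
            StringBuffer sb = new StringBuffer();
            for (int i = 0; i < d.length; i++) {
                sb.append(Character.forDigit((d[i] >> 4) & 0xf, 16));
                sb.append(Character.forDigit(d[i] & 0xf, 16));
            }
            return sb.toString();
        } catch (Exception e) {
            throw AxisFault.makeFault(e);
        }
    }

    // Length-independent comparison so a wrong hash takes the same time as a right one.
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}

/** Wrapper that reports the authenticated user to servlet-level code. */
class AuthenticatedRequest extends HttpServletRequestWrapper {
    private final String user;
    AuthenticatedRequest(HttpServletRequest req, String user) { super(req); this.user = user; }
    public String getRemoteUser() { return user; }
    public String getAuthType()  { return BASIC_AUTH; }
}

/** Client side: turn the stub's username/password into the Authorization header. */
class BasicAuthClientHandler extends BasicHandler {
    public void invoke(MessageContext ctx) throws AxisFault {
        // Set on the stub with _setProperty(Call.USERNAME_PROPERTY / PASSWORD_PROPERTY, ...)
        String user = ctx.getUsername();
        String pass = ctx.getPassword();
        if (user == null || pass == null) throw new AxisFault("Client.NoCredentials");
        Hashtable headers = new Hashtable();
        headers.put(HTTPConstants.HEADER_AUTHORIZATION,
                    "Basic " + new String(Base64.encode((user + ":" + pass).getBytes())));
        ctx.setProperty(HTTPConstants.REQUEST_HEADERS, headers);  // picked up by the HTTP sender
    }
}
```

The credential travels Base64-encoded, not encrypted, so as the post says the transport must be SSL for this to be safe on the wire; the server side stores only password hashes in the wsdd so a leaked descriptor does not leak the passwords themselves.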
Rudi Verago [vlain] wrote:
I need user/call authentication in a swing application. Beginning I want to use SAML and SSO but opensaml implementation has no documentation and samples, then I try XACML but nothing; same thing for xml security at Apache: without sample it's hard. Axis auth methods aren't safe. Now I try to implement JAAS realm on tomcat and ssl connection. Is it the "simple" only solution? Thanks,
~~~~~~~~~~~~~~~ Rudi Verago [vLAiN] [EMAIL PROTECTED] ~~~~~~~~~~~~~~~
