There's an implementation of WS-Security's UserNameToken Profile and X509Profile at
http://wss4j.sf.net/ (get the code using anoncvs access)

-- dims

--- Aaron Hamid <[EMAIL PROTECTED]> wrote:
> You'll have to get some real developers to answer on that, but the 
> only support I've seen is for basic auth.  That's not the fault of 
> Axis - the last I checked WS-Security was far from done and in general 
> security for web services has not been finalized.  You can of course 
> build security at the web service level but you will probably need to 
> be sure to do it over SSL so it is secure.
> 
> Aaron
> 
> Tony Vieitez wrote:
> 
> > Thanks for the help Aaron. Would it be correct to say that the only form
> > of supported security for web applications that is part of the axis
> > implementation is for servlet container security of the type that I have
> > described in my original message?
> > 
> > -----Original Message-----
> > From: Aaron Hamid [mailto:[EMAIL PROTECTED] 
> > Sent: 04 December 2003 13:20
> > To: [EMAIL PROTECTED]
> > Subject: Re: Authentication - Could anyone help me plzzzzzzz
> > 
> > I can't answer why the admin app would be failing.  But if you want 
> > application-level security you are basically on your own.  You can try 
> > to use the ws-security package, or simply build client and server 
> > handlers which know how to generate and decode your form of 
> > authentication (in my case, I have a client and server handler that 
> > generate and decode a modified form of a Kerberos ticket).  Once you 
> > do that, either populate the AuthenticatedUser Axis object, or 
> > override the HttpServletRequest (if you are running in a servlet 
> > container) with a HttpServletRequestWrapper that provides the decoded 
> > remote user through getRemoteUser().
> > 
> > Aaron
> > 
> > Tony Vieitez wrote:
> > 
> > 
> >>
> >>OK, so if you have a container managed username and password protected
> >>web service, and the client classes are generated from the wsdl, if the 
> >>person implementing the client code knows the username and password, 
> >>what would be the code for implementing access to the web service?
> >>
> >> 
> >>
> >>Also, if anyone knows any articles on axis authentication/security, I 
> >>would appreciate info on this
> >>
> >> 
> >>
> >>Thanks
> >>
> >> 
> >>
> >>Tony
> >>
> >> 
> >>
> >>-----Original Message-----
> >>*From:* Harald Pollak [mailto:[EMAIL PROTECTED]
> >>*Sent:* 04 December 2003 12:59
> >>*To:* [EMAIL PROTECTED]
> >>*Subject:* Re: Authentication - Could anyone help me plzzzzzzz
> >>
> >> 
> >>
> >>As I have understood:
> >>
> >>The handler is a thing before the WS (not part of it) and the WSDL 
> >>describes the WS - so elements only used in the handler shouldn't and 
> >>couldn't be described in the Webservice, so you can only tell your opposite
> >>what to do in document the webservice in hardware ways (email, letters, 
> >>tell him ...).
> >>
> >>best regards
> >>Harry
> >>
> >>On Thu, 04.12.2003, Yogesh Pant wrote at 13:49:
> >>
> >>/ Hello ppl,
> >>I have got a custom authentication handler. It authenticates the 
> >>incoming message very well.
> >> 
> >>My problem is that the generated wsdl has no mention of header elements 
> >>at all. HOW DO I ACHIEVE THIS?
> >> 
> >>Do I need to configure the deployment descriptor a little bit more?
> >> 
> >>Please help.
> >> 
> >>Thanks in advance.
> >> 
> >>regards,
> >>- yogesh
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >>*Sunil Iyengar <[EMAIL PROTECTED]>* wrote: /
> >>
> >>/ Hi Tony,
> >>If you wanted to use application level security, maybe try using
> >>ws-security (encryption and signatures) using handlers in axis. You will
> >>find quite a few links on this in the axis mailing list.
> >>You may have to design the authentication protocol and then implement this
> >>using ws-security.
> >>Hope this helps :)
> >>
> >>Cheers
> >>Sunny
> >>
> >>***********************************************************
> >>Sunil Iyengar,
> >>Research Fellow, Networks Group,
> >>Centre For Communication And Systems Research(CCSR),
> >>School of Electronics, Computing & Mathematics,
> >>University Of Surrey, Guildford GU2 7XH,
> >>Surrey, England, United Kingdom.
> >>Office: +44 (0)1483 686008
> >>***********************************************************
> >>
> >>On Thu, 4 Dec 2003, Tony Vieitez wrote:
> >>
> >>
> >>> Hi
> >>>
> >>> I asked a question on this subject recently, but I don't think I asked
> >>> it clearly enough, because the answers I got back, although helpful,
> >>> didn't quite give me the answer I was after. Now I understand a bit more
> >>> about authentication I can (hopefully) formulate my question a bit more
> >>> clearly. In fact, I have a number of questions which revolve around the
> >>> same subject:
> >>>
> >>> 1. I have implemented container level authentication, and have given the
> >>> client application access to the web service by implementing in this
> >>> client the following code:
> >>>
> >>> call.setUsername("myUsername");
> >>> call.setPassword("myPassword");
> >>>
> >>> This works fine. But how do I implement application level security,
> >>> instead of just relying on the web container to authenticate the calling
> >>> client?
> >>>
> >>> 2. As stated above, I have implemented container level authentication
> >>> for the whole of the axis web app, and now I want to use the Axis
> >>> Servlet to administer the system, I have to provide a username and
> >>> password but I get an unauthorised error. Here is what I did:
> >>>
> >>> At the command prompt I tried:
> >>> java org.apache.axis.client.AdminClient -l
> >>> http://myserver:8080/axis/servlet/AxisServlet list
> >>>
> >>> I also tried:
> >>> java org.apache.axis.client.AdminClient -l
> >>> http://myserver:8080/axis/servlet/AxisServlet -u myUsername -p
> >>> myPassword list
> 
=== message truncated ===


=====
Davanum Srinivas - http://webservices.apache.org/~dims/
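
An added example, not part of the original message and not WSS4J's own code: the server-side check a handler would make on a WS-Security UsernameToken sent in digest form, where PasswordDigest = Base64(SHA-1(nonce + created + password)). The class name, the five-minute freshness window, the in-memory nonce set and the sample token values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class UsernameTokenCheck {
    // Assumed freshness window; pick one that matches your clock skew.
    static final Duration MAX_AGE = Duration.ofMinutes(5);
    // Nonces already accepted. A real service would expire entries older than MAX_AGE.
    static final Set<String> SEEN_NONCES = ConcurrentHashMap.newKeySet();
    // Raw SHA-1 over (decoded nonce bytes + Created + password); Base64 of this is PasswordDigest.
    static byte[] digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return sha1.digest();
    }

    static boolean verify(String nonceB64, String created, String digestB64,
                          String storedPassword, Instant now) throws Exception {
        byte[] nonce, received; Instant ts;
        try {
            nonce = Base64.getDecoder().decode(nonceB64);
            received = Base64.getDecoder().decode(digestB64);
            ts = Instant.parse(created);
        } catch (IllegalArgumentException | DateTimeParseException e) {
            return false; // malformed token fields
        }
        if (Duration.between(ts, now).abs().compareTo(MAX_AGE) > 0) return false; // stale or future-dated
        if (!MessageDigest.isEqual(digest(nonce, created, storedPassword), received)) return false;
        return SEEN_NONCES.add(nonceB64); // false when this nonce was already used (replay)
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample token; "myPassword" is the placeholder used in the thread.
        String created = "2003-12-04T13:20:00Z";
        byte[] nonce = "constructed-nonce-0001".getBytes(StandardCharsets.UTF_8);
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        String sent = Base64.getEncoder().encodeToString(digest(nonce, created, "myPassword"));
        Instant now = Instant.parse("2003-12-04T13:21:00Z");
        System.out.println("first use: " + verify(nonceB64, created, sent, "myPassword", now));
        System.out.println("replayed:  " + verify(nonceB64, created, sent, "myPassword", now));
        System.out.println("stale:     " + verify(nonceB64, created, sent, "myPassword", now.plus(Duration.ofHours(1))));
    }
}
```

The digest form requires the server to hold the cleartext password (or an equivalent secret), and it authenticates only the token, not the message body, so transport protection such as the SSL mentioned in the thread is still needed.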
