Hi,
Maybe your web service is using a SOAP binding over HTTP (that's true in most cases). If you know about HTTP, it supports some ways of authentication (Basic, Digest...). The Axis frontend is usually a servlet, so you can configure your J2EE container (WebSphere in your case) to protect that resource (the URI the servlet is mapped on) using one of the above HTTP authentication mechanisms.
You could also use SOAP over HTTPS, so you will get encryption features for your web services. Maybe your J2EE container also supports 2-way authentication using HTTPS, but your clients will have to install their own certificate. You can also use HTTPS to protect your Basic HTTP authentication user/password pair from sniffers.
This way you can identify the user and prevent unauthorized users from running a certain web service by not allowing them to run the servlet, but not prevent certain users/roles from running a specific method. That could be accomplished by adding security tests at the method level in the implementation class and throwing a SecurityException or so when the user/role does not have permission. A declarative way of doing that would be nice.
What about implementing an Axis handler to check permissions for each input message? Is it possible to identify the operation in progress and then check in the system (J2EE container) realm for permissions to execute the operation by the currently authenticated user? Maybe the deployment descriptor for Axis could hold the security constraints. Hum... checking the API docs of Axis I found it was already implemented. Check out:
http://ws.apache.org/axis/java/apiDocs/org/apache/axis/handlers/SimpleAuthorizationHandler.html
its source code and docs/examples/mailinglist-archive for info about how to add/configure a handler.
Finally, there is some interesting documentation about Axis and security at http://ws.apache.org/axis/java/security.html
Cheers,
Adrian P.J.
Vikas Phonsa wrote:
Hi Everybody,
I’m trying to develop a B2B web service (for the first time) and am looking for some direction regarding security and authentication mechanisms that could be used with web services in Axis (in a WebSphere 5.1 environment).
Coding a user name and password in a soap message seems kind of a raw approach.
I would like to know what others are using. Since the service would be exposed on the internet, the chief aims would be
1. To avoid flooding of the server with bogus requests
2. Credential authentication or maybe method-level authentication (I won’t be using EJBs)
3. Anything that I can’t think of.
And I would be deploying this web service in a WebSphere 5.1 environment.
I would appreciate if someone could show direction.
Thanks in advance.
Thanks
Vikas
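The per-operation authorization handler Adrian describes, written out as an added example (not code from either poster and not Axis's own SimpleAuthorizationHandler, which checks roles per service rather than per operation). It assumes the container has already authenticated the caller through a web.xml security-constraint on the Axis servlet (HTTP Basic over HTTPS), so that the HttpServletRequest carries a Principal and role information; the package name, the handler parameter name "operationRoles" and its "op=role|role,..." format are assumptions made for this example. It fails closed: an unauthenticated caller, an unlisted operation or a caller in none of the listed roles gets a SOAP fault before the service implementation runs. Written in Java 1.4 style (no generics), which is what WebSphere 5.1 runs.

```java
package com.example.ws.security; // hypothetical package name

import java.util.HashMap;
import java.util.Map;
import java.util.StringTokenizer;

import javax.servlet.http.HttpServletRequest;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.description.OperationDesc;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;

/**
 * Request-flow handler enforcing per-operation authorization on top of
 * container (web.xml) authentication. Rules come from a WSDD parameter
 * (name assumed for this example), e.g.
 *   <parameter name="operationRoles"
 *              value="getQuote=partner|admin,placeOrder=admin"/>
 * Any operation not listed is denied.
 */
public class OperationRoleHandler extends BasicHandler {

    private static final String RULES_OPTION = "operationRoles"; // assumed name

    /** operation name -> String[] of roles allowed to invoke it */
    private Map rules;

    public void invoke(MessageContext msgContext) throws AxisFault {
        // Enforce on the request side only; responses/faults pass through.
        if (msgContext.getPastPivot()) {
            return;
        }
        if (rules == null) {
            // Benign race: parsing is idempotent, so concurrent first calls are fine.
            rules = parseRules((String) getOption(RULES_OPTION));
        }

        HttpServletRequest req = (HttpServletRequest)
            msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (req == null || req.getUserPrincipal() == null) {
            // The container did not authenticate this caller: refuse here,
            // before the service implementation is ever reached.
            throw new AxisFault("Server.Unauthenticated",
                "caller is not authenticated", null, null);
        }

        String operation = resolveOperationName(msgContext);
        String[] allowed = (String[]) rules.get(operation);
        if (allowed == null) {
            throw new AxisFault("Server.Unauthorized",
                "no authorization rule for operation " + operation, null, null);
        }
        for (int i = 0; i < allowed.length; i++) {
            if (req.isUserInRole(allowed[i])) {
                return; // authorized: let the handler chain continue
            }
        }
        throw new AxisFault("Server.Unauthorized",
            req.getUserPrincipal().getName() + " may not invoke " + operation,
            null, null);
    }

    /**
     * Use the OperationDesc if Axis has already resolved it; otherwise fall
     * back to the local name of the first body element, which for RPC and
     * wrapped document/literal services is the operation name.
     */
    private static String resolveOperationName(MessageContext msgContext)
            throws AxisFault {
        OperationDesc op = msgContext.getOperation();
        if (op != null) {
            return op.getName();
        }
        return msgContext.getRequestMessage().getSOAPEnvelope()
            .getFirstBody().getName();
    }

    /** Parses "op1=roleA|roleB,op2=roleC"; a malformed entry is a deployment error. */
    static Map parseRules(String spec) {
        Map result = new HashMap();
        if (spec == null) {
            return result; // empty map: every operation is denied
        }
        StringTokenizer entries = new StringTokenizer(spec, ",");
        while (entries.hasMoreTokens()) {
            String entry = entries.nextToken().trim();
            int eq = entry.indexOf('=');
            if (eq <= 0 || eq == entry.length() - 1) {
                throw new IllegalArgumentException("malformed operationRoles entry: " + entry);
            }
            String op = entry.substring(0, eq).trim();
            StringTokenizer roles = new StringTokenizer(entry.substring(eq + 1), "|");
            String[] list = new String[roles.countTokens()];
            for (int i = 0; i < list.length; i++) {
                list[i] = roles.nextToken().trim();
            }
            result.put(op, list);
        }
        return result;
    }
}
```

To wire it in, declare the handler in the service's WSDD (`<handler type="java:com.example.ws.security.OperationRoleHandler"/>` inside the service's `<requestFlow>`, with the parameter above) and keep the web.xml security-constraint on the Axis servlet so that unauthenticated requests never reach the handler at all. Two caveats a deployment will trip over: isUserInRole only works for roles declared as security-role in web.xml and mapped to users or groups in the container, otherwise it simply returns false for everyone; and this check happens after the SOAP envelope has been parsed, so it does nothing against the request flooding in Vikas's first point, which has to be handled in front of the container (firewall, reverse proxy or the container's own connection limits).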