That helped a lot, thanks, but could the parameters of
<parameter name="allowedRoles" value="user1"/>
be stored in a MySQL database?
-----Original Message-----
From: Adrian Perez Jorge [mailto:[EMAIL PROTECTED]
Sent: 24 November 2004 13:33
To: [EMAIL PROTECTED]
Subject: Re: Axis and authenication
Suzy Fynes wrote:
> Is there a better way of authenticating a user to access an axis WS
> other than using the permission list? If there were 100s of users what
> needs to be done?
>
> Thanks
>
> Suzy
>
I suppose your axis WS is using
org.apache.axis.security.simple.SimpleSecurityProvider as the security
provider. That simple provider just looks up users in a user.lst file.

For a production environment of 100s of users I recommend you:
- to use org.apache.axis.security.servlet.ServletSecurityProvider if
your servlet container already has the right mechanism to handle that
amount of users; for example many servlet containers are able to talk to
an LDAP server, an NT domain, a JDBC database, etc. This is the best
approach if your J2EE application users are the same as your web
services users.
- to create your own security provider, just implementing
org.apache.axis.security.SecurityProvider (and also AuthenticatedUser),
which for example queries an LDAP server, a JDBC database or whatever you
want.
It seems <requestFlow/> is the tag to be used to add the
authentication handler, for example:
...
<service name="WebserviceName1" provider="java:RPC">
  <parameter name="className" value="HelloWebservice"/>
  <parameter name="allowedMethods" value="getHello"/>
  <parameter name="allowedRoles" value="user1"/>
  <requestFlow name="authorizationFlow">
    <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
    <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
  </requestFlow>
...
Hope that helped,
Adrian P.J.
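
A sketch of the second option above (a custom SecurityProvider backed by a JDBC database such as MySQL), added here as an example; it is not code from the thread or from the Axis project. The class name, the ws_users and ws_user_roles tables and their columns are assumptions, and it needs the Axis 1.x jar on the classpath. How the provider instance is handed to the Axis handlers is not shown.

```java
import java.security.MessageDigest;
import java.sql.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;
import org.apache.axis.MessageContext;
import org.apache.axis.security.AuthenticatedUser;
import org.apache.axis.security.SecurityProvider;

/** Hypothetical provider; table and column names are assumptions. */
public class JdbcSecurityProvider implements SecurityProvider {
    private final DataSource ds;   // e.g. a container-managed MySQL pool

    public JdbcSecurityProvider(DataSource ds) { this.ds = ds; }

    /** Checks the request's username/password against a salted PBKDF2 hash. */
    public AuthenticatedUser authenticate(MessageContext ctx) {
        final String name = ctx.getUsername();
        String password = ctx.getPassword();
        if (name == null || password == null) return null;
        String sql = "SELECT salt, pw_hash, iterations FROM ws_users WHERE username = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);   // bound parameter, never string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                byte[] expected = rs.getBytes("pw_hash");
                PBEKeySpec spec = new PBEKeySpec(password.toCharArray(),
                        rs.getBytes("salt"), rs.getInt("iterations"), expected.length * 8);
                byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
                // Constant-time comparison of the stored and computed hashes.
                if (!MessageDigest.isEqual(expected, actual)) return null;
                return new AuthenticatedUser() { public String getName() { return name; } };
            }
        } catch (Exception e) {
            return null;   // fail closed on database or crypto errors
        }
    }

    /** Treats the principal (an allowedRoles entry) as a role name stored in the database. */
    public boolean userMatches(AuthenticatedUser user, String principal) {
        if (user == null || principal == null) return false;
        String sql = "SELECT 1 FROM ws_user_roles WHERE username = ? AND role = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user.getName());
            ps.setString(2, principal);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        } catch (SQLException e) {
            return false;  // fail closed
        }
    }
}
```

With a provider like this, the allowedRoles value in the deployment descriptor names a role, and which users hold that role is a row in the database rather than an entry in the descriptor.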