Not sure if this fits your requirements, but if you want to use HTTP Basic
Authentication **without** having the servlet container manage it for you, try
using:
org.apache.axis.handlers.http.HttpAuthHandler
This class strips out the user name and password from the HTTP Headers
and sets the username and password on the context. Then, you would need to
setup another handler to actually authenticate and authorize the user as Thomas
stated. So your requestFlow would look like this:
<requestFlow name="UserAuth">
<handler type="java:org.apache.axis.handlers.http.HttpAuthHandler"/>
<handler type="java:my.own.AuthenticationHandler"/>
<handler type="java:my.own.AuthorizationHandler"/>
</requestFlow>
Al
Quoting "THOMAS, JAI [AG-Contractor/1000]" <[EMAIL PROTECTED]>:
> There are couple of approaches you can take, but here's what I would do.
>
> - Implement an Authentication handler and Authorization handler extending
> BasicHandler
> These handlers would directly invoke your authentication/authorization
> methods and validate credentials.
>
> - Set authenticated user context in servlet request/context if your business
> components need it.
>
> - Defile these handlers in wsdd request flow inside your service section.
> e.g.
> <requestFlow name="UserAuth">
> <handler type="java:my.own.AuthenticationHandler"/>
> <handler type="java:my.own.AuthorizationHandler"/>
> </requestFlow>
>
> - Client should supply credentials in message header. In the case of Axis
> clients, it would be something like:
>
> b
>
>
> Hope it helps.
>
>
>
> Jai
>
> -----Original Message-----
> From: sol myr [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 17, 2005 5:28 AM
> To: [EMAIL PROTECTED]
> Subject: Axis security, when web-app can't use Basic Web Authentication
>
>
>
> Hi ,
>
> I'd greatly appreciate advice on the following.
> In short: what do you do when a web-service requires clients to login
> (supplying user + password), *but* the server/web-app can't be configured to
> use basic web authentication ?
>
> We have an Axis web service, which requires login (namely, clients connecting
> to the web service must supply user + password ) .
>
> Now, normally this should be handled by the servlet-container (configure
> "web.xml" to use "Basic Web Authentication", and put Security Constraints on
> the web-service URL ).
>
> *Unfortunately*, we can't take this approach, since our web-application is
> already using *Form-Based* login (namely: the same web-application that
> contains our Axis servlet, also contains other modules - such as JSP pages -
> that rely on form-based login).
>
> Any recommendations for this situation ? We are considering solutions, such
> as:
> 1) A filter to intercept requests to the web-service, and check for user
> credentials.
> 2) Passing user + password on applicative level, as additional method
> parameters (we use HTTPS, so passwords can be transmitted safely).
>
> Those this make sense ? Or is there some feature build into Axis that could
> help ?
> Thanks very much.
>
>
>
>
>
> _____
>
> Do you Yahoo!?
> Meet the all-new My Yahoo! <http://my.yahoo.com> - Try it today!
>
>
