Thanks Dr. Jung,

It's really nice when things actually work as advertised. The problem 
that I was having was not with the XDoclet descriptors, or with any 
part of my build pipeline; it was actually the client that I was 
attempting to access the web service with. I first tried a simple 
Microsoft .NET client, and when I added tcpmon into the mix, I found 
it was not sending any basic auth information. So of course it was 
getting denied access.

So, this morning I used the wsdl2java tool that comes with AXIS to 
generate the classes for the wsdl interface, and then I wrote a 
little bit of code, something like the following, based on the 
output, to access the web service:

public class LimsClient {
  public static void main(String[] args) {
    try {
      // Service locator and port interface generated by wsdl2java
      TestSessionLocalServiceLocator locator =
          new TestSessionLocalServiceLocator();
      TestSessionLocal ts = locator.getLIMS();
      // The generated binding stub extends org.apache.axis.client.Stub;
      // setUsername/setPassword make the HTTP transport add an
      // "Authorization: Basic ..." header to every call. Basic auth is
      // only base64-encoded, so tcpmon shows the credentials in clear
      // text on plain HTTP.
      LIMSSoapBindingStub stub = (LIMSSoapBindingStub) ts;
      stub.setUsername("admin");
      stub.setPassword("admin");
      System.err.println(ts.hello("Testing"));
      ts.testThisThing();
    } catch (Throwable ex) {
      // ServiceException from the locator, RemoteException (SOAP
      // fault, e.g. access denied) from the calls
      ex.printStackTrace();
    }
  }
}

And when I watched this through tcpmon I was able to clearly see that 
the basic-auth information was being sent, and my method call found 
its way down into the EJB session. Very nice.

I even tried experimenting with changing the authentication XDoclet 
tags and found that really what you've done is added another layer of 
security for web services such that unauthorized users will be 
bounced even before the EJB layer is called if their role doesn't 
match.

I guess I'll make some updates to the information on 
http://www.nsdev.org/jboss to get the security information straight 
there. Thanks for your help.

-Neal

On Wednesday 26 February 2003 04:56 am, Jung , Dr. Christoph wrote:
> Hi Neal,
>
> since Axis http-transport is realised through a single servlet,
> every security constraint that
> you would like to specify at the transport level must go into the
> global web-application.xml  that comes with the
> jboss-net.sar!jboss-net.war
>
> Since that is not very modular and since you would normally
> correctly shield your underlying J2EE logic, we decided to leave the
> transport level open at this point.
>
> Instead, we included a (simple) per-web-service way of
> authentication and authorization through dedicated Axis
> interceptors
> (JBossAuthenticationHandler and JBossAuthorizationHandler,
> respectively).
>
> These interceptors should be put into the transport chain of your
> web service (I guess that the xdoclet module will do that
> automatically for you). They are parameterized, e.g., against a
> preconfigured JBoss security domain using SimplePrincipal.
>
> JBossAuthenticationHandler will authenticate the incoming call
> versus the associated domain with the basic authentication info
> that comes through the http call (null Principal in case of no
> authentication info). With that security association the call will
> go further into the EJB layer of your application.
>
> Optionally, you can do additional security checks using
> JBossAuthorizationHandler that will simply implement an
> allowed/denied behaviour depending on the associated principals.
>
> I can only refer to the jboss.net testsuite in which there is a
> whole chapter dedicated to that issue.
>
> CGJ
>
> -----Original Message-----
> From: Neal Sanche [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 26 February 2003 00:45
> To: [EMAIL PROTECTED]
> Subject: [JBoss-user] Confused about Web Service Security...
>
>
> Hi All,
>
> Now that I have a simple web service running with JBoss.NET I'm now
> trying to enable access to a web service method that's secured by
> principals and roles within my EJB application. I'm completely
> confused about how to accomplish this on JBoss. Do I need to set up
> a security-constraint in my web.xml for this? So far, nothing that
> I've tried has sent a username and password from my client
> application to my web service. If anyone is doing this, please let
> me know how it's done. I'll post the findings up on my website as a
> future reference.
>
> -Neal
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________ JBoss-user mailing
> list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user




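As an added example (not code from this thread, from JBoss.NET or from Axis), the following Python models the two client behaviours behind what tcpmon showed in the messages above. An Axis Stub with setUsername/setPassword sends the Authorization header on the very first request, while a .NET HttpWebRequest with Credentials set and PreAuthenticate left at false only sends credentials after a 401 response carrying a WWW-Authenticate challenge. An endpoint whose transport level is left open never issues that challenge, so such a client keeps sending nothing, the call continues with a null principal, and the EJB layer rejects it. The endpoint path, realm, user table and role names in the block are assumptions; the request and response messages are constructed for the model.

```python
"""
Model of the HTTP Basic-auth exchange between a SOAP client and an
Axis/JBoss.NET endpoint, as tcpmon would record it (added example).

Client behaviours:
  "proactive"    - Authorization header on the first request (Axis Stub
                   after setUsername/setPassword).
  "on-challenge" - credentials only after 401 + WWW-Authenticate (.NET
                   HttpWebRequest with PreAuthenticate=false).
"""
import base64

USERS = {"admin": "admin"}                  # constructed user/password table
ROLES = {"admin": {"Administrator"}}        # constructed role assignment
SERVICE_PATH = "/jboss-net/services/LIMS"   # assumed endpoint path


def build_request(method, credentials=None):
    """Render the HTTP request the client puts on the wire (what tcpmon shows)."""
    lines = [
        f"POST {SERVICE_PATH} HTTP/1.0",
        "Content-Type: text/xml; charset=utf-8",
        f'SOAPAction: "{method}"',
    ]
    if credentials is not None:
        user, password = credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    lines += ["", f"<soapenv:Envelope>...<{method}/>...</soapenv:Envelope>"]
    return "\r\n".join(lines)


def parse_headers(request):
    """Header name (lower-cased) -> value, from the raw request text."""
    head = request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, v in (h.split(":", 1) for h in head)}


def decode_basic(header_value):
    """What anyone on the path can read: Basic auth is base64, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def transport_authenticate(request, challenge=False):
    """Server side. Returns (status, principal, response_headers).

    challenge=False models the open Axis transport: a call without
    credentials is never challenged, it continues with a null principal.
    challenge=True models a transport-level constraint that answers
    401 + WWW-Authenticate instead.
    """
    auth = parse_headers(request).get("authorization")
    if auth is None:
        if challenge:
            return 401, None, {"WWW-Authenticate": 'Basic realm="JBoss"'}
        return 200, None, {}
    creds = decode_basic(auth)
    if creds is not None and USERS.get(creds[0]) == creds[1]:
        return 200, creds[0], {}
    return 401, None, {}   # bad credentials: modelled as a plain 401


def ejb_call(principal, required_role="Administrator"):
    """The EJB layer still enforces its method permissions on the principal."""
    return "ok" if required_role in ROLES.get(principal, set()) else "denied"


def run_client(behaviour, credentials, challenge=False):
    """Drive one client against the server. Returns the (request, status)
    pairs tcpmon would record and the principal the server ended up with."""
    send = credentials if behaviour == "proactive" else None
    exchanges = []
    req = build_request("hello", send)
    status, principal, resp = transport_authenticate(req, challenge)
    exchanges.append((req, status))
    if status == 401 and "WWW-Authenticate" in resp and send is None:
        req = build_request("hello", credentials)      # answer the challenge
        status, principal, resp = transport_authenticate(req, challenge)
        exchanges.append((req, status))
    return exchanges, principal


if __name__ == "__main__":
    for behaviour in ("proactive", "on-challenge"):
        exchanges, principal = run_client(behaviour, ("admin", "admin"))
        sent = any("Authorization:" in r for r, _ in exchanges)
        print(f"{behaviour:13s} open transport: auth header sent={sent} "
              f"principal={principal} ejb={ejb_call(principal)}")
```

Against the open transport, only the proactive client ever puts an Authorization header on the wire; the on-challenge client completes a single 200 exchange with a null principal and is turned away at the EJB layer. Switching challenge=True shows the two-step exchange a .NET client needs. decode_basic is the same step tcpmon lets a human do by eye, which is why Basic auth over plain HTTP exposes the password to anyone on the path.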