RE: SOAP and security

Shinta Tjio Tue, 24 Jul 2001 13:28:19 -0700
Irfan,
Please see the Apache SOAP 2.2 Documentation - User's Guide:
 http://xml.apache.org/soap/docs/guide/index.html
on the subject of "Writing Provider". This documentation 
describes what is a provider.

You can write a provider that intercepts a SOAP request and
performs things like authentication/authorization before
the the webservice method is called.

I don't know exactly how to obtain the client certificate,
from inside a Provider, if this is SSL certificate you're 
talking about. I am using the Provider in an environment 
where only the server presents an SSL certificate, and 
the client doesn't have any certificate. 

thanks,
shinta

> I saw your posting on the archives regarding security in SOAP.  I had
a few
> questions about it. This is the problem Im trying to solve. Im trying
to set
> up security around a web service by using SSL using client auth. I
would
> like to also obtain the client certificate in the webservice method so
that
> I can extract the public key from it.  But as far as the web service
is
> concerned there is no way it knows anything about the remote call and
the
> client attributes.  How would you think I could get access to it (the
client
> certificate).  Also in SOAP 2.2 there is the Provider class (which can
be
> specified while deploying a service) for which you also sent code for.
> Whats the purpose of the Provider class and how could i leverage the
code
> you sent to obtain what I want.
>
> Heres the snippet of code you had posted
> 
> public class myProvider extends RPCJavaProvider {
> 
>   public void invoke(SOAPContext reqContext, SOAPContext resContext)
>                     throws SOAPException {
> 
>     HttpServletRequest req = (HttpServletRequest)
>
reqContext.getProperty(Constants.BAG_HTTPSERVLETREQUEST);
> 
>     // perform authentication here, check userId & password
> 
>     // invoke the method on the target object
>     try {
>       Response resp = RPCRouter.invoke( dd, call, targetObject,
>                                                  reqContext,
>                                                  resContext );
>       Envelope env = resp.buildEnvelope();
>       StringWriter  sw = new StringWriter();
>       env.marshall( sw, call.getSOAPMappingRegistry(), resContext );
>       resContext.setRootPart( sw.toString(),
>                               Constants.HEADERVAL_CONTENT_TYPE_UTF8);
>     }
>     catch( Exception e ) {
>       if ( e instanceof SOAPException ) throw (SOAPException ) e ;
>       throw new SOAPException( Constants.FAULT_CODE_SERVER, 
>                                e.toString());
>     }
>   };
> 
> }
>
RE: SOAP and security

Reply via email to
