• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

web service security with Axis

 
Ranch Hand
Posts: 311
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I'd greatly appreciate advice on the following.
In short: what do you do when a web-service requires clients to login (supplying user + password), *but* the server/web-app can't be configured to use basic web authentication ?

We have an Axis web service, which requires login (namely, clients connecting to the web service must supply user + password ) .

Now, normally this should be handled by the servlet-container (configure "web.xml" to use "Basic Web Authentication", and put Security Constraints on the web-service URL ).

*Unfortunately*, we can't take this approach, since our web-application is already using *Form-Based* login (namely: the same web-application that contains our Axis servlet, also contains other modules - such as JSP pages - that rely on form-based login).

Any recommendations for this situation ? We are considering solutions, such as:
1) A filter to intercept requests to the web-service, and check for user credentials.
2) Passing user + password on applicative level, as additional method parameters (we use HTTPS, so passwords can be transmitted safely).
3)
Those this make sense ? Or is there some feature build into Axis that could help ?

Thanks a lot.
 
Ranch Hand
Posts: 548
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
please take a look at WS Token specification and its implementation using various WS Security spec. implementation frameworks like Apache WSS4J, IBM XSS, VeriSign TSIK. Again you have choices here ...
 
Sol Mayer-Orn
Ranch Hand
Posts: 311
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks very much. I was not aware of this.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic