
WebServices and J2EE security

 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Hi all,
I've got a generic question here, and maybe some of you already experienced it.
I did not have the opportunity yet to read about J2EE security (actually I won a book here on that subject 2 months ago but still waiting to receive it), so please don't bash me if my questions are silly.
I have some webServices acting as a facade to a J2EE application.
Application's security is done via the container (J2EE, declarative)
Once the WebService is called, is there a way to "give" the container some credentials, in order to let it deal with the authorization stuff, according to the roles associated with my EJB methods?
Or is this something only a J2EE 1.4 App. Server will be able to do with Java ACC (JSR 115) ?
Kyle, your advice is welcome here (as usual) as my App Server is WebSphere 5
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Nobody here?
Come on Bill, Lasse, HS, Kyle or anyone out there!
Should my question be posted somewhere else? Maybe the J2EE thread is more appropriate.
[ May 27, 2003: Message edited by: Jean-Louis Marechaux ]
 
Lasse Koskela
author
Sheriff
Posts: 11962
You should try the Security forum. Unfortunately I find myself unable to give advice about the subject.
 
HS Thomas
Ranch Hand
Posts: 3404
Hi,
I guess you are looking for a solution that provides seamless access to components with the right level of security, and want to avoid anything that will be a frequent support problem.
Don't know anything about J2EE 1.4 App Servers, but I'm surmising that the responsibility lies with the component deployer, so there should be a J2EE equivalent (within JACC?) to set permissions at runtime.
Good question. I hadn't thought of this issue. Could be contentious. The following may help.
Looks as though it's up to your policy provider.
The J2EE Servlet and EJB containers serve as an authorization boundary between callers and container-hosted components. When a container receives a request for a component, it determines if the caller has been granted permission to perform the request on the component. Both the Servlet and EJB APIs also provide an interface for a component to ask its container if its caller has been granted the permissions that correspond to an identified role.
The J2SE security architecture provides a fine-grained access control mechanism based on a policy-driven permission model.
For the J2SE reference implementation, the policy is represented external to the Java runtime using a simple syntax that grants permissions to authenticated entities. Authenticated entities are modeled by the java.security.CodeSource class and classes that implement the java.security.Principal interface.
The java.security.Policy class defines methods that are implemented by a policy provider. It is the role of the policy provider to map the external security policy to the collections of permissions granted to authenticated entities.

Any help?

I have some webServices acting as a facade to a J2EE application.

May also depend on who is calling whom? A J2EE application can call a Web Service component (who'll presumably be the policy provider in this case).
In your example the policy provider may be centred around the J2EE application.
Yes, but HOW, I hear you ask. Sorry, don't know.
regards
[ May 28, 2003: Message edited by: HS Thomas ]
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
To be able to let the container deal with the security stuff (authorization), the caller has to be authenticated. When the caller is in a web application, this can be done using "j_security_check" from a JSP form.
But when the caller is a webService, I need a hook to perform authentication using the J2EE container.
And I'm not sure whether this is possible or if I have to forget container-managed security....
I wonder if this "hook" is available with a J2EE 1.3 app server or if it is what JACC is all about (J2EE 1.4).
 
Kyle Brown
author
Ranch Hand
Posts: 3892
This is automatic in WebSphere 5 (but only with the Web Services Technology Preview) through our WS-Security support.
However, even without the Web Service Tech Preview, if you secure your Web Services servlet (the router servlet) and use basic HTTP authorization (which M$, JAX-RPC, Apache SOAP, Axis and every other toolkit supports) then the credentials will be passed through correctly.
Kyle
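Kyle's suggestion in deployment-descriptor form, as an added example that is not from this thread or from WebSphere's own samples: web.xml puts a security-constraint on the SOAP router servlet with BASIC authentication, and ejb-jar.xml requires the same role on the facade's EJB method, so the identity the container authenticates at the servlet is the one it checks at the bean. The servlet class, URL pattern, role name and bean/method names are assumptions, and both files are trimmed to their security elements.

```xml
<!-- web.xml (Servlet 2.3, J2EE 1.3): protect the SOAP router servlet -->
<web-app>
  <servlet>
    <servlet-name>rpcrouter</servlet-name>
    <!-- assumed Apache SOAP router class; adjust for your toolkit -->
    <servlet-class>org.apache.soap.server.http.RPCRouterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>rpcrouter</servlet-name>
    <url-pattern>/servlet/rpcrouter</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SOAP endpoint</web-resource-name>
      <!-- no http-method listed, so every HTTP method is constrained -->
      <url-pattern>/servlet/rpcrouter</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- only authenticated callers in this role reach the servlet -->
      <role-name>OrderClerk</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends the password base64-encoded, so require SSL -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>WebServiceRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>OrderClerk</role-name>
  </security-role>
</web-app>

<!-- ejb-jar.xml (EJB 2.0): the same role gates the facade's EJB method -->
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>OrderClerk</role-name>
    </security-role>
    <method-permission>
      <role-name>OrderClerk</role-name>
      <method>
        <ejb-name>OrderManager</ejb-name>
        <method-name>placeOrder</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The role is mapped to real users or groups at deployment time in the application server's own bindings, not in these descriptors; a caller that is not in the role gets a 401 at the servlet and would get an access exception at the bean even if it somehow reached it.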
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Thanks a lot Kyle,
As a matter of fact, it came to me that WebServices are "just" a servlet.
So securing the servlet (rpcrouter in my case) should theoretically work. I haven't tested it yet with WebSphere 5.
[ June 02, 2003: Message edited by: Jean-Louis Marechaux ]
 