Axis + WSS4J, one time authentication?

Alan Richardson
Greenhorn
Hi folks, I'm somewhat new to web services and particularly WSS4J and I'm having a problem with an implementation. It's probably best if I first explain what I'm attempting to do:

A user will supply a username and password, and this will be authenticated on the web service server. However once authenticated I want the web service to supply what is essentially a 'session' token, which the user can use to access the services. The 'session' token will either be sent as a function parameter in each request, or maybe as the username in the SOAP header (without an accompanying password).

My problem is that WSS4J Callback class wants to authenticate each individual request with a username/password, whereas I only want this to occur once at the beginning of a session. At least as far as I can tell.

Is there any way I can implement the above scenario using WSS4J?
 
Ulf Dittmer
Rancher
Welcome to JavaRanch.

It's one of the best practices of WS not to implement sessions, but instead to send all required information, including authentication, with each request. But since the client is most likely an automated process (and not a user typing in authentication information again and again), this shouldn't be a problem.

If sessions are still the way to go, then you need to use a callback that is configured not to require WS-Sec authentication (i.e., a different callback than is used for the login call).
 
Daniel
Ranch Hand
Hi Alan,

You can use Apache Axis' sessions. I believe the following flow will work:

In the first logon there will be no session token; you can check for it in the authentication callback and try to authenticate the user. In subsequent calls, the auth. callback will notice the occurrence of the session token and you can skip the authentication, guaranteeing that the user is authenticated.

Hope this helps,
Daniel
 
Alan Richardson
Greenhorn
Thanks for the welcomes.

Ulf, how might I go about piping off requests to different handlers? Would I have to implement a separate request/response handler class and define them each in the deployment descriptor?

At the moment I am invoking web services using the following code, but I'm not sure how I would point it to another handler.

 
Ulf Dittmer
Rancher
I'd definitely advise working with handlers and deployment descriptors, instead of hardcoding everything. It's very handy, especially during development, to be able to add/remove a handler just by (un)commenting a section in the descriptor. The descriptor for password authentication would look something like this for Axis 1:

The server-side handler could just skip checking authentication if a session exists.
[ March 06, 2007: Message edited by: Ulf Dittmer ]
 
Alan Richardson
Greenhorn
Looking at the deployment descriptor, would that mean I need to know which users will access the service, as you have defined a user, or have I misunderstood how that works? I'm also still not sure how to define a non-WS-Sec handler. I'm still wearing my rookie badge, as you may tell.

On reflection I think it would be best to authenticate each message because, as you say, it is a better security practice, although I also don't want to leave my understanding of this issue unresolved.
 
Ulf Dittmer
Rancher
That's a good point. That example assumes that a single user account is used for accessing the WS. But having to support multiple accounts would be a frequent thing to want to do, and the WSPasswordCallback class only deals with passwords, not user names.
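Pulling the thread's pieces together (Ulf's "skip checking authentication if a session exists", Daniel's check-for-a-token-inside-the-callback flow, and the multiple-accounts question in the last post), here is an added example of such a callback. It is not code from the thread or from WSS4J itself. It assumes the WSS4J 1.5 callback API that Axis 1 used at the time (WSPasswordCallback with the USERNAME_TOKEN and USERNAME_TOKEN_UNKNOWN usages; the token's user name is available through getIdentifier()), a hypothetical class name SessionAwarePasswordCallback, a constructed in-memory user store, and a wire protocol of its own choosing: the first call carries an ordinary UsernameToken with the real user name and password, the login operation then issues a token, and every later call sends the reserved user name "session" with that token as a PasswordText password. The WSDD fragment in the class comment is likewise an assumed wiring, not Ulf's descriptor.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Session-aware WS-Security password callback for Axis 1 + WSS4J 1.5 (added example).
 *
 * Assumed wiring in server-config.wsdd (hypothetical class name):
 *   <requestFlow>
 *     <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
 *       <parameter name="passwordCallbackClass" value="SessionAwarePasswordCallback"/>
 *       <parameter name="action" value="UsernameToken"/>
 *     </handler>
 *   </requestFlow>
 *
 * Protocol assumed by this example (not specified by the thread):
 *  1. Login request: UsernameToken with the real user name and password (digest or text).
 *  2. The login operation calls issueSession(user) and returns the token to the client.
 *  3. Later requests: UsernameToken with Username="session" and PasswordText = the token.
 */
public class SessionAwarePasswordCallback implements CallbackHandler {

    /** Reserved user name meaning "the password field carries a session token". */
    public static final String SESSION_USER = "session";
    private static final long SESSION_TTL_MS = 15L * 60 * 1000;
    private static final SecureRandom RNG = new SecureRandom();

    /** Constructed user store for the example; a real service would keep salted hashes. */
    private static final Map<String, String> USERS = new ConcurrentHashMap<String, String>();
    /** Live sessions, token -> owner and expiry. Process memory only, so not cluster-safe. */
    private static final Map<String, Session> SESSIONS = new ConcurrentHashMap<String, Session>();

    static {
        USERS.put("alice", "correct horse");
        USERS.put("bob", "battery staple");
    }

    private static final class Session {
        final String user; final long expiresAt;
        Session(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    /** Called by the login operation once WSS4J has accepted the user's real credentials. */
    public static String issueSession(String user) {
        byte[] raw = new byte[24];               // 192 bits from SecureRandom: an unguessable bearer secret
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02x", b));
        String token = sb.toString();
        SESSIONS.put(token, new Session(user, System.currentTimeMillis() + SESSION_TTL_MS));
        return token;
    }

    /** Returns the owner of a live token, or null if unknown or expired (expired entries are purged). */
    public static String userForSession(String token) {
        if (token == null) return null;
        Session s = SESSIONS.get(token);
        if (s == null) return null;
        if (s.expiresAt < System.currentTimeMillis()) { SESSIONS.remove(token); return null; }
        return s.user;
    }

    /** Logout: a revoked token fails the next check even though it has not expired yet. */
    public static void revokeSession(String token) { SESSIONS.remove(token); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String user = pc.getIdentifier();     // the Username element of the incoming token

            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // PasswordDigest: WSS4J recomputes and compares the digest itself and only asks
                // us for this user's clear-text password. A session token cannot be verified this
                // way (we never learn what was digested), so the reserved user is refused here.
                if (SESSION_USER.equals(user) || !USERS.containsKey(user)) {
                    throw new IOException("unknown user: " + user);   // rejected as a failed authentication
                }
                pc.setPassword(USERS.get(user));
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // PasswordText: WSS4J hands us the password exactly as sent; we must verify it.
                String sent = pc.getPassword();
                if (SESSION_USER.equals(user)) {
                    if (userForSession(sent) == null) throw new IOException("invalid or expired session token");
                } else if (!constantTimeEquals(USERS.get(user), sent)) {
                    throw new IOException("bad credentials for " + user);
                }
                break;
            default:
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
        }
    }

    /** Compares without stopping at the first differing byte; a missing user never matches. */
    static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) return false;
        byte[] a = expected.getBytes(), b = actual.getBytes();
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A few points a practitioner would want alongside this. The token is a bearer secret: whoever holds it is the user, so it must only ever travel over TLS, it must expire (the 15-minute TTL above) and be revocable on logout, and it must come from a cryptographic RNG rather than anything derived from the user name or clock. The login operation needs to know which user WSS4J just authenticated before it calls issueSession; with WSS4J 1.5 that is the WSUsernameTokenPrincipal in the WSHandlerResult list that WSDoAllReceiver stores in the Axis MessageContext under WSHandlerConstants.RECV_RESULTS. Note the trade-off between the two password types: PasswordDigest keeps the password off the wire but forces the server to hold it in clear text (WSS4J must recompute the digest), while PasswordText lets the server store hashes but sends the password in clear unless TLS is in place. Finally, the thread's other variant, a token as the Username with no Password element at all, is deliberately not relied on here: whether WSS4J 1.5 even invokes the callback for a password-less UsernameToken varies between releases, so putting the token in the password slot is both more predictable and keeps the secret where WSS4J expects a secret.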