Implementing Access Rights on Axis2 Web Service?

 
Kelly Powell
Ranch Hand
How do you check for access rights in Axis2?

Currently, I am using the UsernameToken of Rampart to get the credentials (username, password) of the user. The user is then allowed to access the web service method if his credentials are valid. But what if I have multiple methods? How can I specify which methods are only accessible to a certain user? I know that I can get the username via the MessageContext on the web service method itself and then perform the method function only if the user has rights on it, but I'm getting a feeling that I'm doing it the wrong way. Is there some other way of doing it? Perhaps somewhere in the WS-Specification?
 
Ulf Dittmer
Rancher
No, WS-Security only provides for authentication, not authorization. As such it has no concepts of roles or something similar. You'll have to get the roles of a user from your user info repository (DB, LDAP, or what have you) and then perform the access checks in your own code.
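One way to do what Ulf describes, as an added example that is not code from either poster: an Axis2 in-flow handler that runs in a phase after Rampart has validated the UsernameToken, reads the authenticated principal that WSS4J left on the MessageContext, looks the user's roles up in the application's own store, and allows the operation only if the caller holds the role the operation requires. The allow-list, the operation names, the role names and the in-memory `RoleRepository` are all constructed for illustration; the `RECV_RESULTS` / `WSSecurityEngineResult.TAG_PRINCIPAL` lookup assumes the WSS4J 1.5.x result structure that Rampart of that era used.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.Vector;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/**
 * Authorization handler for the Axis2 in-flow. Deploy it in a phase ordered after
 * Rampart's security phase, so the UsernameToken has already been authenticated
 * when invoke() runs. Authorization is deny-by-default: an operation that is not
 * in the allow-list, or a request with no authenticated principal, is refused.
 */
public class OperationAuthorizationHandler extends AbstractHandler {

    /** Role lookup against the application's user store (DB, LDAP, ...). */
    public interface RoleRepository {
        Set<String> rolesOf(String username);
    }

    // Constructed allow-list: operation local name -> role required to invoke it.
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("getBalance", "customer");
        REQUIRED_ROLE.put("transferFunds", "teller");
    }

    // Constructed in-memory repository; a real deployment wires this to DB/LDAP.
    private static final Map<String, Set<String>> USERS = new HashMap<String, Set<String>>();
    static {
        USERS.put("alice", new HashSet<String>(Arrays.asList("customer")));
        USERS.put("bob", new HashSet<String>(Arrays.asList("customer", "teller")));
    }

    private final RoleRepository roles;

    // Axis2 instantiates handlers through the no-arg constructor (module.xml / axis2.xml).
    public OperationAuthorizationHandler() {
        this.roles = new RoleRepository() {
            public Set<String> rolesOf(String username) {
                Set<String> r = USERS.get(username);
                return r == null ? new HashSet<String>() : r;
            }
        };
    }

    public InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        String operation = msgCtx.getAxisOperation().getName().getLocalPart();
        String username = extractUsername(msgCtx);
        if (!isAllowed(operation, username)) {
            // Generic fault text: the caller is not told which role is missing.
            throw new AxisFault("Access denied to operation " + operation);
        }
        return InvocationResponse.CONTINUE;
    }

    /** Pure decision logic, kept separate so it can be unit-tested without a MessageContext. */
    boolean isAllowed(String operation, String username) {
        if (username == null) {
            return false;                          // no authenticated principal: fail closed
        }
        String required = REQUIRED_ROLE.get(operation);
        if (required == null) {
            return false;                          // operation not in the allow-list: deny
        }
        return roles.rolesOf(username).contains(required);
    }

    /**
     * Username of the principal Rampart/WSS4J authenticated. Assumes WSS4J 1.5.x, where
     * RECV_RESULTS is a Vector of WSHandlerResult, each holding WSSecurityEngineResult maps.
     */
    static String extractUsername(MessageContext msgCtx) {
        Object results = msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (!(results instanceof Vector)) {
            return null;
        }
        for (Object handlerResult : (Vector<?>) results) {
            for (Object engineResult : ((WSHandlerResult) handlerResult).getResults()) {
                Principal p = (Principal) ((WSSecurityEngineResult) engineResult)
                        .get(WSSecurityEngineResult.TAG_PRINCIPAL);
                if (p != null) {
                    return p.getName();
                }
            }
        }
        return null;
    }
}
```

Keeping `isAllowed` free of Axis2 types makes the deny-by-default behaviour easy to test: an unknown operation, an unknown user and a missing principal must all come back `false`. The handler only enforces a decision; the roles themselves still come from the user repository, exactly as Ulf says.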
 
Kelly Powell
Ranch Hand
Thanks for the clarification, Ulf. I have written a handler to perform the authorization.

This is a bit out of the topic, but I think I've read in one of your posts that it is better to return a token after validating the credentials of the user? This is so that the next time the client connects to the web service, he won't need to send his username and password anymore. Instead, he will be sending the token assigned to him.

If I'm going to use the UsernameToken, can I still implement it? Or do I instead have to write a web service method for login? Also, how can I save the token on the server so that the next time the client accesses the web service, I can check if the token already exists and whose client the token is assigned to? I am trying to google for an example implementation of it but I can't seem to find one. Almost everything that I've seen discusses UsernameToken authentication without returning any token.
 
Ulf Dittmer
Rancher
I think I've read in one of your posts that it is better to return a token after validating the credentials of the user?

I think that may have been about using HTTP auth, not WS-Security auth. For WS-Security auth I'd actually advise configuring it to be used for all WS calls instead of rolling your own token approach (which is not trivial to make secure). It is possible, though, but your lack of googling success probably reflects that nobody is doing that (which is somewhat of an indication that you probably should not be doing it either :-)
 
Kelly Powell
Ranch Hand
Oh. Maybe that is why I can't find your post again. I might be searching using the wrong keywords. But I've also seen some people suggesting the token-based approach on web service. I'm not sure if you're referring to the UsernameToken authentication (which is part of WS-Security), but if it is, I already configured it to be used for all. I only separated the checking of access rights into a new handler.

Does it mean that the most commonly used approach in validating a client is for the client to pass his credentials every time he connects to the web service, and for the web service to validate the client's credentials every time he requests access to the web service? I'm thinking that such an approach would be too time consuming, especially if the client needs to invoke a web service method continually. Is there any approach so that I won't need to revalidate the client's credentials on his 2nd request if his 2nd request is only a few minutes away from his first request?

Right now, I am exploring if I can save the client's session in the configuration context and set the session's time to live. I'm still trying to learn how to enable sessions on web service. Am I on the right track?

Ulf, thanks again for all your help! I really appreciate it.
 
Kelly Powell
Ranch Hand
Found it. I already know how to enable sessions on Axis2. A SOAP session is almost the same as token-based authentication, so I just needed to add a login operation to validate the user. If he's a valid user, I'll save an indicator in his session indicating that he was already validated. I found the tutorial at: http://wso2.org/library/articles/axis2-session-management-part-2.
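The login-plus-session pattern Kelly settled on, written out as an added example (not the poster's code and not the linked tutorial's): a `login` operation validates the credentials once and stores an "authenticated" marker with a timestamp in the SOAP session; every other operation calls `requireAuthenticated()` first, which fails closed when the marker is absent and clears it once the time-to-live from the earlier post has elapsed. It assumes the service is deployed with `scope="soapsession"` in services.xml and that the session state lives on the `ServiceGroupContext` reached through `MessageContext.getCurrentMessageContext()`; the property names, the ten-minute TTL and the credential check are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.context.ServiceGroupContext;

/**
 * Service deployed with scope="soapsession" (assumed). The client logs in once per
 * session; later calls in the same session are accepted until the marker expires.
 */
public class AccountService {

    // Constructed session property names and time-to-live.
    static final String AUTH_USER_KEY = "auth.user";
    static final String AUTH_TIME_KEY = "auth.at";
    static final long TTL_MILLIS = 10L * 60L * 1000L;   // ten minutes

    // Constructed credential store; a real one checks a salted password hash in DB/LDAP.
    private static final Map<String, String> CREDENTIALS = new HashMap<String, String>();
    static {
        CREDENTIALS.put("alice", "placeholder-password");
    }

    /** Validates the credentials once and records the result in the session. */
    public boolean login(String username, String password) {
        if (!credentialsValid(username, password)) {
            return false;                           // nothing is stored for a failed login
        }
        ServiceGroupContext session = currentSession();
        session.setProperty(AUTH_USER_KEY, username);
        session.setProperty(AUTH_TIME_KEY, Long.valueOf(System.currentTimeMillis()));
        return true;
    }

    /** Explicit logout removes the marker so the session can no longer be used. */
    public void logout() {
        clearMarker(currentSession());
    }

    /** A protected operation: refuses to run unless the session was authenticated recently. */
    public String getBalance(String account) throws AxisFault {
        String user = requireAuthenticated();
        // Constructed result; a real implementation would also check that 'user' owns 'account'.
        return "balance for " + account + " requested by " + user;
    }

    /** Returns the authenticated username or throws; clears an expired marker on the way out. */
    static String requireAuthenticated() throws AxisFault {
        ServiceGroupContext session = currentSession();
        Object user = session.getProperty(AUTH_USER_KEY);
        Object at = session.getProperty(AUTH_TIME_KEY);
        if (!(user instanceof String) || !(at instanceof Long)) {
            throw new AxisFault("Not logged in");    // no marker: fail closed
        }
        if (isExpired(((Long) at).longValue(), System.currentTimeMillis())) {
            clearMarker(session);                    // expired: force a fresh login
            throw new AxisFault("Session expired");
        }
        return (String) user;
    }

    /** Pure TTL check, separated so it can be tested without a MessageContext. */
    static boolean isExpired(long authenticatedAt, long now) {
        return now - authenticatedAt > TTL_MILLIS;
    }

    private static boolean credentialsValid(String username, String password) {
        String expected = CREDENTIALS.get(username);
        return expected != null && expected.equals(password);
    }

    private static ServiceGroupContext currentSession() {
        return MessageContext.getCurrentMessageContext().getServiceGroupContext();
    }

    private static void clearMarker(ServiceGroupContext session) {
        session.removeProperty(AUTH_USER_KEY);
        session.removeProperty(AUTH_TIME_KEY);
    }
}
```

Two points worth keeping in mind with this design: the session identifier that Axis2 issues now acts as the credential for the rest of the session, so the transport carrying it needs the same protection the UsernameToken needed, and the TTL in the service is independent of the session timeout Axis2 itself applies, so whichever expires first ends the authenticated state.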
 