JBoss - JAAS - HTTP authentication

 
Greenhorn
Posts: 25
Hi,

I'm havin' a bit of a problem: we used to use BEA Weblogic in which we used UIdP for security. Now, we switched to JBoss using a JAAS.
The problem is that BEA, upon receipt of a webservice-call (mind you: travels directly to BEA) checked whether it was authorized (via UIdP) and then answered with a 401. The requester then automatically sends a user/password (it's all basic) by which authorization was done.
JBoss doesn't do that using JAAS.
How could/can I solve that problem and/or does anyone have code or suggestions?
A solution would be to force users to call the webservice using u/p directly. But we can't do that having a few hundred of them. (Well, we can in time, but I need a short-term solution)

Anyone ?

Thanks


 
Ranch Hand
Posts: 2198
Hi!
A quick and dirty solution I come to think of is to write a handler that examines incoming requests to determine if they contain JAAS authentication information.
If a request does contain such information, it is allowed to pass through to the web service, if it does not then a redirect is generated.
Best wishes!
 
R Bieringa
Greenhorn
Posts: 25
Hi Ivan,

Well, I was thinking along those lines. But I know the requests don't contain the u/p stuff the first time. So I want to intervene and generate the appropriate response myself if the user is not authorized. I will have to generate a certain form of 401 reply that triggers the client to resend the request containing the u/p info.
Where do I do that in JBoss and do you maybe have some kind of example that might be useful?

Thanks,
Ronald
 
Ivan Krizsan
Ranch Hand
Posts: 2198
  • Likes 1
Hi!
I have had a closer look at the JAX-WS specification and it seems like what you want to do is indeed doable in a web service handler!
Reference: Section 9.4.2 of the JAX-WS 2.1 Specification.
- The HTTP request headers are available using the property key javax.xml.ws.http.request.headers
- The HttpServletResponse object of the current request is available using the property key javax.xml.ws.servlet.response
- If your handler implements javax.xml.ws.handler.LogicalHandler then you can access any part of the SOAP requests, including headers that are not targeted at the node.

Thus:
1. Either you examine the HTTP headers or the SOAP headers for authorization information.
2. If the authorization information is not present, then you obtain the HttpServletResponse object of the HTTP request associated with the web service request and either send a redirect or an error.
3. If the authorization information is present, then the handler does nothing and just lets the request pass through.

Regretfully, I do not have any code to share.
Best wishes!
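
The three steps in the reply above written out as a JAX-WS handler. This is an added example, not code from the thread or from JBoss. The class name and realm are placeholders, and how the container finishes the response after the handler returns false is an assumption to confirm on the JBoss version in use.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.LogicalHandler;
import javax.xml.ws.handler.LogicalMessageContext;
import javax.xml.ws.handler.MessageContext;
// Hypothetical handler (name and realm are assumptions, not from the thread).
public class BasicChallengeHandler implements LogicalHandler<LogicalMessageContext> {
    private static final String REALM = "example-realm"; // placeholder
    @Override
    public boolean handleMessage(LogicalMessageContext ctx) {
        // Responses leaving the service are not inspected.
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true;
        // Step 3: credentials present, pass through. Presence only: the JAAS
        // security domain still has to verify the user/password.
        if (hasBasicCredentials(ctx)) return true;
        // Step 2: no credentials, answer with a Basic challenge.
        HttpServletResponse resp = (HttpServletResponse) ctx.get(MessageContext.SERVLET_RESPONSE);
        if (resp == null) throw new WebServiceException("no servlet response; refusing request");
        try {
            resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (IOException e) {
            throw new WebServiceException("could not send 401 challenge", e);
        }
        return false; // stop the chain so the endpoint is not invoked
    }

    // Step 1: look for an "Authorization: Basic ..." HTTP header.
    @SuppressWarnings("unchecked")
    static boolean hasBasicCredentials(MessageContext ctx) {
        Map<String, List<String>> headers =
                (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (headers == null) return false;
        for (Map.Entry<String, List<String>> h : headers.entrySet()) {
            // Header names are case-insensitive; a map key may be null.
            if (h.getKey() == null || !h.getKey().equalsIgnoreCase("Authorization")) continue;
            for (String v : h.getValue()) {
                if (v != null && v.length() > 6 && v.regionMatches(true, 0, "Basic ", 0, 6)) return true;
            }
        }
        return false;
    }
    @Override public boolean handleFault(LogicalMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

The handler only checks that credentials are present, so the endpoint still needs the JAAS security domain to validate them. Basic credentials are base64-encoded rather than encrypted, so the endpoint should be reachable only over TLS.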
 
R Bieringa
Greenhorn
Posts: 25
Hi Krizsan,

Thanks for your reply! I'll give it a try as soon as possible! This looks like an approach that I can use. I'll look around for some code-samples. Mining the internet probably. Or maybe there are some JBoss-samples stashed away somewhere.

Thanks again,

Ronald
 