aspose file tools*
The moose likes Web Services and the fly likes web service security with Axis Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Java 8 in Action this week in the Java 8 forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "web service security with Axis" Watch "web service security with Axis" New topic
Author

web service security with Axis

Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311
Hi,

I'd greatly appreciate advice on the following.
In short: what do you do when a web-service requires clients to login (supplying user + password), *but* the server/web-app can't be configured to use basic web authentication ?

We have an Axis web service, which requires login (namely, clients connecting to the web service must supply user + password ) .

Now, normally this should be handled by the servlet-container (configure "web.xml" to use "Basic Web Authentication", and put Security Constraints on the web-service URL ).

*Unfortunately*, we can't take this approach, since our web-application is already using *Form-Based* login (namely: the same web-application that contains our Axis servlet, also contains other modules - such as JSP pages - that rely on form-based login).

Any recommendations for this situation ? We are considering solutions, such as:
1) A filter to intercept requests to the web-service, and check for user credentials.
2) Passing user + password on applicative level, as additional method parameters (we use HTTPS, so passwords can be transmitted safely).
3)
Those this make sense ? Or is there some feature build into Axis that could help ?

Thanks a lot.
Rr Kumaran
Ranch Hand

Joined: Sep 17, 2001
Posts: 548
please take a look at WS Token specification and its implementation using various WS Security spec. implementation frameworks like Apache WSS4J, IBM XSS, VeriSign TSIK. Again you have choices here ...


RR Kumaran
SCJP 1.4
Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311
Thanks very much. I was not aware of this.
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: web service security with Axis
 
Similar Threads
Doubts in Mock exam HFSJ
security
selective authentication for a servlet?
Webapp-Security chapter revision notes from HFSJ , may be useful
How to implement Spring Form Based Authenticationand Authorization without session scope ?