I'd greatly appreciate advice on the following. In short: what do you do when a web-service requires clients to login (supplying user + password), *but* the server/web-app can't be configured to use basic web authentication ?
We have an Axis web service, which requires login (namely, clients connecting to the web service must supply user + password ) .
Now, normally this should be handled by the servlet-container (configure "web.xml" to use "Basic Web Authentication", and put Security Constraints on the web-service URL ).
*Unfortunately*, we can't take this approach, since our web-application is already using *Form-Based* login (namely: the same web-application that contains our Axis servlet, also contains other modules - such as JSP pages - that rely on form-based login).
Any recommendations for this situation ? We are considering solutions, such as: 1) A filter to intercept requests to the web-service, and check for user credentials. 2) Passing user + password on applicative level, as additional method parameters (we use HTTPS, so passwords can be transmitted safely). 3) Those this make sense ? Or is there some feature build into Axis that could help ?
Thanks a lot.
Joined: Sep 17, 2001
please take a look at WS Token specification and its implementation using various WS Security spec. implementation frameworks like Apache WSS4J, IBM XSS, VeriSign TSIK. Again you have choices here ...