File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Web Services and the fly likes web service security with Axis Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Web Services
Bookmark "web service security with Axis" Watch "web service security with Axis" New topic

web service security with Axis

Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311

I'd greatly appreciate advice on the following.
In short: what do you do when a web-service requires clients to login (supplying user + password), *but* the server/web-app can't be configured to use basic web authentication ?

We have an Axis web service, which requires login (namely, clients connecting to the web service must supply user + password ) .

Now, normally this should be handled by the servlet-container (configure "web.xml" to use "Basic Web Authentication", and put Security Constraints on the web-service URL ).

*Unfortunately*, we can't take this approach, since our web-application is already using *Form-Based* login (namely: the same web-application that contains our Axis servlet, also contains other modules - such as JSP pages - that rely on form-based login).

Any recommendations for this situation ? We are considering solutions, such as:
1) A filter to intercept requests to the web-service, and check for user credentials.
2) Passing user + password on applicative level, as additional method parameters (we use HTTPS, so passwords can be transmitted safely).
Those this make sense ? Or is there some feature build into Axis that could help ?

Thanks a lot.
Rr Kumaran
Ranch Hand

Joined: Sep 17, 2001
Posts: 548
please take a look at WS Token specification and its implementation using various WS Security spec. implementation frameworks like Apache WSS4J, IBM XSS, VeriSign TSIK. Again you have choices here ...

RR Kumaran
SCJP 1.4
Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311
Thanks very much. I was not aware of this.
I agree. Here's the link:
subject: web service security with Axis
It's not a secret anymore!