| Author |
web service security with Axis
|
Sol Mayer-Orn
Ranch Hand
Joined: Nov 13, 2002
Posts: 310
|
|
Hi,
I'd greatly appreciate advice on the following.
In short: what do you do when a web-service requires clients to login (supplying user + password), *but* the server/web-app can't be configured to use basic web authentication ?
We have an Axis web service, which requires login (namely, clients connecting to the web service must supply user + password ) .
Now, normally this should be handled by the servlet-container (configure "web.xml" to use "Basic Web Authentication", and put Security Constraints on the web-service URL ).
*Unfortunately*, we can't take this approach, since our web-application is already using *Form-Based* login (namely: the same web-application that contains our Axis servlet, also contains other modules - such as JSP pages - that rely on form-based login).
Any recommendations for this situation ? We are considering solutions, such as:
1) A filter to intercept requests to the web-service, and check for user credentials.
2) Passing user + password on applicative level, as additional method parameters (we use HTTPS, so passwords can be transmitted safely).
3)
Those this make sense ? Or is there some feature build into Axis that could help ?
Thanks a lot.
|
 |
Rr Kumaran
Ranch Hand
Joined: Sep 17, 2001
Posts: 548
|
|
|
please take a look at WS Token specification and its implementation using various WS Security spec. implementation frameworks like Apache WSS4J, IBM XSS, VeriSign TSIK. Again you have choices here ...
|
RR Kumaran
SCJP 1.4
|
|
Sol Mayer-Orn
Ranch Hand
Joined: Nov 13, 2002
Posts: 310
|
|
|
Thanks very much. I was not aware of this.
|
|
 |
|
|
subject: web service security with Axis
|
|
|
0
