Now I just realised that anybody who sees my WSDL can call the methods on my server.
How do I stop this, how do I authenticate users??
What's the easiest way? Could somebody show me a code example of the client side and server side code needed. My server is Apache Tomcat with Axis, and my client is a J2SE Swing app which calls methods on the stubs I generated from the WSDL.
I would really appreciate a dead simple example. I do not want to have to pass a user name and password as parameters with each method call!!
That didn't really help me. I'm hoping to hear something like add something to my web.xml on Tomcat, and then do something on the client code...
Every answer I come across explains the theory of authentication, but not how I do it!
My senior developer warned me against web services, saying there aren't any good docs and how-tos on using it. I hope he is not right!! He's gonna make me use CORBA if I fail to get this authentication working today!! HELP
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35254
The first link posted by BL was right on the mark. Amongst other things, it says that you can use HTTP Authentication. That involves your web.xml and conf/tomcat-users.xml on the server side (assuming you're using Tomcat, but other servlet containers work similarly), as well as setting properties in your javax.xml.rpc.Stub on the client, which looks something like:
    import javax.xml.rpc.Stub;

    Stub stub = (Stub) ...; // wherever you get your Stub from
    // credentials are sent by the stub as HTTP authentication on each call
    stub._setProperty(Stub.USERNAME_PROPERTY, "username");
    stub._setProperty(Stub.PASSWORD_PROPERTY, "password");
No rocket science involved. This is not very strong security (password is transmitted unencrypted in the HTTP headers), but it's a start. Later, you can run your service over SSL for some additional security, or migrate to using the WS-Security standard.
That's exactly the sort of answer I was looking for.
Thanks for your help - much appreciated!
Dean Fredericks
Ranch Hand
Joined: Dec 04, 2004
Posts: 60
Now I want to use the method you have described. I know how to set up user roles and stuff in web.xml.
But I have a database with all the usernames and passwords in it. How do I configure Tomcat to look in my database for the list of usernames and passwords?
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35254
In your server.xml, instead of a MemoryRealm, configure a JDBCRealm.
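The server-side configuration described in the answers above, as an added example that is not part of the original thread: a web.xml fragment that puts the Axis servlet behind HTTP Basic authentication over SSL, and a JDBCRealm for server.xml. The `/services/*` pattern is the Axis default servlet mapping; the role name `wsuser`, the realm name, the JDBC driver and URL, the database account, and the table and column names are all assumptions to replace with your own.

```xml
<!-- WEB-INF/web.xml of the Axis webapp, inside <web-app> -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis services</web-resource-name>
    <!-- Covers the SOAP endpoints and the ?wsdl URLs under them.
         No <http-method> is listed, so every HTTP method is protected. -->
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>wsuser</role-name> <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic auth only base64-encodes the password; require HTTPS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Web services</realm-name> <!-- assumed realm name -->
</login-config>

<security-role>
  <role-name>wsuser</role-name>
</security-role>

<!-- conf/server.xml, in place of the MemoryRealm element.
     Users come from the database; each user needs a row in the role
     table granting "wsuser". With no digest attribute (older Tomcat) or
     CredentialHandler (newer Tomcat) configured, the realm expects
     clear-text passwords in userCredCol. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/authdb"
       connectionName="tomcat_ro"
       connectionPassword="CHANGE_ME"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name"/>
```

The CONFIDENTIAL guarantee needs an SSL connector enabled in Tomcat, and the client stub should be pointed at the https endpoint directly rather than relying on a redirect. The database account used by the realm only needs read access to the two tables.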
Now I'm using the servlet/Tomcat style security. How can I access that from inside my business logic Java bean web service?
Since I'm not in a servlet or JSP, how do I do something like a: request.isUserInRole("Project Manager")! Since I don't have a request object to work with?? Is there some way I can get a request object?
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35254
That's a FAQ. Check the page at the bottom of this post for an answer.
Balaji Loganathan
author and deputy
Bartender
Joined: Jul 13, 2001
Posts: 3150
Originally posted by Ulf Dittmer: That's a FAQ. Check the page at the bottom of this post for an answer.
Nice one!! Ulf.
Dean Fredericks
Ranch Hand
Joined: Dec 04, 2004
Posts: 60
Thanks for your help. You really helped me a lot, much appreciated!!