File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Web Services and the fly likes Adding wss4j to existing app Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Java Interview Guide this week in the Jobs Discussion forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "Adding wss4j to existing app" Watch "Adding wss4j to existing app" New topic

Adding wss4j to existing app

Rusty Enisin
Ranch Hand

Joined: May 26, 2005
Posts: 107
I have been tasked with adding security to an existing web service running on Axis on Tomcat. Looking around I found wss4j. If you know of something better please let me know.

I need to inject security requirements into an existing application without altering the existing app. We are using https. We need the clients to send the username and password with each request. No state is kept. Everything is asynchronous. Clients could be any platform (Java, .Net, php or whatever).

In my mind I imagine only needing some sort of filter/listener (I think axis is calling these handlers) that will interrupt each request and authenticate each user. If they authenticate they continue. If not, they are rejected. We might have to inject a token into the request representing the user's authentication (used for audit trails). But that is to be used in the app only and not returned to the client.

So my question is this. Will wss4j do that for me?

Also, I am having a difficult time wrapping my head around the arcitecture of both wss4j and how it fits into axis. Do you know of any good document or book out there? The tutorials on Axis' site just don't work and make no sense (granted it could be me): Axis Deployment Tutorial and Axis Deployment Examples

The squeaky wheel gets the grease. Well, that or replaced...
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
You're on the right track with wss4j. It uses JAX-RPC handlers, which you can tack on to a web service w/o altering the WS code itself. There are a couple of introductory links to information about wss4j in the Web Services FAQ; those might help you get going. Authentication in particular is not hard to do.

As to the overall architecture, wss4j sits on top of Axis. It implements the WS-Security standard, and as such should be accessible by non-Java clients as well. And you can use wss4j on the client side to connect to a non-Java WS server that supports WS-Security.
I agree. Here's the link:
subject: Adding wss4j to existing app
It's not a secret anymore!