aspose file tools*
The moose likes Web Services and the fly likes Adding wss4j to existing app Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of EJB 3 in Action this week in the EJB and other Java EE Technologies forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "Adding wss4j to existing app" Watch "Adding wss4j to existing app" New topic
Author

Adding wss4j to existing app

Rusty Enisin
Ranch Hand

Joined: May 26, 2005
Posts: 107
I have been tasked with adding security to an existing web service running on Axis on Tomcat. Looking around I found wss4j. If you know of something better please let me know.

I need to inject security requirements into an existing application without altering the existing app. We are using https. We need the clients to send the username and password with each request. No state is kept. Everything is asynchronous. Clients could be any platform (Java, .Net, php or whatever).

In my mind I imagine only needing some sort of filter/listener (I think axis is calling these handlers) that will interrupt each request and authenticate each user. If they authenticate they continue. If not, they are rejected. We might have to inject a token into the request representing the user's authentication (used for audit trails). But that is to be used in the app only and not returned to the client.

So my question is this. Will wss4j do that for me?

Also, I am having a difficult time wrapping my head around the arcitecture of both wss4j and how it fits into axis. Do you know of any good document or book out there? The tutorials on Axis' site just don't work and make no sense (granted it could be me): Axis Deployment Tutorial and Axis Deployment Examples


The squeaky wheel gets the grease. Well, that or replaced...
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39537
    
  27
You're on the right track with wss4j. It uses JAX-RPC handlers, which you can tack on to a web service w/o altering the WS code itself. There are a couple of introductory links to information about wss4j in the Web Services FAQ; those might help you get going. Authentication in particular is not hard to do.

As to the overall architecture, wss4j sits on top of Axis. It implements the WS-Security standard, and as such should be accessible by non-Java clients as well. And you can use wss4j on the client side to connect to a non-Java WS server that supports WS-Security.


Ping & DNS - updated with new look and Ping home screen widget
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Adding wss4j to existing app
 
Similar Threads
New to WebService
Adding Header Information
SAML
Appserver-independent web service stacks?
Tomcat 6.0 and Axis 1.4 XML Security Error