File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Web Services and the fly likes Use wss4j for service and method level acces control Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Web Services
Bookmark "Use wss4j for service and method level acces control" Watch "Use wss4j for service and method level acces control" New topic
Author

Use wss4j for service and method level acces control

Rusty Enisin
Ranch Hand

Joined: May 26, 2005
Posts: 107
I have wss4j and Axis in an running. But it looks like wss4j only lets you authenticate a user based on a supplied username and password. That is great.

I need to limit access per service. Currently I will have to create a password callback class for each service. I would like to create one authenticator class that is smart enough to tell me if a user is authorized to access any specified service. I would rather not create a new password callback class for each service. It would only call the authenticator and pass the service name to it. Tons of classes really doing nothing.

I might even have to restrict access on the method level. This could all be solved if in the password callback I could know what service and method was called. Is there a way to know which service or method was called? Or do I have to create a separate service and password callback for each service we define? If two methods in one service have different security constraints do I have to put them in different services? How is all this usually done?



The squeaky wheel gets the grease. Well, that or replaced...
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41815
    
  62
That's an excellent question. Something like the following in the password callback handler might do the trick for Axis (haven't tested it, though).


The org.apache.axis.MessageContext class also has other methods returning all kinds of potentially useful information. I think there must be a way to get at the same information using javax.xml.rpc.handler.MessageContext as well (which would make it more independent from Axis), but I haven't checked all the properties it makes available.
[ January 18, 2006: Message edited by: Ulf Dittmer ]

Ping & DNS - my free Android networking tools app
Rusty Enisin
Ranch Hand

Joined: May 26, 2005
Posts: 107
Awesome! That is exactly what I needed!
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Use wss4j for service and method level acces control