I have wss4j and Axis in an running. But it looks like wss4j only lets you authenticate a user based on a supplied username and password. That is great.
I need to limit access per service. Currently I will have to create a password callback class for each service. I would like to create one authenticator class that is smart enough to tell me if a user is authorized to access any specified service. I would rather not create a new password callback class for each service. It would only call the authenticator and pass the service name to it. Tons of classes really doing nothing.
I might even have to restrict access on the method level. This could all be solved if in the password callback I could know what service and method was called. Is there a way to know which service or method was called? Or do I have to create a separate service and password callback for each service we define? If two methods in one service have different security constraints do I have to put them in different services? How is all this usually done?
The squeaky wheel gets the grease. Well, that or replaced...
That's an excellent question. Something like the following in the password callback handler might do the trick for Axis (haven't tested it, though).
The org.apache.axis.MessageContext class also has other methods returning all kinds of potentially useful information. I think there must be a way to get at the same information using javax.xml.rpc.handler.MessageContext as well (which would make it more independent from Axis), but I haven't checked all the properties it makes available.
[ January 18, 2006: Message edited by: Ulf Dittmer ]
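One way to build the single shared callback handler discussed above, as an added example that is not code from this thread. It assumes Axis 1.x and WSS4J 1.x with password-digest UsernameTokens; the class name, the policy map, and the service, method and user names are hypothetical.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.callback.*;
import org.apache.axis.MessageContext;
import org.apache.axis.description.OperationDesc;
import org.apache.ws.security.WSPasswordCallback;

/** One handler for all services. Class, policy and user names are hypothetical. */
public class ServiceAwarePasswordCallback implements CallbackHandler {
    // Constructed policy: "service" or "service#method" -> users allowed to call it.
    private static final Map<String, Set<String>> ACL = new HashMap<String, Set<String>>();
    // Constructed credentials; a real deployment reads these from its user store.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static {
        ACL.put("OrderService", new HashSet<String>(Arrays.asList("alice", "bob")));
        ACL.put("OrderService#cancelOrder", new HashSet<String>(Arrays.asList("alice")));
        PASSWORDS.put("alice", "placeholder-1");
        PASSWORDS.put("bob", "placeholder-2");
    }

    /** A method-level entry overrides the service-level one; unlisted means denied. */
    static boolean isAuthorized(String user, String service, String method) {
        if (user == null || service == null) return false;
        if (method == null) {
            // Operation unknown: refuse if any method of this service has its own rule,
            // otherwise a restricted method could be reached via the service-level entry.
            for (String key : ACL.keySet())
                if (key.startsWith(service + "#")) return false;
        }
        Set<String> allowed = (method == null) ? null : ACL.get(service + "#" + method);
        if (allowed == null) allowed = ACL.get(service);
        return allowed != null && allowed.contains(user);
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        MessageContext ctx = MessageContext.getCurrentContext();
        if (ctx == null) throw new IOException("no Axis message context");
        String service = ctx.getTargetService();
        OperationDesc op = ctx.getOperation(); // may still be null in the request flow
        String method = (op == null) ? null : op.getName();
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String user = pc.getIdentifer(); // WSS4J 1.x spelling; later releases use getIdentifier()
            if (!isAuthorized(user, service, method))
                throw new IOException("access denied for " + service);
            pc.setPassword(PASSWORDS.get(user)); // lets WSS4J verify a digest UsernameToken
        }
    }
}
```

The handler denies by default: a missing message context, an unlisted service, or an unresolved operation on a service that has method-level rules all end in an exception rather than a fallback to the broader rule.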
Awesome! That is exactly what I needed!
subject: Use wss4j for service and method level access control