This week's book giveaways are in the Java EE and JavaScript forums.
We're giving away four copies each of The Java EE 7 Tutorial Volume 1 or Volume 2(winners choice) and jQuery UI in Action and have the authors on-line!
See this thread and this one for details.
The moose likes Web Services and the fly likes Web Services and X509 Certificate Authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of The Java EE 7 Tutorial Volume 1 or Volume 2 this week in the Java EE forum
or jQuery UI in Action in the JavaScript forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "Web Services and X509 Certificate Authentication" Watch "Web Services and X509 Certificate Authentication" New topic
Author

Web Services and X509 Certificate Authentication

Greg Werner
Ranch Hand

Joined: May 07, 2009
Posts: 54
I am having difficulty putting all the pieces together to make it happen. I will tell you about my scenario and perhaps some kind-hearted person could fill in the rest for me.

I have a web service deployed to Tomcat 6.0 currently. It is tested to work just fine via a client I wrote. It makes use of Axis (but not Axis2). The jar files I believe are JAX-WS 2.0. I do not control how others access the service but it will likely be someone else's web application calling the service. I would like to make use of X509 certificates because I know the legitimate users all have certificates I can check against on the server side. I would suppose if I can get an HttpServletRequest, as in the FAQ section "With Axis, how can I access authentication information if I use HTTP Authentication? " then I would be home free because I know how to get the certificate from the HttpServletRequestObject, I already do that in a j2ee web application. My question is how do I hook up such Java code as the FAQ I mentioned with my web service. What configuration do I need to do to go to this bit of code which checks certificates instead of just going straight to the method that the client is trying to call? Is it in the web.xml file, context.xml file or what?
Greg Werner
Ranch Hand

Joined: May 07, 2009
Posts: 54
Greg Werner wrote:My question is how do I hook up such Java code as the FAQ I mentioned with my web service. What configuration do I need to do to go to this bit of code which checks certificates instead of just going straight to the method that the client is trying to call? Is it in the web.xml file, context.xml file or what?


I think I was looking for something like org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor, although I am skeptical about Spring implementations because I have seen several other packages (LDAP is one I remember rather fondly) that are incomplete and inferior to equivalent implementations in the web community. So other suggestions are greatly appreciated.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
 
subject: Web Services and X509 Certificate Authentication