I am working on an axis2 webservice that should include the following requirements:
1) a client will first log in to the webservice using a username/password
2) this username/password will be checked by the webservice by doing a search on a database
3) if the authentication is successful, a token is generated and sent to the client. A session is also created that allows the client to call all other methods of the webservice without sending the username/password again, just a token and a session id.
Theoretically, it's possible for my webservice to generate a token, and also possible to implement encryption between server and client to secure the exchange of messages using my own Java code, without any dedicated library. However, I think it's too risky to implement those security steps myself, as I am sure they can be obtained by combining functionalities offered by the Rampart module, for example, in a standard, more reliable way.
My question is the following: can anyone tell me what functionalities offered by Axis2, the Rampart module, or any other standard library or module can be combined to implement the above scenario using those standard libraries?
I've been reading through WS-SecureExchange, WS-Trust, session management in Axis2 but it's still not clear for me how to build the architecture.
Any thought, idea or link to sample similar applications?
If I may point to my own stuff, I've written a few articles specifically about how to use WS-Security with Axis. They come complete with ready-to-run example code, and should get you going pretty quickly. The first article deals with Axis 1, so you should start with the second one, and only refer back to the first if something is unclear. Both explain username/password authentication. The third article is about encryption.