Win a copy of Murach's MySQL this week in the JDBC and Relational Databases forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
  • Mikalai Zaikin

Adding wss4j to existing app

Ranch Hand
Posts: 107
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have been tasked with adding security to an existing web service running on Axis on Tomcat. Looking around I found wss4j. If you know of something better please let me know.

I need to inject security requirements into an existing application without altering the existing app. We are using https. We need the clients to send the username and password with each request. No state is kept. Everything is asynchronous. Clients could be any platform (Java, .Net, php or whatever).

In my mind I imagine only needing some sort of filter/listener (I think axis is calling these handlers) that will interrupt each request and authenticate each user. If they authenticate they continue. If not, they are rejected. We might have to inject a token into the request representing the user's authentication (used for audit trails). But that is to be used in the app only and not returned to the client.

So my question is this. Will wss4j do that for me?

Also, I am having a difficult time wrapping my head around the arcitecture of both wss4j and how it fits into axis. Do you know of any good document or book out there? The tutorials on Axis' site just don't work and make no sense (granted it could be me): Axis Deployment Tutorial and Axis Deployment Examples
Posts: 43081
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You're on the right track with wss4j. It uses JAX-RPC handlers, which you can tack on to a web service w/o altering the WS code itself. There are a couple of introductory links to information about wss4j in the Web Services FAQ; those might help you get going. Authentication in particular is not hard to do.

As to the overall architecture, wss4j sits on top of Axis. It implements the WS-Security standard, and as such should be accessible by non-Java clients as well. And you can use wss4j on the client side to connect to a non-Java WS server that supports WS-Security.
Don't get me started about those stupid light bulbs.
    Bookmark Topic Watch Topic
  • New Topic