Posted to java-user@axis.apache.org by Sanjesh Pathak <sa...@soapknox.com> on 2003/10/07 23:33:27 UTC

WS-Security UsernameToken code

Hi,

As promised here is the code which adds WS-Security UsernameToken header
to the request and also does authentication on the service side. Unzip
the attachment and it creates a directory called simple. Copy this
directory into your server's webapps\axis\WEB-INF\classes directory. Go
through the readme for details.

The basic idea is that one can simply set the username and password using
the Call's setUsername(String) and setPassword(String) methods on the
client side, and have WSSUsernameTokenAddHandler deployed on the client
side. This handler will take these username and password values and
create a UsernameToken header according to the WS-Security specification.
The handler will also clear these values so that they won't be sent with
the HTTP header. The handler WSSUsernameTokenAuthenticationHandler is used
on the service side to do authentication (although this handler needs some
work - but it works as is).

These two handlers work fine with Axis but I have not been able to use
this UsernameToken header to authenticate against Microsoft's
implementation (see
http://msdn.microsoft.com/webservices/building/livewebservices/mscomservices/default.aspx).
If anyone can find a solution, that would be great.

Sanjesh



-----Original Message-----
From: Sanjesh Pathak [mailto:sanjesh@soapknox.com] 
Sent: Monday, October 06, 2003 11:39 AM
To: 'axis-user@ws.apache.org'
Subject: RE: Simple username-password security with Axis?

Jon,

I am creating a handler that adds WS-Security UsernameToken header to
the request. It will do exactly what you are looking for. I am almost
done with it and will be posting the code to the list in a day or two.
Look out for it.

Sanjesh

-----Original Message-----
From: Jon Blower [mailto:jdb@mail.nerc-essc.ac.uk] 
Sent: Monday, October 06, 2003 7:33 AM
To: axis-user@ws.apache.org
Subject: Simple username-password security with Axis?

Dear Axis users,

I would like to add a very basic level of security to my Web Service.  I
would like users to be authenticated by simply including a username and
password in the SOAP message when calling the Web Service.

What's the easiest way of encrypting the username/password so it can't
be decrypted if someone intercepts the SOAP message?  I don't need a
solution with maximum security - the authentication is basically to keep
track of who's using the Web Service and to provide different levels of
access to different users.  The Web Service in question involves
significant server load, so the security is just intended to prevent
unauthenticated users submitting requests that will hold up the server.

I have even considered sending the username/password unencrypted, but
ideally I would like a bit more security than this if it's not hard to
implement.  Only the username/password part of the message would have to
be encrypted.

I've looked on the Web for appropriate toolkits/APIs but haven't been
able to track down an obvious solution.

Thanks in advance for any help or advice,

Jon


-- 
--------------------------------------------------------------
Dr Jon Blower              Tel: +44 118 378 5213 (direct line)
Research Fellow            Tel: +44 118 378 8741 (ESSC)
ESSC                       Fax: +44 118 378 6413
University of Reading      Email: jdb@mail.nerc-essc.ac.uk
3 Earley Gate
Reading RG6 6AL, UK
--------------------------------------------------------------
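
An added example, not the attachment's code and not written by anyone in this thread: the WS-Security UsernameToken Profile defines a PasswordDigest form, Base64(SHA-1(nonce + created + password)), which keeps the cleartext password out of the SOAP header, and the code below shows the client computing it and the service verifying it with a freshness window and a nonce replay cache. The class and method names, the 5-minute window and the sample passwords are assumptions; the thread does not say which password form the posted handlers use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class UsernameTokenDigest {
    static final Duration MAX_AGE = Duration.ofMinutes(5);   // assumed freshness window
    // Replay cache of accepted nonces; a real service would expire entries after MAX_AGE.
    static final Set<String> SEEN = ConcurrentHashMap.newKeySet();

    // Password_Digest = Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile.
    static byte[] digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        return sha1.digest(password.getBytes(StandardCharsets.UTF_8));
    }
    // Client side: returns the {Nonce, Created, Password} element values for one request.
    static String[] createToken(String password) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String created = Instant.now().toString();
        return new String[] { Base64.getEncoder().encodeToString(nonce), created,
                              Base64.getEncoder().encodeToString(digest(nonce, created, password)) };
    }
    // Service side: recompute the digest from the stored password, then check freshness and replay.
    static boolean verify(String nonceB64, String created, String digestB64, String storedPassword) {
        try {
            byte[] nonce = Base64.getDecoder().decode(nonceB64);
            Duration age = Duration.between(Instant.parse(created), Instant.now()).abs();
            if (age.compareTo(MAX_AGE) > 0) return false;    // stale or far-future timestamp
            byte[] expected = digest(nonce, created, storedPassword);
            // Constant-time comparison of the recomputed and received digests.
            if (!MessageDigest.isEqual(expected, Base64.getDecoder().decode(digestB64))) return false;
            // Key the cache on canonical bytes so a re-encoded nonce cannot bypass it.
            return SEEN.add(Base64.getEncoder().encodeToString(nonce));  // false if already used
        } catch (Exception e) { return false; }              // malformed field
    }
    public static void main(String[] args) throws Exception {
        String[] t = createToken("s3cret-constructed");      // constructed sample password
        System.out.println("first use : " + verify(t[0], t[1], t[2], "s3cret-constructed"));
        System.out.println("replay    : " + verify(t[0], t[1], t[2], "s3cret-constructed"));
        String[] bad = createToken("wrong-guess");
        System.out.println("wrong pwd : " + verify(bad[0], bad[1], bad[2], "s3cret-constructed"));
    }
}
```

The service must hold the password (or an equivalent secret) to recompute the digest, and a captured token still allows offline guessing of weak passwords, so transport encryption remains advisable.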