You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by ar...@cornell.edu on 2002/09/10 18:09:00 UTC

Custom security

I asked this last week on axis-user and it went down a black hole.  Maybe 
I'll have better luck here.

Short version: is there, and if so how, a way to install handlers 
like Tomcat Valves or Filters which can intercept, annotate, and mutate the 
SOAP request before it leaves and enters the client and server?

Long version:

Hello all,

  I have just begun digging into Axis to see if it is feasible to
implement transparent Kerberos security.  It appears as if I can register
handlers to append credentials after a call is invoked on the client, and
authenticate credentials before the call is invoked on the server.
However, there seem to be many places in which to register handlers (and
in fact the Axis engines themselves are handlers!), and I am not sure
where to start.  I have looked at the examples and understand how the
WSDD config document is loaded, but I would rather make this as
transparent to the developer as possible, and manually register handlers
in special subclasses (instead of forcing the use of arbitrary XML
configuration files or strings)...unfortunately I don't see where the
WSDD config is sticking the handlers it reads out of the file.  There seem
to be two places to register handlers on the client:  1) Through 
overriding (I can see no other way) the AxisEngine to return your 
handlers in getGlobalRequest and getGlobalResponse methods 2) through 
calling getHandlerRegistry on the Service object...however this API only 
gets/sets a list of HandlerInfoS, so I'm not sure where to actually stick 
the handler.

The second requirement I have is to be able to encrypt the SOAP request.
The best bet looks to me to subclass the Message object which the Call
sticks in the MessageContext, and override the 'writeTo' method, and
simply write the encrypted bytes.  This is called by HTTPSender.  However
I see no HTTPReceiver analogue on the server side, by which I can
transparently decrypt the contents of the message before it is
interpreted.

Any advice?

Aaron Hamid
CIT/I&D
Cornell University