Posted to user@tuscany.apache.org by "Wiedenbruch, Alexander" <Al...@iml.fraunhofer.de> on 2009/06/09 13:22:26 UTC

Policy and security subject

Hello,

we are using Tuscany with WS-Bindings successfully in a research project.

Currently, we are evaluating the Policy-Framework in Tuscany to secure the data exchange over these Web-Services.

We have two requirements:

a) Web-Services should only be invoked by authenticated users

b) Results of the Web-Service call depend on the user that called the Web-Service

Part a) is already implemented with the Callback-Method.

Part b) is problematic because ComponentContext.getRequestContext().getSecuritySubject() always returns null, and we see no other way to detect which user called the method using the SCA API. This happens with UsernameToken and JAAS authentication.

Our investigation showed that getSecuritySubject() reads the Subject from the message header, but in Axis2ServiceProvider.fillQoSContext() only the Principal gets written:

    WSSecurityEngineResult securityResult =
        (WSSecurityEngineResult) wshr.getResults().elementAt(count2);

    // Only the Principal from the WS-Security result is added to the
    // message headers; no Subject is created or added here.
    if (securityResult.get("principal") != null) {
        message.getHeaders().add(securityResult.get("principal"));
    }

We would like to know if this bug is known or if other solutions to our problem exist.

Thanks in advance

A. Wiedenbruch
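The mismatch the post describes, modeled as a stand-alone added example (not Tuscany's code and not the author's): a constructed header list that stands in for message.getHeaders(), a lookup that only recognizes a javax.security.auth.Subject (the behaviour attributed to getSecuritySubject()), and a variant of the header-filling step that wraps the Principal in a read-only Subject so that a Subject-based lookup finds the caller. All class and method names below are assumptions for illustration; only the idea of adding the "principal" result to the headers comes from the post.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class SubjectHeaderExample {

    /** Minimal Principal carrying the authenticated user name (constructed stand-in). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Mirrors the behaviour described in the post: only the Principal is added. */
    static List<Object> fillHeadersPrincipalOnly(Principal principal) {
        List<Object> headers = new ArrayList<>();
        if (principal != null) {
            headers.add(principal);
        }
        return headers;
    }

    /**
     * Suggested variant (assumption, not a Tuscany change): keep the Principal
     * header and additionally add a Subject that contains it, so a consumer
     * that looks for a Subject instance can recover the caller's identity.
     */
    static List<Object> fillHeadersWithSubject(Principal principal) {
        List<Object> headers = new ArrayList<>();
        if (principal != null) {
            headers.add(principal);
            Subject subject = new Subject();
            subject.getPrincipals().add(principal);
            subject.setReadOnly(); // identity must not be modified further downstream
            headers.add(subject);
        }
        return headers;
    }

    /** Models getSecuritySubject(): the first Subject found in the headers, else null. */
    static Subject findSubject(List<Object> headers) {
        for (Object header : headers) {
            if (header instanceof Subject) {
                return (Subject) header;
            }
        }
        return null;
    }

    /** Service-side use for requirement b): the caller's name, or null if unauthenticated. */
    static String callerName(Subject subject) {
        if (subject == null) {
            return null;
        }
        for (Principal p : subject.getPrincipals()) {
            return p.getName();
        }
        return null;
    }

    public static void main(String[] args) {
        Principal caller = new UserPrincipal("alice"); // constructed sample user

        // With only a Principal in the headers, the Subject lookup fails.
        Subject before = findSubject(fillHeadersPrincipalOnly(caller));
        System.out.println("principal-only headers -> subject: " + before);

        // With the Subject added alongside the Principal, the service can see who called it.
        Subject after = findSubject(fillHeadersWithSubject(caller));
        System.out.println("with subject header -> caller: " + callerName(after));
    }
}
```

The service should treat a null Subject as "unauthenticated" and refuse to return user-specific data rather than fall back to a default user; the read-only Subject prevents later code in the invocation chain from adding principals and escalating what the caller is allowed to see.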