Posted to soap-user@ws.apache.org by Shimmie <sh...@shimmie.com> on 2002/07/16 04:24:16 UTC

HttpRequest & Authentication

Fellas,

I want to do basic session-based authentication from my SOAP clients, just like regular users do when logging on to my Tomcat-based server.

Here's what I think I do:

    o wrap the rpcrouter in the security realm (in web.xml)
    o post to the login page and get back the SESSION_ID
    o put it in the url (rpcrouter?session_id=423434fsdf342)
    o pull the currently logged in user out of the HttpRequest.

Problem is, looking at the FAQ entry below, that getting the HttpRequest out of SOAPContext can only be done if the client also uses the Apache SOAP libraries. I can't control this - and what's the point of a standard if I have to.

Any other suggestions? 

All I can think of, neither of which I want to do:

(1) pass the username and password on every request as parameters
(2) write a customer session management system on my server which tracks sessions and Ids and pass the ID on every method call.

What do other people do about security?

Thanks,

Simon.



2.38  How can I get the IP address of a client that is using my SOAP Service?
If you add a SOAPContext Object as first Parameter in the signature of your SOAP-service java-method, a 'SOAPContext' Object is passed to your class, e.g.: 
.mymethod(SOAPContext inContext, String inString)

This SOAPContext object gives you access to the HttpSession, HttpRequest, HttpResponse (see Javadoc for details).
So, your SOAP service method can get the servlet request out of the context object, and then call the getRemoteAddr() method on the service request object: 

import javax.servlet.http.*;
....
// inContext is the SOAPContext passed as the first parameter of the service method
HttpServletRequest req =
    (HttpServletRequest) inContext.getProperty(org.apache.soap.Constants.BAG_HTTPSERVLETREQUEST);
String remoteIPAddress = req.getRemoteAddr();

NOTE: this will only work where the client and server are both using the Apache SOAP libraries.
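
The last step of the plan above (pulling the logged-in user out of the HttpRequest), as an added example that is not part of the original post or the Apache SOAP FAQ. It assumes the SOAPContext mechanism from the FAQ entry is available and that rpcrouter sits behind a container security constraint; the class name, method name and role name are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.soap.Constants;
import org.apache.soap.SOAPException;
import org.apache.soap.rpc.SOAPContext;

// Hypothetical service class, deployed behind rpcrouter like any Apache SOAP RPC service.
public class AccountService {

    // Hypothetical role name; it must match a role granted by the Tomcat realm.
    private static final String REQUIRED_ROLE = "soapuser";

    // The SOAPContext is passed in because it is the first parameter of the method.
    public String whoAmI(SOAPContext ctx, String note) throws SOAPException {
        HttpServletRequest req = (HttpServletRequest)
            ctx.getProperty(Constants.BAG_HTTPSERVLETREQUEST);

        // Fail closed: without the servlet request the caller cannot be identified.
        if (req == null) {
            throw new SOAPException(Constants.FAULT_CODE_SERVER,
                "No HTTP request available in SOAPContext");
        }

        // getRemoteUser() returns null unless the container authenticated the caller,
        // which only happens when the rpcrouter URL is covered by a security
        // constraint in web.xml.
        String user = req.getRemoteUser();
        if (user == null || !req.isUserInRole(REQUIRED_ROLE)) {
            throw new SOAPException(Constants.FAULT_CODE_CLIENT,
                "Caller is not authenticated or lacks role " + REQUIRED_ROLE);
        }

        return "Authenticated as " + user + " (" + note + ")";
    }
}
```

The identity here comes from the container's own authentication of the HTTP request, so the service method never handles a password or a session ID itself.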