Posted to java-user@axis.apache.org by Chris Rose <ch...@messagingdirect.com> on 2008/02/06 22:25:28 UTC
WebSphere 6.1 security and Axis2
I am trying to deploy axis2 on WebSphere Application Server 6.1 in an
enterprise application that contains additional EJB jars. I am able to
invoke the web services with no difficulty (I can set breakpoints inside
their implementations and see logging from our service implementation)
so -- for the record -- Axis2 seems to be working as advertised.
However, I have a problem, and I am hoping that someone with experience
with Axis2 and WebSphere can point me down the path to fixing it.
Our session beans -- to which we delegate for business logic from the
web service facade -- require that the user be authenticated in the
container. Not only is that a security concern, but we extract custom
credentials from the Subject in order to do the work.
The web services, however, despite my best effort, cannot be made to
require authentication. I am not using ws-security, I am attempting to
simply use HTTP basic authentication for the web application, but
nothing I do can provoke WebSphere to provide me with a password request
dialog for any of the servlets. I am testing this by navigating in a
web browser to the service listing page, which simply bypasses all of
the login modules defined in WEB_INBOUND in the container.
Attached is the web.xml from the final, deployed axis2 WAR file. I
would dearly like to know why this does not result in my being required
to provide a password. If anyone can help me, I would be very grateful.
--
Chris Rose
Developer Planet Consulting Group
(780) 577-8433
crose@planetci.com
Re: WebSphere 6.1 security and Axis2
Posted by Chris Rose <ch...@messagingdirect.com>.
Tony Dean wrote:
> First for webservices you don't want to use basic authentication... you want to use ws-security standard. And I experienced the same frustration that you are having... how do you integrate axis2 security into the container's security sandbox... as far as I can tell you can't. It appears that once you authenticated your web service with rampart module, you would then have to trigger the websphere security framework which would reauthenticate with these credentials and thereby produce a JAAS subject such that your business logic could use.
The WS-Security path is one that we'd like to follow, but not all of our
clients are going to be able to do that, and to be honest I don't fully
understand how we're supposed to implement that anyway. It's on the
list, but in the interim the servlets themselves should be protected.
> Otherwise, you go down the road of using basic authentication so that websphere can drive the authentication process implicitly... this is servlet based authentication and not web service based authentication.
Right. This is the road I want to follow for now. My understanding of
the servlet spec is that the web.xml I have provided SHOULD engage
authentication, even if it's only piddly-ole BASIC auth. So I'm trying
to grok why it fails to do that.
> I think you need to use the native websphere web service stack to do what you want. Please correct me if I am wrong.
I would expect, however, that you can use WebSphere's *servlet* stack to
do authentication, which is what I wanted to do in the first place. We
have explicitly moved away from the container-specific web service
implementations, because we support our application on three app
containers right now, with the possibility of others later.
--
Chris Rose
Developer Planet Consulting Group
(780) 577-8433
crose@planetci.com
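Added example, not part of the original thread and not the poster's attached web.xml: a small check of the declarations a servlet deployment descriptor needs before the container will challenge for BASIC credentials. The sample descriptor, the role name `ws-user` and the function names are assumptions made for illustration; URL matching is simplified, and container-side settings such as role-to-user mapping are not checked.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the web.xml attached to the original post.
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/axis2-admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>ws-user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def covers(constraint, mapping):
    """Simplified servlet-spec matching: exact, '/*' catch-all, or path prefix."""
    if constraint in (mapping, "/*"):
        return True
    prefix = constraint[:-2] if constraint.endswith("/*") else None
    return prefix is not None and (mapping + "/").startswith(prefix + "/")

def audit(web_xml):
    """Return a list of findings; an empty list means the declarations are complete."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # tolerate namespaced (2.4+) descriptors
        el.tag = el.tag.rsplit("}", 1)[-1]
    protected, used_roles, findings = [], set(), []
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None:                          # no auth-constraint: no login is required
            continue
        protected += [p.text.strip() for p in sc.iter("url-pattern")]
        used_roles |= {r.text.strip() for r in ac.iter("role-name")}
    for m in root.iter("servlet-mapping"):
        pattern = m.findtext("url-pattern").strip()
        if not any(covers(c, pattern) for c in protected):
            findings.append("unprotected servlet mapping: " + pattern)
    if root.findtext("login-config/auth-method") is None:
        findings.append("no login-config/auth-method")
    declared = {r.findtext("role-name").strip() for r in root.iter("security-role")}
    for role in sorted(used_roles - declared - {"*"}):
        findings.append("role not declared in security-role: " + role)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEB_XML)))
```
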
RE: WebSphere 6.1 security and Axis2
Posted by Tony Dean <To...@sas.com>.
First for webservices you don't want to use basic authentication... you want to use ws-security standard. And I experienced the same frustration that you are having... how do you integrate axis2 security into the container's security sandbox... as far as I can tell you can't. It appears that once you authenticated your web service with rampart module, you would then have to trigger the websphere security framework which would reauthenticate with these credentials and thereby produce a JAAS subject such that your business logic could use.
Otherwise, you go down the road of using basic authentication so that websphere can drive the authentication process implicitly... this is servlet based authentication and not web service based authentication.
I think you need to use the native websphere web service stack to do what you want. Please correct me if I am wrong.
---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org