Posted to java-user@axis.apache.org by Chris Rose <ch...@messagingdirect.com> on 2008/02/06 22:25:28 UTC

WebSphere 6.1 security and Axis2

I am trying to deploy axis2 on WebSphere Application Server 6.1 in an 
enterprise application that contains additional EJB jars.  I am able to 
invoke the web services with no difficulty (I can set breakpoints inside 
their implementations and see logging from our service implementation) 
so -- for the record -- Axis2 seems to be working as advertised.

However, I have a problem, and I am hoping that someone with experience 
with Axis2 and WebSphere can point me down the path to fixing it.

Our session beans -- to which we delegate for business logic from the 
web service facade -- require that the user be authenticated in the 
container.  Not only is that a security concern, but we extract custom 
credentials from the Subject in order to do the work.

The web services, however, despite my best effort, cannot be made to 
require authentication.  I am not using ws-security, I am attempting to 
simply use HTTP basic authentication for the web application, but 
nothing I do can provoke WebSphere to provide me with a password request 
dialog for any of the servlets.  I am testing this by navigating in a 
web browser to the service listing page, which simply bypasses all of 
the login modules defined in WEB_INBOUND in the container.

Attached is the web.xml from the final, deployed axis2 WAR file.  I 
would dearly like to know why this does not result in my being required 
to provide a password.  If anyone can help me, I would be very grateful.


-- 
Chris Rose
Developer    Planet Consulting Group
(780) 577-8433
crose@planetci.com

Re: WebSphere 6.1 security and Axis2

Posted by Chris Rose <ch...@messagingdirect.com>.

Tony Dean wrote:
> First for webservices you don't want to use basic authentication... you want to use ws-security standard.  And I experienced the same frustration that you are having... how do you integrate axis2 security into the container's security sandbox... as far as I can tell you can't.  It appears that once you authenticated your web service with rampart module, you would then have to trigger the websphere security framework which would reauthenticate with these credentials and thereby produce a JAAS subject such that your business logic could use.

The WS-Security path is one that we'd like to follow, but not all of our 
clients are going to be able to do that, and to be honest I don't fully 
understand how we're supposed to implement that anyway.  It's on the 
list, but in the interim the servlets themselves should be protected.

> Otherwise, you go down the road of using basic authentication so that websphere can drive the authentication process implicitly...  this is servlet based authentication and not web service based authentication.

Right.  This is the road I want to follow for now.  My understanding of 
the servlet spec is that the web.xml I have provided SHOULD engage 
authentication, even if it's only piddly-ole BASIC auth.  So I'm trying 
to grok why it fails to do that.

> I think you need to use the native websphere web service stack to do what you want.  Please correct me if I am wrong.

I would expect, however, that you can use WebSphere's *servlet* stack to 
do authentication, which is what I wanted to do in the first place.  We 
have explicitly moved away from the container-specific web service 
implementations, because we support our application on three app 
containers right now, with the possibility of others later.


-- 
Chris Rose
Developer    Planet Consulting Group
(780) 577-8433
crose@planetci.com
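
Added example (not part of the original thread, and not the web.xml attached to the post): a small Python check that applies the servlet specification's constraint-selection rule to a web.xml and reports whether a given request path and HTTP method would require authentication. The descriptor, the ws-user role and the request paths below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; the constraint names only POST.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ws-user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def rank(pattern, path):
    """Servlet-spec match strength of pattern for path; None if no match."""
    if pattern == path:
        return (3, len(pattern))                  # exact match
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))                  # longest path prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                             # extension match
    return (0, 0) if pattern == "/" else None     # default pattern

def auth_required(web_xml, path, method):
    """Roles demanded for (path, method); None means no login is required."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]            # drop the XML namespace
    hits = []                                     # (rank, methods, roles)
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            for up in wrc.findall("url-pattern"):
                r = rank(up.text.strip(), path)
                if r is not None:
                    hits.append((r, methods, roles))
    if not hits:
        return None                               # no pattern covers the path
    top = max(h[0] for h in hits)                 # best-matching pattern only
    for r, methods, roles in hits:
        if r == top and (not methods or method in methods):
            return roles                          # first applicable constraint
    return None                                   # method not constrained here
```

With this sample, a POST to /services/listServices requires the ws-user role, while a browser GET to the same path is accepted without a login because the constraint lists only POST. The check covers the descriptor alone; container-side security settings and role mappings are outside its scope.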


RE: WebSphere 6.1 security and Axis2

Posted by Tony Dean <To...@sas.com>.

First for webservices you don't want to use basic authentication... you want to use ws-security standard.  And I experienced the same frustration that you are having... how do you integrate axis2 security into the container's security sandbox... as far as I can tell you can't.  It appears that once you authenticated your web service with rampart module, you would then have to trigger the websphere security framework which would reauthenticate with these credentials and thereby produce a JAAS subject such that your business logic could use.

Otherwise, you go down the road of using basic authentication so that websphere can drive the authentication process implicitly...  this is servlet based authentication and not web service based authentication.

I think you need to use the native websphere web service stack to do what you want.  Please correct me if I am wrong.
