Can a service support both Basic Auth and Rampart Auth?

[Sanjay Vivek <Sa...@newcastle.ac.uk>]

Hi everyone,

Is it possible to deploy a service that uses either Basic Auth or
Rampart Auth? Basically the service has to figure out if the client that
invokes it is based on Basic Auth or Rampart Auth. I haven't delved too
deeply into this yet but I envisage this being done by getting at the
HttpServletRequest object that carries the SOAP request (in the case of
Basic Auth) and WSHandlerConstants.RECV_RESULTS (in the case of Rampart
Auth). I have a couple of questions regarding this scenario.

Firstly, is it possible to configure a policy based Rampart service to
only perform authentication if the client is Rampart enabled? I suppose
this would be defined in the services.xml file. So if the client isn't
Rampart enabled, the service will accept the client anyway. I realise
this isn't very secure but I'm hoping the clients that aren't Rampart
enabled can be authenticated using Basic Auth instead. 

My second question is regarding Basic Auth. Setting up Basic Auth for a
service required editing the Axis2 web.xml file for incoming Web Service
calls in the following manner:

       <security-constraint>
		<web-resource-collection>
			<url-pattern>/services</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>user</role-name>
		</auth-constraint>
	</security-constraint>

	<login-config>
		<auth-method>BASIC</auth-method>
	</login-config>

	<security-role>
		<role-name>webservice</role-name>
	</security-role>

However, this configuration is totally different to a policy based
Rampart configuration. So I'm not sure how both setups will work. So
basically my question is whether its possible to have a service that
supports both Basic Auth and Rampart Auth? Any insight or pointers will
be very helpful. Cheers.

Regards
--------------
Sanjay Vivek
Web Analyst
Middleware Team
ISS
University of Newcastle Upon Tyne