Posted to java-dev@axis.apache.org by Dirk-Willem van Gulik <di...@covalent.net> on 2001/07/31 18:30:26 UTC
RE: cvs commit: xml-axis/java/src/org/apache/axis/security AuthenticatedUser.java SecurityProvider.java
This is a very nice patch. I think eventually we need to go a lot more
fine grained. Let me check with the home office to see if I can grab this
ball for a bit. Esp. when it comes to web security.
Dw
On Tue, 31 Jul 2001, Doug Davis wrote:
> Definitely - service level (or even finer - method level) would be the
> way to go. Are there any Web security experts among us?
> -Dug
>
>
> Glen Daniels <gd...@macromedia.com> on 07/31/2001 11:14:41 AM
>
> Please respond to axis-dev@xml.apache.org
>
> To: "'axis-dev@xml.apache.org'" <ax...@xml.apache.org>
> cc:
> Subject: RE: cvs commit: xml-axis/java/src/org/apache/axis/security AuthenticatedUser.java SecurityProvider.java
>
>
>
>
> +1
>
> I just checked these in as a strawman. I wasn't planning to implement
> anything based on these until a) post-alpha, and b) some discussion had
> occurred.
>
> I agree that integrating with built-in security is the way to go where
> possible. There are some interesting questions about how security domains
> are mapped to resources, i.e. whether we want to lock security to the
> servlet level, say, and then have one servlet per service.... I think we
> probably want some kind of generic system to handle per-web-service (or even
> per-method) security even when the transport (i.e. SMTP) and the backend
> (simple java class) don't support it.
>
> I'll pull these interfaces until further discussion ensues. Let's focus on
> getting the alpha out.
>
> --G
>
> > -----Original Message-----
> > From: Doug Davis [mailto:dug@us.ibm.com]
> > Sent: Tuesday, July 31, 2001 10:35 AM
> > To: axis-dev@xml.apache.org
> > Subject: Re: cvs commit: xml-axis/java/src/org/apache/axis/security
> > AuthenticatedUser.java SecurityProvider.java
> >
> >
> > I think this might warrant some kind of design discussion
> > (on the mailing list) before we go too far. When people think
> > about Web resources (servlets, JSPs...) each one does not
> > define its own way of doing security/authentication. They tend
> > to use the built-in functions of the Application Server they
> > are running in (either directly or implicitly thru configuration).
> > Perhaps it would make more sense to look at Web services in the
> > same way and see if we could leverage the same mechanisms that
> > are already used/tested/proven. Maybe a more knowledgeable J2EE
> > person could give some input on this?
> > -Dug
> >
> >
> > gdaniels@apache.org on 07/31/2001 08:39:06 AM
> >
> > Please respond to axis-dev@xml.apache.org
> >
> > To: xml-axis-cvs@apache.org
> > cc:
> > Subject: cvs commit: xml-axis/java/src/org/apache/axis/security
> > AuthenticatedUser.java SecurityProvider.java
> >
> >
> >
> > gdaniels 01/07/31 05:39:06
> >
> > Added: java/src/org/apache/axis/security
> > AuthenticatedUser.java
> > SecurityProvider.java
> > Log:
> > Check in first versions of security interfaces - no
> > implementations yet.
> >
> > Revision Changes Path
> > 1.1
> > xml-axis/java/src/org/apache/axis/security/AuthenticatedUser.java
> >
> > Index: AuthenticatedUser.java
> > ===================================================================
> > /*
> > * The Apache Software License, Version 1.1
> > *
> > *
> > * Copyright (c) 2001 The Apache Software Foundation. All rights
> > * reserved.
> > *
> > * Redistribution and use in source and binary forms, with
> > or without
> > * modification, are permitted provided that the following
> > conditions
> > * are met:
> > *
> > * 1. Redistributions of source code must retain the above copyright
> > * notice, this list of conditions and the following disclaimer.
> > *
> > * 2. Redistributions in binary form must reproduce the
> > above copyright
> > * notice, this list of conditions and the following
> > disclaimer in
> > * the documentation and/or other materials provided with the
> > * distribution.
> > *
> > * 3. The end-user documentation included with the redistribution,
> > * if any, must include the following acknowledgment:
> > * "This product includes software developed by the
> > * Apache Software Foundation (http://www.apache.org/)."
> > * Alternately, this acknowledgment may appear in the
> > software itself,
> > * if and wherever such third-party acknowledgments
> > normally appear.
> > *
> > * 4. The names "Axis" and "Apache Software Foundation" must
> > * not be used to endorse or promote products derived from this
> > * software without prior written permission. For written
> > * permission, please contact apache@apache.org.
> > *
> > * 5. Products derived from this software may not be called
> > "Apache",
> > * nor may "Apache" appear in their name, without prior written
> > * permission of the Apache Software Foundation.
> > *
> > * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
> > * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> > * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> > * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
> > * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> > * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> > * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
> > * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
> > CAUSED AND
> > * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> > LIABILITY,
> > * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
> > ANY WAY OUT
> > * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> > POSSIBILITY OF
> > * SUCH DAMAGE.
> > *
> > ====================================================================
> > *
> > * This software consists of voluntary contributions made by many
> > * individuals on behalf of the Apache Software Foundation.
> > For more
> > * information on the Apache Software Foundation, please see
> > * <http://www.apache.org/>.
> > */
> >
> > package org.apache.axis.security;
> >
> > /** A small (mostly marker) interface for wrapping provider-specific
> > * user classes.
> > *
> > * @author Glen Daniels (gdaniels@macromedia.com)
> > */
> > public interface AuthenticatedUser
> > {
> > /** Return a string representation of the user's name.
> > *
> > * @return the user's name as a String.
> > */
> > public String getName();
> > }
> >
> >
> >
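Review bot: The Javadoc on getName() in AuthenticatedUser does not state the contract of the returned name: whether it is unique within a provider, whether it carries a realm or domain qualifier, and whether it may be null. SecurityProvider.userMatches() decides access by comparing a user against a principal name, so this string is effectively the identity used for authorization and its format should be pinned down in the @return text. Minor style point: the "public" modifier on a method declared in an interface is redundant.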
> > 1.1
> > xml-axis/java/src/org/apache/axis/security/SecurityProvider.java
> >
> > Index: SecurityProvider.java
> > ===================================================================
> > /*
> > * The Apache Software License, Version 1.1
> > *
> > *
> > * Copyright (c) 2001 The Apache Software Foundation. All rights
> > * reserved.
> > *
> > * Redistribution and use in source and binary forms, with
> > or without
> > * modification, are permitted provided that the following
> > conditions
> > * are met:
> > *
> > * 1. Redistributions of source code must retain the above copyright
> > * notice, this list of conditions and the following disclaimer.
> > *
> > * 2. Redistributions in binary form must reproduce the
> > above copyright
> > * notice, this list of conditions and the following
> > disclaimer in
> > * the documentation and/or other materials provided with the
> > * distribution.
> > *
> > * 3. The end-user documentation included with the redistribution,
> > * if any, must include the following acknowledgment:
> > * "This product includes software developed by the
> > * Apache Software Foundation (http://www.apache.org/)."
> > * Alternately, this acknowledgment may appear in the
> > software itself,
> > * if and wherever such third-party acknowledgments
> > normally appear.
> > *
> > * 4. The names "Axis" and "Apache Software Foundation" must
> > * not be used to endorse or promote products derived from this
> > * software without prior written permission. For written
> > * permission, please contact apache@apache.org.
> > *
> > * 5. Products derived from this software may not be called
> > "Apache",
> > * nor may "Apache" appear in their name, without prior written
> > * permission of the Apache Software Foundation.
> > *
> > * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
> > * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> > * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> > * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
> > * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> > * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> > * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
> > * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
> > CAUSED AND
> > * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> > LIABILITY,
> > * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
> > ANY WAY OUT
> > * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> > POSSIBILITY OF
> > * SUCH DAMAGE.
> > *
> > ====================================================================
> > *
> > * This software consists of voluntary contributions made by many
> > * individuals on behalf of the Apache Software Foundation.
> > For more
> > * information on the Apache Software Foundation, please see
> > * <http://www.apache.org/>.
> > */
> >
> > package org.apache.axis.security;
> >
> > /** The Axis security provider interface
> > *
> > * As Axis is designed for use in embedded environments, those
> > * environments will often contain their own security databases and
> > * potentially authentication managers. This interface allows Axis
> > * to obtain authentication information from an opaque source which
> > * will presumably be configured into the engine at startup time.
> > *
> > * @author Glen Daniels (gdaniels@macromedia.com)
> > */
> > public interface SecurityProvider
> > {
> > /** Authenticate a user from a username/password pair.
> > *
> > * @param username the user name to check
> > * @param password the password to check
> > * @return an AuthenticatedUser or null
> > *
> > * NOTE: Since the classes implementing this are going
> > to need to
> > * be Axis-aware anyway, we might just pass the MessageContext
> > * here instead, and let the provider authenticate
> > against whatever
> > * it wants...?
> > */
> > public AuthenticatedUser authenticate(String username, String
> > password);
> >
> > /** See if a user matches a principal name. The name
> > might be a user
> > * or a group.
> > *
> > * @return true if the user matches the passed name
> > */
> > public boolean userMatches(AuthenticatedUser user,
> > String principal);
> > }
> >
> >
> >
> >
> >
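Review bot: userMatches() in SecurityProvider has no @param tags and does not say what it returns for a null user, which is exactly what authenticate() hands back on failure ("@return an AuthenticatedUser or null"). The contract should state that a null user never matches any principal, so a caller that forgets the null check fails closed instead of throwing or matching. The comment "The name might be a user or a group" also leaves open what happens when a user and a group share a name; that should be specified or the two namespaces separated. On authenticate(String username, String password), the fixed username/password signature excludes other credential types, as the NOTE about passing the MessageContext already hints, and a String password cannot be cleared after use; a char[] or a credentials object would address both.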
>
>
>
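The per-service and per-method checks discussed in this thread can be enforced above the transport using only the two interfaces from the commit. The following is an added example, not code from the Axis project: DemoProvider, the ACL map, allow/permits, the StockQuote service and all credentials are hypothetical and constructed for illustration.

```java
import java.util.*;
public class PerMethodAcl {
    // Local copies of the two interfaces from the commit, so this compiles on its own.
    interface AuthenticatedUser { String getName(); }
    interface SecurityProvider {
        AuthenticatedUser authenticate(String username, String password);
        boolean userMatches(AuthenticatedUser user, String principal);
    }
    // Hypothetical in-memory provider; a real one would delegate to the container's realm.
    static class DemoProvider implements SecurityProvider {
        final Map<String, String> passwords = new HashMap<>();   // constructed, plaintext: demo only
        final Map<String, Set<String>> groups = new HashMap<>(); // user -> groups
        void addUser(String name, String password, String... memberOf) {
            passwords.put(name, password);
            groups.put(name, new HashSet<>(Arrays.asList(memberOf)));
        }
        public AuthenticatedUser authenticate(String username, String password) {
            String stored = passwords.get(username);
            if (stored == null || !stored.equals(password)) return null;
            return () -> username;
        }
        public boolean userMatches(AuthenticatedUser user, String principal) {
            if (user == null || principal == null) return false; // failed login matches nothing
            Set<String> g = groups.getOrDefault(user.getName(), Collections.emptySet());
            return principal.equals(user.getName()) || g.contains(principal);
        }
    }
    // Transport-independent ACL (hypothetical): "service#method" -> allowed principals.
    static final Map<String, Set<String>> ACL = new HashMap<>();
    static void allow(String key, String principal) { ACL.computeIfAbsent(key, k -> new HashSet<>()).add(principal); }
    static boolean permits(SecurityProvider sp, AuthenticatedUser u, String service, String method) {
        Set<String> principals = ACL.get(service + "#" + method);
        if (principals == null) return false; // deny by default: unlisted methods stay closed
        for (String p : principals) if (sp.userMatches(u, p)) return true;
        return false;
    }
    public static void main(String[] args) {
        DemoProvider sp = new DemoProvider();
        sp.addUser("alice", "constructed-pw-1", "admins");
        sp.addUser("bob", "constructed-pw-2");
        allow("StockQuote#getQuote", "bob");     // granted to a user name
        allow("StockQuote#setQuote", "admins");  // granted to a group name
        AuthenticatedUser[] who = { sp.authenticate("alice", "constructed-pw-1"),
            sp.authenticate("bob", "constructed-pw-2"), sp.authenticate("bob", "wrong") };
        for (String m : new String[] {"getQuote", "setQuote", "reset"})
            for (AuthenticatedUser u : who)
                System.out.println(m + " " + (u == null ? "(failed login)" : u.getName())
                    + " -> " + permits(sp, u, "StockQuote", m));
    }
}
```

Because userMatches() takes a single principal string for both users and groups, a user registered under the name "admins" would match the group grant here; a real provider needs separate namespaces or a typed principal.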