tomee-users mailing list archives

From Jonathan Gallimore <jonathan.gallim...@gmail.com>
Subject Re: Securing a webservice
Date Sat, 28 Feb 2009 18:31:31 GMT
I spent a bit more time looking at this - and added a bit more code. I
noticed that the JAXB tree for openejb-jar.xml has some webservice security
attributes that we aren't using, but I think Geronimo is. I've added support
that does simple username/password authentication using the basic HTTP
mechanism, and an interceptor to do username/password auth using WS-Security
headers.

I've uploaded a patch to
http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
anyone's thoughts. It's pretty basic at the moment, but I think it would be
nice if this could go into OpenEJB - if others agree, I'd like to open a
JIRA and do some more work on it.

I've copied this to the dev@ list too in case anyone who might be interested
missed it, hope that's ok.

Cheers

Jon

On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> Hi Jean-Louis,
>
> Many thanks for your detailed reply and the link to the article. I'll be
> having a good look at this over the weekend. I had initially thought just
> applying basic auth was all there was to it, which is probably a bit naive
> of me!
>
> I think it would be worthwhile working out whether there's some samples
> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
> sure others would find it useful too.
>
> Cheers,
> Jon
>
>
> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
> jean-louis.monteiro@atosorigin.com> wrote:
>
>>
>> Jonathan,
>>
>> Here are some inputs.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > Obviously I think it would be great if the standalone and embedded
>> servers
>> > which use their own HTTP listener could accept credentials via basic
>> > authentication, meanwhile Tomcat could do the authentication for us
>> based
>> > on
>> > however its been configured (currently it looks like a new
>> StandardContext
>> > is created for each webservice, and there is code to setup
>> authentication,
>> > but WsService.authMethod was always null when I debugged it, causing no
>> > authentication to be applied, and I couldn't see how it could be set
>> > otherwise), and the user and role principals could be passed through
>> from
>> > Tomcat to the relevant EJB container.
>> >
>> Definitely! (nice to have ;-)).
>> Doing basic authentication (without WS-Security) seems to be possible
>> using
>> JAX-WS handlers.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > To give a bit more background on how this has come about - my colleague
>> at
>> > work has been working on some functionality as an EJB, and felt it would
>> > be
>> > nice to have it available as a webservice - and adding the @WebService
>> > annotation to the EJB seemed to be a nice idea, rather than creating a
>> > webservice as a separate class that just delegates through to the EJB as
>> > you
>> > describe -
>> >
>> I was probably not so clear.
>> It seems to me, from an architecture point of view, it's better to use web
>> services as facades. They are personal concerns you know ;-)
>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>> which delegates to other business EJB and it works fine with OpenEJB for
>> simple cases.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > and we hoped the container would handle the authentication for
>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this
>> for
>> > us,
>> > however OpenEJB doesn't at the moment - I don't actually know if this is
>> > even supposed to work (or even whether its part of any of the JEE spec -
>> > I'll have to read up!).
>> >
>> I can't help you on this topic (not read this part of the spec).
>> If you have 10 minutes, here is an interesting article
>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > I think I should probably have a look at WS-Security - I'd be very
>> > interested in a seeing a sample using OpenEJB/JAX-WS/WS-Security if
>> you're
>> > putting one together.
>> >
>>
>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>> publishes EJB as web services does not allow configuring ws-security.
>>
>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors
>> can
>> be configured using both a Spring application context or CXF annotations
>> (@InInterceptors @OutInterceptor).
>>
>> From a JAX-WS point of view we only have handlers (SOAP handlers and logical
>> handlers), so I have to spend some more time to look at whether we can manage
>> WS-Security using handlers.
>>
>> More coming soon ;-)
>>
>> Kind regards,
>> Jean-Louis
>>
>
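The two checks Jon describes (HTTP Basic credentials on the transport, and a username/password carried in a WS-Security header) can both be expressed as a single inbound JAX-WS handler, which is the mechanism Jean-Louis points at for the non-WSS4J case. The class below is an added example written for this archive page; it is not Jon's patch and not OpenEJB's or CXF's code. It assumes the handler is attached to the endpoint the usual JAX-WS way (for instance via @HandlerChain), that a hypothetical in-memory map stands in for the container realm, and it uses a constructed user `alice` / `s3cret`. The digest branch implements the WS-Security UsernameToken Profile 1.0 rule Password_Digest = Base64(SHA-1(nonce + created + password)).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Inbound-only handler: accept the request if it carries valid HTTP Basic credentials
 *  or a valid wsse:UsernameToken (PasswordText or PasswordDigest); otherwise fault. */
public class UsernamePasswordHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";

    // Constructed sample credentials; assumption standing in for a real container realm.
    private final Map<String, String> users = new HashMap<>();
    { users.put("alice", "s3cret"); }

    @Override public Set<QName> getHeaders() {
        // Claim wsse:Security so a mustUnderstand="1" on it is not rejected before we run.
        return Collections.singleton(new QName(WSSE, "Security"));
    }

    @Override public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true;
        try {
            if (checkBasic(ctx) || checkUsernameToken(ctx.getMessage())) return true;
        } catch (Exception ignored) {
            // bad Base64, malformed XML or SAAJ failure: treated as a failed login below
        }
        throw fault("Authentication failed");   // SOAPFaultException is a ProtocolException, so it stops dispatch
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }

    /** HTTP Basic: "Authorization: Basic base64(user:password)". */
    @SuppressWarnings("unchecked")
    private boolean checkBasic(SOAPMessageContext ctx) {
        Map<String, List<String>> http = (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (http == null) return false;
        for (Map.Entry<String, List<String>> e : http.entrySet()) {
            if (!"Authorization".equalsIgnoreCase(e.getKey())) continue;
            for (String v : e.getValue()) {
                if (!v.regionMatches(true, 0, "Basic ", 0, 6)) continue;
                String decoded = new String(Base64.getDecoder().decode(v.substring(6).trim()), StandardCharsets.UTF_8);
                int colon = decoded.indexOf(':');   // split on the FIRST colon; passwords may contain colons
                return colon > 0 && verify(decoded.substring(0, colon), decoded.substring(colon + 1));
            }
        }
        return false;
    }

    /** WS-Security UsernameToken with wsse:Password of type PasswordText or PasswordDigest. */
    private boolean checkUsernameToken(SOAPMessage msg) throws Exception {
        SOAPHeader header = msg.getSOAPHeader();
        if (header == null) return false;
        NodeList tokens = header.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return false;  // refuse zero or several tokens rather than guess which one counts
        Element token = (Element) tokens.item(0);
        Element password = child(token, WSSE, "Password");
        String user = text(token, WSSE, "Username");
        if (user == null || password == null) return false;
        if (!DIGEST.equals(password.getAttribute("Type"))) {
            return verify(user, password.getTextContent());   // PasswordText, or no Type attribute at all
        }
        String expected = users.get(user);
        String nonce = text(token, WSSE, "Nonce");
        String created = text(token, WSU, "Created");
        if (expected == null || nonce == null || created == null) return false;
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonce));           // raw nonce bytes, not the Base64 text
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(expected.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(sha1.digest(), Base64.getDecoder().decode(password.getTextContent().trim()));
    }

    private boolean verify(String user, String password) {
        String expected = users.get(user);
        // MessageDigest.isEqual does not stop at the first differing byte, unlike String.equals.
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }

    private static Element child(Element parent, String ns, String local) {
        NodeList nl = parent.getElementsByTagNameNS(ns, local);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }

    private static String text(Element parent, String ns, String local) {
        Element e = child(parent, ns, local);
        return e == null ? null : e.getTextContent().trim();
    }

    private static SOAPFaultException fault(String reason) {
        try {
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(
                    reason, new QName(SOAPConstants.URI_NS_SOAP_1_1_ENVELOPE, "Client")));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
```

Two things this deliberately leaves out, which a production interceptor such as WSS4J's handles for you: the PasswordDigest branch accepts any nonce and any Created value, so a captured token can be replayed until the password changes (a real check keeps a nonce cache and rejects Created timestamps outside a short window), and the Basic and PasswordText branches send the password itself, so they are only acceptable over TLS. The handler also only answers "authenticated or not"; propagating the resulting principal and roles into the EJB container, which Jon raises in the thread, is a separate piece of work.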
