I would like to create a JBossWS webservice with a very specific authentication scheme:
it's like securing a webservice like a website with form authentication. We want a
login(...) webmethod (or several of them). When a client calls it and the authentication
succeeds, we store that information (username, roles) in the session. All other webmethods
would be declaratively secured like with @RolesAllowed. I haven't implemented anything
yet, I'm only planning now.
I believe that in the endpoint class, I can get a @Resource WebServiceContext, and after
that, in the login(...) method I can get the MessageContext, and then the
HttpServletRequest, and then the HttpSession. This login(...) method is unsecured, so
anyone can call it; we log them in and the client automatically receives a session cookie.
What I don't know how to do is this: I want JBoss to ask me before every webservice
method invocation who the currently logged in user/Principal is and what roles they have.
In this callback I would look at the session and return to JBoss the information that the
login method stores in the session. So if I wanted to call
WebServiceContext.getUserPrincipal, the principal would appear there, somehow magically,
because there's no setUserPrincipal. And I believe that once a Principal is associated
to the current request (or maybe the session, automatically), the @RolesAllowed annotation
would work as expected.
Is there any extension point that lets me do this? So far I've only come up with some
poor workarounds. I think I could create a GenericSOAPHandler, it knows what I want: it
does execute before every request and it does have access to the session in the function
handleInbound(MessageContext msgContext). I could throw an exception from there if the
session is empty, but that's far from role-based security. Or, naturally, I have
access to the session in all of the webmethods, so I could call an isInRole function at
the start of every method, but that's much worse than doing the same thing
declaratively.
I have no doubt that associating a principal+roles with a session is the only viable way
for me. So is it possible? Please don't suggest WS-Security or basic authentication or
things like that, requirements say we can't use that, it has to be with
sessions+cookies (we're porting the server from .NET, yay, but the clients will have
to stay the same).
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4249952#...
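As an added illustration (not code from the original post, and not a JBossWS extension point), here is the poster's own fallback, the session check in a SOAP handler, taken one step further so that it is role-based per operation rather than a bare "session is empty" check. It uses only the standard JAX-WS, Servlet and JSR-250 APIs. The class names, the "AUTH" session attribute, the operation-to-role table, the handlers.xml descriptor and the single hard-coded account are assumptions made for the example; the two public classes are shown in one listing and would live in separate source files.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.jws.HandlerChain;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.xml.namespace.QName;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/** What login() stores in the session (an assumed shape): the user and its roles. */
final class SessionAuth implements Serializable {
    static final String KEY = "AUTH"; // session attribute name, an assumption
    final String username;
    final Set<String> roles;
    SessionAuth(String username, Set<String> roles) {
        this.username = username;
        this.roles = Collections.unmodifiableSet(roles);
    }
}

/** Endpoint: login() is open; every other operation is gated by SessionRoleHandler. */
@WebService
@HandlerChain(file = "handlers.xml") // chain descriptor naming SessionRoleHandler (not shown)
public class OrdersEndpoint {
    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public boolean login(String username, String password) {
        Set<String> roles = checkCredentials(username, password); // null when rejected
        if (roles == null) {
            return false;
        }
        HttpServletRequest req = (HttpServletRequest)
            wsContext.getMessageContext().get(MessageContext.SERVLET_REQUEST);
        // Session fixation defence: drop any session the client arrived with and
        // bind the principal to a fresh one; the new cookie goes out with the reply.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(SessionAuth.KEY, new SessionAuth(username, roles));
        return true;
    }

    @WebMethod
    public String placeOrder(String item) {
        return "ordered " + item; // only reached if the handler let the call through
    }

    /** Constructed stand-in for a real user store: one account holding one role. */
    private Set<String> checkCredentials(String username, String password) {
        if ("alice".equals(username) && "s3cret".equals(password)) {
            return Collections.singleton("customer");
        }
        return null;
    }
}

/** Inbound handler: open operations pass; everything else needs a role from the session. */
public class SessionRoleHandler implements SOAPHandler<SOAPMessageContext> {
    private static final Set<String> OPEN = Collections.singleton("login");
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static { REQUIRED_ROLE.put("placeOrder", "customer"); }

    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // responses are not checked
        }
        // Assumes the JAX-WS stack populates WSDL_OPERATION before handlers run;
        // if it does not, the operation name has to be read from the SOAP body instead.
        QName opName = (QName) ctx.get(MessageContext.WSDL_OPERATION);
        String op = opName == null ? null : opName.getLocalPart();
        if (op != null && OPEN.contains(op)) {
            return true;
        }
        String required = op == null ? null : REQUIRED_ROLE.get(op);
        HttpServletRequest req = (HttpServletRequest) ctx.get(MessageContext.SERVLET_REQUEST);
        HttpSession session = req.getSession(false); // never create a session here
        SessionAuth auth = session == null ? null : (SessionAuth) session.getAttribute(SessionAuth.KEY);
        // Unknown operation, no configured role, no session or wrong role: all fail closed.
        if (required == null || auth == null || !auth.roles.contains(required)) {
            throw new WebServiceException("access denied to operation " + op);
        }
        return true;
    }

    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    public void close(MessageContext ctx) { }
    public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```

Because nothing here authenticates through the container, WebServiceContext.getUserPrincipal() still returns null and @RolesAllowed stays inert under this scheme; the handler's table is the only role check. Two details matter for that to be safe: the handler never creates a session (getSession(false)), so an unauthenticated caller cannot manufacture one, and login() invalidates the incoming session before creating the new one, so a session id planted before authentication is not the one that ends up holding the principal.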