[jbossws-dev] [Design of JBoss Web Services] - UsernameToken authentication and authorization for POJO endp
darran.lofthouse@jboss.com
do-not-reply at jboss.com
Fri Apr 25 09:16:48 EDT 2008
I am thinking about having a look at this issue and just wanted to bring up some ideas here. The reason I am looking at this is because, although there is a solution based on using EJB endpoints, there is still a consistent demand for this capability for POJO endpoints.
We currently have the following unscheduled issue: -
http://jira.jboss.org/jira/browse/JBWS-1999
I have seen the contributed code but this does not integrate with our current WS-Security handlers so I am proposing a more integrated solution.
My idea would be to re-open the following issue to allow the UsernameToken to be set as a requirement on the incoming message: -
http://jira.jboss.org/jira/browse/JBWS-1136
The configuration should have an attribute 'authenticate=true'; if set, we can make use of the programmatic web authentication available from JBoss 4.2.0.GA: -
http://wiki.jboss.org/wiki/WebAuthentication
In addition to this, the configuration could then contain a set of the allowed roles to call the endpoint and, if this is set, after the authentication we could use isCallerInRole to verify whether the user is in an allowed role.
The use of the WebAuthentication above does mean that we can mainly use the standard servlet APIs after the authentication, and this change would be achieved with a small amount of additional configuration; as we have authenticated, this will still be propagated to the calls to any subsequent EJBs.
I will need to consider the implications of this if a user enables it for an EJB endpoint, as it does depend on the web app having a security domain, but the primary purpose of this change is for POJO endpoints and not EJB endpoints.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4146806#4146806
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4146806
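The following JAX-WS handler sketch is an added illustration of the flow proposed in the post above; it is not code from the post or from JBossWS. It assumes a stand-alone handler configured through its constructor in place of the proposed 'authenticate=true' attribute and allowed-roles list, reads only the clear-text (PasswordText) form of the wsse:UsernameToken, relies on WebAuthentication exposing login(username, password) and logout() as described on the linked wiki page, and performs the role check through the servlet API's HttpServletRequest.isUserInRole rather than the EJB isCallerInRole named in the post. Unlike the proposal, it does not integrate with the existing WS-Security handlers.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;
import org.jboss.web.tomcat.security.login.WebAuthentication;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical handler (not JBossWS code): requires a UsernameToken on inbound messages,
// authenticates it with the programmatic WebAuthentication API from JBoss 4.2.0.GA and
// then checks the caller's roles through the standard servlet API.
public class UsernameTokenAuthHandler implements SOAPHandler<SOAPMessageContext> {

    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Stands in for the proposed 'authenticate=true' attribute and allowed-roles list.
    private final boolean authenticate;
    private final Set<String> allowedRoles;

    public UsernameTokenAuthHandler(boolean authenticate, String... allowedRoles) {
        this.authenticate = authenticate;
        this.allowedRoles = new HashSet<String>(Arrays.asList(allowedRoles));
    }

    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outbound) {
            return true; // nothing to enforce on responses
        }
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            String[] creds = usernameToken(header); // {username, password} or null
            if (creds == null) {
                throw fault("A wsse:UsernameToken is required");
            }
            if (authenticate) {
                // Programmatic web login: establishes the principal for this request, so
                // the servlet API and any subsequent EJB calls see the authenticated caller.
                if (!new WebAuthentication().login(creds[0], creds[1])) {
                    throw fault("Authentication failed");
                }
                HttpServletRequest req =
                    (HttpServletRequest) ctx.get(MessageContext.SERVLET_REQUEST);
                if (!allowedRoles.isEmpty() && !inAllowedRole(req)) {
                    throw fault("Caller is not in an allowed role");
                }
            }
            return true;
        } catch (SOAPException e) {
            throw fault("Malformed security header");
        }
    }

    // Extracts Username and Password from the first wsse:UsernameToken; null if absent.
    // Only the plain PasswordText form is handled, as login() needs the clear-text password.
    private static String[] usernameToken(SOAPHeader header) {
        if (header == null) {
            return null;
        }
        NodeList tokens = header.getElementsByTagNameNS(WSSE_NS, "UsernameToken");
        if (tokens.getLength() == 0) {
            return null;
        }
        Element token = (Element) tokens.item(0);
        String user = childText(token, "Username");
        String pass = childText(token, "Password");
        return (user == null || pass == null) ? null : new String[] { user, pass };
    }

    private static String childText(Element parent, String localName) {
        NodeList list = parent.getElementsByTagNameNS(WSSE_NS, localName);
        return list.getLength() == 0 ? null : list.item(0).getTextContent();
    }

    private boolean inAllowedRole(HttpServletRequest req) {
        for (String role : allowedRoles) {
            if (req.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    // Builds a SOAP 1.1 Client fault so the caller gets a fault instead of a stack trace.
    private static SOAPFaultException fault(String reason) {
        try {
            SOAPFactory factory = SOAPFactory.newInstance();
            return new SOAPFaultException(factory.createFault(reason,
                new QName(SOAPConstants.URI_NS_SOAP_ENVELOPE, "Client")));
        } catch (SOAPException e) {
            throw new RuntimeException(e);
        }
    }

    public boolean handleFault(SOAPMessageContext ctx) {
        return true;
    }

    public void close(MessageContext ctx) {
        // Drop the programmatic login once the exchange is over so the identity does not
        // leak into later requests handled on the same session or thread.
        if (authenticate) {
            new WebAuthentication().logout();
        }
    }

    public Set<QName> getHeaders() {
        // Declare the wsse:Security header as understood so mustUnderstand="1" is honoured.
        return Collections.singleton(new QName(WSSE_NS, "Security"));
    }
}
```

Two points a practitioner would check before relying on this pattern: the login above needs the endpoint's web application to be bound to a security domain (the dependency the post raises for EJB endpoints), and a UsernameToken carrying a PasswordDigest cannot be passed to login(username, password) unless the backing login module is written to validate digests.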