5 Replies Latest reply on Mar 17, 2005 12:02 AM by jason.greene

WS security and non-java clients

singular_droid Mar 11, 2005 4:01 AM

Hi all!
I'm trying to secure my WS with JAAS. The problem is that my WS is accessed both by java and non-java clients. Java clients are succesfully authenticated with JAAS, but I don't know the simple way to tell my non-java client to authenticate with JAAS.
First, the only one thing is needed(as I think) is to include into the SOAP-message header like this one:

 <soapenv:Header>
 <jbws:username actor="http://webservice.jboss.com/ws4ee/login" xmlns:jbws="http://webservice.jboss.com/ws4ee">scott</jbws:username>
 <jbws:password actor="http://webservice.jboss.com/ws4ee/login" xmlns:jbws="http://webservice.jboss.com/ws4ee">tiger</jbws:password>
 </soapenv:Header>

As I understand this header is implicitly included into client's SOAP message wich was sent to WS. But there is the explicit way to tell all clients to include such header into message - add lines like this(bold) in WSDL file of my WS:

...
<wsdl:operation name="helloName">
<wsdlsoap:operation soapAction=""/>
 <wsdl:input name="helloNameRequest">
<wsdlsoap:header message="lalala"
 part="request_header_lalala" use="literal"/>
<wsdlsoap:body namespace="http://interfaces.zenith.ru" use="literal"/>
</wsdl:input>
...

Is my "manually" constructed auth header enough to put server-side JAAS auth to work with non-java clients or not?(maybe it sounds stupid but... I hope yes :))

1. Re: WS security and non-java clients

jason.greene Mar 13, 2005 12:03 PM (in response to singular_droid)

For better portability take a like at using HTTP basic auth. Take a look at the wiki for how:

http://www.jboss.org/wiki/Wiki.jsp?page=WSSecureEndpoint

-Jason
Actions
2. Re: WS security and non-java clients

singular_droid Mar 14, 2005 4:52 AM (in response to singular_droid)

Mmmmmm
Basic auth is good but it doesn't work when i have a number of proxy between my ws and client.
Cause the authentication information in this situation is added to the http header, which can be modified by proxies, while the soap part of message is always unchanged.
Actions
3. Re: WS security and non-java clients

jason.greene Mar 15, 2005 4:40 PM (in response to singular_droid)

Then yes, if you can replicate the headers with your non-java client it will work.

-Jason
Actions
4. Re: WS security and non-java clients

singular_droid Mar 16, 2005 8:59 AM (in response to singular_droid)

Thanks a lot. And there is no way to include info about auth-header into wsdl of ws in deploy-time?
Actions
5. Re: WS security and non-java clients

jason.greene Mar 17, 2005 12:02 AM (in response to singular_droid)

You could define a soap:header element in your wsdl but you would have to define a schema element type that replicated the jbws tags exactly (including the soap:actor attribute). However, the problem you are going to have is how you actually bind to those parameters in whatever non-java client you are using. Another route to take, if your non-java client api supports this, is to write a handler that modifies the message to include the appropriate tags.

-Jason
Actions

Go to original post