3 Replies Latest reply on Oct 31, 2008 4:49 AM by yousuf.raza

    Propagate security context to second webservice call

    yousuf.raza

      I have configured a sample prototype application that deploys a WebService (EJB endpoint) to JBoss 4.3 which is secured against my security domain using WS-Security (using UserNameToken.)

      If the client provides the correct credentials the principal is set correctly.

      My question is if I want to make a second WebService call from the first one is there a way I can propagate the security context without having to provide some credential information like this:

      ((BindingProvider)webserviceApi).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, WebServiceConstants.USERNAME);

      ((BindingProvider)webserviceApi).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, WebServiceConstants.PASSWORD);


      Basically what I have in mind is something where the subsequent webservice call automatically adds the required ws-security header fields in the next request.

      For eg. This would be similar to the case where if I were to make a call on a EJB from the webservice that was protected against the same security domain the container would handle the propagation of the security context.

      Here is the flow I am talking about if I wasn't clear enough:

      Client --> 1st Webservice --> 2nd Webservice


      There is some documentation about doing this if using acegi security(spring security) but I was wondering if Jbossws does this somehow.