2 Replies Latest reply on Aug 17, 2009 10:47 AM by fejesjoco

    webservive form-like authentication

      I would like to create a JBossWS webservice with a very specific authentication scheme, it's like securing a webservice like a website with form authentication. We want a login(...) webmethod (or several of them). When a client calls it and the authentication succeeds, we store that information (username, roles) in the session. All other webmethods would be declaratively secured like with @RolesAllowed. I haven't implemented anything yet, I'm only planning now.

      I believe that in the endpoint class, I can get a @Resource WebServiceContext, and after that, in the login(...) method I can get the MessageContext, and then the HttpServletRequest, and then the HttpSession. This login(...) method is unsecured, so anyone can call it, we log them in and the client automatically receive a session cookie.

      What I don't know how to do is this: I want JBoss to ask me before every webservice method invocation who the currently logged in user/Principal is and what roles they have. In this callback I would look at the session and return to JBoss the information that the login method stores in the session. So if I wanted to call WebServiceContext.getUserPrincipal, the principal would appear there, somehow magically, because there's no setUserPrincipal. And I believe that once a Principal is associated to the current request (or maybe the session, automatically), the @RolesAllowed annotation would work as expected.

      Is there any extension point that lets me do this? So far I've only come up with some poor workarounds. I think I could create a GenericSOAPHandler, it knows what I want: it does execute before every request and it does have access to the session in the function handleInbound(MessageContext msgContext). I could throw an exception from there if the session is empty, but that's far from role-based security. Or, naturally, I have access to the session in all of the webmethods, so I could call an isInRole function at the start of every method, but that's much worse than doing the same thing declaratively.

      I have no doubt that associating a principal+roles with a session is the only viable way for me. So is it possible? Please don't suggest WS-Security or basic authentication or things like that, requirements say we can't use that, it has to be with sessions+cookies (we're porting the server from .NET, yay, but the clients will have to stay the same).

        • 1. Re: webservive form-like authentication

          One more thing, the application server is running JBoss 4.2.3 and JBossWS 3.0.5, although if there's no other way, I might be able to convince management to upgrade.

          • 2. Re: webservive form-like authentication

            Alternatively, if I can't get JBoss to ask me who the currently logged in user is, can I explicitly tell it, like in a GenericSOAPHandler, xxx.yyy.setPrincipal()? Or where can I find information about a requests processing order? For example it would be good to know if session state is established BEFORE checking the @RolesAllowed declarative security.