1 Reply Latest reply on Apr 22, 2007 9:54 PM by sim-smith

    JAAS integration w/ 3rd party webservice stack

    saspad

      Hi,
      I am using Axis2/rampart webservice/security stack. The rampart module of Axis2 will perform WS-Security logistics. However, it knows nothing about how to integrate with the container's security infrastructure. Therefore, if rampart presents me with a userid/password from processing webservice security headers, I would like to be able to hand it over to the JBoss security infrastructure and let it perform JAAS authentication with the configured security domain. It looks as easy as doing the following:

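      import java.security.Principal;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.security.auth.Subject;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.SubjectSecurityManager;

      // JNDI lookup of the security manager under the component's environment
      InitialContext iniCtx = new InitialContext();
      Context securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
      SubjectSecurityManager securityMgr = (SubjectSecurityManager)
          securityCtx.lookup("securityMgr");

      // Validate the username/credentials pair against the security domain
      Principal principal = new SimplePrincipal(username);
      Subject subject = new Subject();
      if (securityMgr.isValid(principal, credentials, subject)) {
          // success
      }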

      Is that all there is? If success then I should be able to use the JAAS subject that will have been populated by the configured loginModules.

      I need to investigate JBoss's own webservice stack, JBossWS. Any comparison between JBossWS and Axis2 would be appreciated. Anyway, I'm guessing JBossWS would need to perform similar actions for WS-Security integration into the JBoss JAAS framework. Is this what they do? Can someone point me to the integration code? I want to do something portably.

      Thank you for any insight.
      -Tony

        • 1. Re: JAAS integration w/ 3rd party webservice stack
          sim-smith

          Hi saspad,

          I think that the answer is in fact even easier, using standard JAAS:

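          import javax.security.auth.login.LoginContext;
          import org.jboss.security.auth.callback.UsernamePasswordHandler;

          // JAAS_MODULE_NAME: name of the login configuration entry to use
          LoginContext loginContext = new LoginContext(JAAS_MODULE_NAME,
              new UsernamePasswordHandler(username, passwordCharArray));
          loginContext.login();   // throws LoginException if authentication fails
          try {
              // Do stuff here...
          } finally {
              loginContext.logout();
          }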

          The UsernamePasswordHandler is a simple JBoss class in org.jboss.security.auth.callback, and LoginContext is in javax.security.auth.login.

          This will use the standard JBoss authentication stuff including your configured LoginModules.

          Cheers,

          Mark