Reputation: 4940
Axis2 user authentication
Due to the ambition to keep the web services as stateless as possible, I've encountered a problem. I recently started to work with Axis2 and have tried to find a viable authentication solution. With authentication, I mean user/password. I am already using SSL in combination with WS-Policy to secure the procedure calls.
However, I found some of the samples bundled with Rampart 1.6.2 to be outdated, especially the policy example named "sample-tomcat" and their WSPasswordCallback handler (found here). WSPasswordCallback.USERNAME_TOKEN_UNKNOWN is deprecated in 1.6 and WSPasswordCallback.getPassword() always return null, even though a password is supplied within the UsernameToken element in the security headers of the message.
So. I'm unsure where to proceed to get a username/password check for every message. I am looking at these two options:
Writing a module with a handler that performs username/password authentication.
Giving up statelessness and writing a login-service returning tokens needed by all other services.
Are there other options?
Upvotes: 2
Views: 1491
Answers (1)
Reputation: 4940
Actually, according to WSS4J developer Colm O Heigeartaigh, it was more strange before the change to work with validator interfaces, see his first, his second and his third blog posts about the new validator design in WSS4J 1.6.
The WSPasswordCallback shouldn't handle authentication, it is thought of as bad design and against separation of concerns, and therefor they (WSS4J developers) rewrote this part of WSS4J.
However, as far as I know, Rampart dev team haven't yet implemented a way for developers to apply custom validators, nor is there a way to apply WSS4J validators such as the NoOpValidator - even though it's available in WSS4J. There is an issue registered in their (Rampart's) project JIRA (read it here), but it has a low priority and as of the moment this is being written; that issue is not included in the next minor (1.6.3) or major (1.7.0) release.
So, you will have to do either of following three things, in order of my own preference:
- Use transport layer based authentication ,I would recommend auth headers with HTTPS transport.
- Downgrade Axis2 and Rampart to 1.5.x, which is still maintained (critical bug fixes).
- Edit source of wss4j and compile a new jar.
- Write a module for Axis2 that solves this.
If there are additional solutions/workarounds, please feel free to comment/correct me.
Upvotes: 1
Related Questions
- wsdl2java with Basic Authentication (Axis 1.6.1)
- AXIS2 Java Client for a SOAP wsdl with basic authentication
- Adding User/Password to SOAPHeader for WebService client call with AXIS2
- How to add Basic authentication in Apache Axis Web Service (SOAP)?
- Axis2 working with even BASIC authentication
- How to add basic authentication to a Axis2 service?
- axis2 client NTLM authentication
- Web Service login system
- How to authenticate by user name and password in an Axis2 WebService?
- Java Web Service session management