I am thinking about having a look at this issue and just
wanted to bring up some ideas here. The reason I am looking
at this is because although there is a solution based on
using EJB endpoints there is still a consistent demand for
this capability for POJO endpoints.
We currently have the following unscheduled issue: -
http://jira.jboss.org/jira/browse/JBWS-1999
I have seen the contributed code but this does not integrate
with our current WS-Security handlers so I am proposing a
more integrated solution.
My idea would be to re-open the following issue to allow the
UsernameToken to be set as a requirement on the incoming
message: -
http://jira.jboss.org/jira/browse/JBWS-1136
The configuration should have an attribute
'authenticate=true'; if set, we can make use of the
programmatic web authentication available from JBoss
4.2.0.GA: -
http://wiki.jboss.org/wiki/WebAuthentication
In addition to this the configuration could then contain a
set of the allowed roles to call the endpoint and if this is
set after the authentication we could use isCallerInRole to
verify if the user is in the allowed role.
The use of the WebAuthentication above does mean that we can
mainly use the standard servlet APIs after the
authentication and this change would be achieved with a
small amount of additional configuration. As we have
authenticated, this will still be propagated to the
calls to any subsequent EJBs.
I will need to consider the implications of this if a user
enables it for an EJB endpoint as it does depend on the web
app having a security domain but the primary purpose of this
change is for POJO endpoints and not EJB endpoints.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4146806#4146806
_______________________________________________
jbossws-dev mailing list
jbossws-dev lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jbossws-dev
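
The decision flow proposed in the message above, as an added example that is not part of the original post or of the JBossWS code base. `ContainerLogin`, `Config` and `Decision` are hypothetical stand-ins: in the proposal the login step would be the WebAuthentication call and the role check would be the container's own, and the users are constructed sample data.

```java
import java.util.Map;
import java.util.Set;

// Added illustration (Java 16+). Every type here is hypothetical, not a JBossWS or JBoss AS API.
public class UsernameTokenGate {
    // Stand-in for the container's programmatic login and its role check.
    interface ContainerLogin {
        boolean login(String user, char[] password);
        boolean isInRole(String role);
    }

    // Per-endpoint settings from the proposal: the authenticate flag and the allowed roles.
    record Config(boolean authenticate, Set<String> allowedRoles) {}

    enum Decision { ALLOW, MISSING_TOKEN, BAD_CREDENTIALS, NOT_IN_ROLE }

    static Decision check(Config cfg, String user, char[] password, ContainerLogin c) {
        if (!cfg.authenticate()) return Decision.ALLOW;            // feature not enabled
        if (user == null || password == null) return Decision.MISSING_TOKEN; // fail closed
        if (!c.login(user, password)) return Decision.BAD_CREDENTIALS;
        if (cfg.allowedRoles().isEmpty()) return Decision.ALLOW;   // no role restriction set
        for (String role : cfg.allowedRoles()) {
            if (c.isInRole(role)) return Decision.ALLOW;
        }
        return Decision.NOT_IN_ROLE;
    }

    public static void main(String[] args) {
        // Constructed sample users standing in for the web app's security domain.
        Map<String, String> passwords = Map.of("alice", "s3cret", "bob", "hunter2");
        Map<String, Set<String>> roles = Map.of("alice", Set.of("friend"), "bob", Set.of("guest"));
        ContainerLogin container = new ContainerLogin() {
            private String caller; // set only by a successful login
            public boolean login(String u, char[] p) {
                boolean ok = new String(p).equals(passwords.get(u));
                caller = ok ? u : null;
                return ok;
            }
            public boolean isInRole(String r) {
                return caller != null && roles.get(caller).contains(r);
            }
        };
        Config cfg = new Config(true, Set.of("friend"));
        System.out.println(check(cfg, "alice", "s3cret".toCharArray(), container));
        System.out.println(check(cfg, "bob", "hunter2".toCharArray(), container));
        System.out.println(check(cfg, "alice", "wrong".toCharArray(), container));
        System.out.println(check(cfg, null, null, container));
    }
}
```

The role check runs only after a successful login, and a message without a token is rejected whenever the flag is set, so an endpoint with the flag enabled never falls through to an unauthenticated call.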