users@glassfish.java.net

Re: [Fwd: iiop over http] Using wsse:Usernametoken for role-based authorization

From: jon_c <jon.card_at_gmail.com>
Date: Thu, 15 Feb 2007 11:45:13 -0800 (PST)

Okay, to partially answer my own question, I seem to see what is tripping me
up on this..

I had a file realm with 'user1' belonging to group 'group1'. In my
deployment descriptor, I had this:
<security-role-mapping>
  <role-name>abc</role-name>
  <group-name>group1k</group-name>
</security-role-mapping>

I was expecting sessionContext.getCallerPrincipal().getName() to give me
"user1", since that is what was in the username token of my SOAP message.
Instead it gives me "CN=user1". I'm assuming that this is why my
authorization was failing, since if I add
<principal-name>CN=user</principal-name> to my descriptor, it seems to work.
Can anybody tell me why this is? Or point me to an appropriate resource?

Thank you,


jon_c wrote:
>
> Glassfish/Java EE newbie question.. Apologies in advance.
>
> I'm trying to figure out if there is a straightforward way to use
> message-layer credentials (i.e. wsse:UsernameToken from SOAP header) to
> perform authorization in my Web-Service (role-based permissions on my
> service Web Methods). In this case, the web service, which is deployed in
> the EJB-container, might look something like this:
>
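> import javax.annotation.security.RolesAllowed;
> import javax.jws.WebMethod;
> import javax.jws.WebService;
>
> @WebService
> public class Service {
>
>     // Only callers mapped to the "abc" role may invoke this method.
>     @WebMethod
>     @RolesAllowed("abc")
>     public String helloWorld() {
>         return "Hello World";
>     }
> }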
>
>
> Authenticating against the users in a realm seems pretty straightforward
> with XWS, but I'm having difficulty getting the authorization part to
> work. Am I barking up the wrong tree? I can get it to work just fine
> using HTTP authentication, but would rather use the SOAP message so that I
> can have well integrated message-layer and application-layer security. Is
> it possible? practical?
>
> Thank you,
> Jon
>
