users@glassfish.java.net

Re: [Fwd: iiop over http] Using wsse:Usernametoken for role-based authorization

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Thu, 15 Feb 2007 11:49:56 -0800

jon_c wrote:
> Okay, to partially answer my own question, I seem to see what is tripping me
> up on this..
>
> I had a file realm with 'user1' belonging to group 'group1'. In my
> deployment descriptor, I had this:
> <security-role-mapping>
> <role-name>abc</role-name>
> <group-name>group1k</group-name>
> </security-role-mapping>
>
> I was expecting sessionContext.getCallerPrincipal().getName() to give me
> "user1", since that is what was in the username token of my SOAP message.
> Instead it gives me "CN=user1". I'm assuming that this is why my
>
In message-layer security, wsse:UsernameToken uses a different
convention in the name token.
You need to have that "CN=" for all wsse principal names.
> authorization was failing, since if I add
> <principal-name>CN=user</principal-name> to my descriptor, it seems to work.
> Can anybody tell me why this is? Or point me to an appropriate resource?
>
> Thank you,
>
>
> jon_c wrote:
>
>> Glassfish/Java EE newbie question.. Apologies in advance.
>>
>> I'm trying to figure if there is a straightforward way to use
>> message-layer credentials (i.e. wsse:UsernameToken from SOAP header) to
>> perform authorization in my Web-Service (role-based permissions on my
>> service Web Methods). In this case, the web service, which is deployed in
>> the EJB-container, might look something like this:
>>
>> import javax.annotation.security.RolesAllowed;
>> import javax.ejb.Stateless;
>> import javax.jws.WebMethod;
>> import javax.jws.WebService;
>>
>> @Stateless   // session bean, so @RolesAllowed is enforced by the EJB container
>> @WebService
>> public class Service {
>>
>>     @WebMethod
>>     @RolesAllowed("abc")
>>     public String helloWorld() {
>>         return "Hello World";
>>     }
>> }
>>
>>
>> Authenticating against the users in a realm seems pretty straightforward
>> with XWS, but I'm having difficulty getting the authorization part to
>> work. Am I barking up the wrong tree? I can get it to work just fine
>> using HTTP authentication, but would rather use the SOAP message so that I
>> can have well integrated message-layer and application-layer security. Is
>> it possible? practical?
>>
>> Thank you,
>> Jon
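As an added illustration (not code from this thread or from GlassFish itself), here is a small Python model of how a security-role-mapping is resolved for a caller, showing why a wsse:UsernameToken caller reported as "CN=user1" matches only a principal-name written with the CN= prefix. The descriptor fragment and the caller values are constructed for the example, and the matching rule is a simplification of the container's logic.

```python
# Constructed model of resolving a GlassFish <security-role-mapping>
# (sun-ejb-jar.xml) for a given caller; not the container's own code.
import xml.etree.ElementTree as ET

# Constructed descriptor: role "abc" is mapped to a realm group and to the
# principal name exactly as message-layer security reports it ("CN=user1").
SUN_EJB_JAR_XML = """<sun-ejb-jar>
  <enterprise-beans/>
  <security-role-mapping>
    <role-name>abc</role-name>
    <group-name>group1</group-name>
    <principal-name>CN=user1</principal-name>
  </security-role-mapping>
</sun-ejb-jar>"""


def parse_role_mappings(xml_text):
    """Return {role: (mapped_groups, mapped_principals)} from the descriptor."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for srm in root.iter("security-role-mapping"):
        role = srm.findtext("role-name").strip()
        groups = {g.text.strip() for g in srm.findall("group-name")}
        principals = {p.text.strip() for p in srm.findall("principal-name")}
        mappings[role] = (groups, principals)
    return mappings


def caller_in_role(mappings, role, caller_name, caller_groups):
    """Grant the role if the caller's principal name, or any of the caller's
    groups, appears in the mapping. The name is compared verbatim, so a
    mapping on "user1" never matches a caller reported as "CN=user1"."""
    groups, principals = mappings.get(role, (set(), set()))
    return caller_name in principals or bool(groups & set(caller_groups))


if __name__ == "__main__":
    m = parse_role_mappings(SUN_EJB_JAR_XML)
    # What getCallerPrincipal().getName() returns for a UsernameToken caller.
    print(caller_in_role(m, "abc", "CN=user1", []))   # True: principal matches
    print(caller_in_role(m, "abc", "user1", []))      # False: no "CN=" prefix
```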