Have Geek Brain

How to send username between web service requests?

Basically the problem is this:
There is a database stored procedure that takes a username as an argument and produces some XML data depending on that. It is called by a method with no arguments in an unsecured web service (let's call the WS WS of the web service). There is also another web service (call WSB) that should call WSA. In this setup, WSA should only ever invoke WSB and never by anyone else. WSB is what users call and this is how they get the required XML data. The web services are deployed to OC4J and have security enabled. The WSB is protected by OC4J and can be accessed by specifying the OC4J username and password.
When testing a web service, OC4J provides you with a form where you can enter your login details before calling the web service. If you want to include security information in the header and view the message before calling the service, the message will include the username and password.
My problem is that I cannot get the security information (or at least the username) to reach the endpoint implementation and call the stored procedure. So far I created the WSA, made a web service proxy that references it, and created a proxy based WSB. What I have tried so far to get the username (and why it doesn't work):

  • If WSA implements javax.xml.rpc.server.ServiceLifecycle

    . This provides the WSA with an instance javax.xml.rpc.server.ServletEndpointContext

    that it provides to me java.security.Principal

    . However Principal

    null

    , if I call WSB (which in turn calls WSA). If I secure the WSA and call it directly, Pricipal

    it is not null and contains the user (but it doesn't solve the problem because I need to call WSB, not WSA).

  • Created handlers (extension javax.xml.rpc.handler.GenericHandler

    ) for both services to process the message. It really puzzled me. The handler methods are called correctly - the WSB handler processes the request, then the WSA handler processes the request, then the WSA handler processes the response, and finally the WSB handler processes the response. But when I tried to print the messages to a file at each step, I found out that even in the first step (when WSB processes the request) there is no security information in the message. No username, nothing. The message is indeed very different from what is shown on the call page when previewing the request message before calling the service.

  • Tried injecting an instance WebServiceContext

    using annotation @Resource

    but apparently OC4J doesn't support that.

If anyone can shed some light on where I could do something, I would be very grateful.

+1


a source to share


1 answer


The problem is that "WSA is called by a method with no arguments in an insecure web service." So there is no security context for WSA to get user id from ...

The simplest solution would be to change the WSA API to accept the user ID in the request parameters.



NTN Tom

+1


a source






More articles:


All Articles