<h1>Securing your Web Services with JBoss.net</h1>

<p>  
<img SRC="../../../../../modules/html/developers/guides/jboss.net/jboss-net.png" align=LEFT>
JBoss.net currently connects the transport-level security facilities of Apache 
Axis to the JBoss security subsystem. For that purpose, we have implemented 
two handlers to be placed into the requestflow of your webservice to be 
shielded: <code>org.jboss.net.axis.server.JBossAuthenticationHandler</code> 
and <code>org.jboss.net.axis.server.JBossAuthorizationHandler</code>.</p>

<p>
<cite>
<a href="../../../../../modules/html/developers/guides/jboss.net/secure-web-service.xml">Example wsdd</a> 
demonstrating the combined use of authentication and authorization handlers.
</cite>
</p>

<p> JBossAuthenticationHandler maps the basic authentication data that 
Axis has already extracted from the chosen transport, e.g., by a 
preceding <code>org.apache.axis.transports.http.HTTPAuthHandler</code>, 
to a given JBoss security domain (specified as a JNDI name in the 
handler's "securityDomain" parameter). If you are
providing an <a href="../../../developers/guides/jboss.net/ejb">EJB-based web service</a> 
such as in our example above, the security association established this way will 
be used by the JBoss EJB invocation stack when the 
deserialized call is routed to it.
</p>

<p> 
Hint: Some web service implementations, such as the M$ Soap Toolkit, do not 
send basic authentication data until the server presents them with a 401 response. 
To ensure that the JBossAuthenticationHandler does not route an unauthenticated 
call with a "null" security association further down the line, but instead notifies 
the client, set the "validateUnauthenticatedCalls" 
option to "false". See 
<a href="http://www.nsdev.org/jboss/stories/jboss-net.html">Neal Sanches' investigations about that topic</a>.
</p>

<p> 
The JBossAuthorizationHandler can 
be inserted in case your provider implementation
is not secured by itself or you want to add
additional security restrictions. It mimics a unix-style 
allow/deny roles authorization scheme (parameter
"securityDomain" as before, and parameters "allowedRoles" and "deniedRoles" 
for controlling access to the specified web service). See the server's 
axis-config.xml for that purpose.
</p>
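<p>
The following service deployment descriptor is an added illustration of how the two
handlers described above are chained in a request flow; it is not the example wsdd
linked above nor shipped with JBoss.net. The handler class names and the parameter names
("securityDomain", "validateUnauthenticatedCalls", "allowedRoles", "deniedRoles") are the
ones this page documents; the service name, the provider, the implementation class, the
JNDI name <code>java:/jaas/other</code>, the role names and the comma-separated role list
format are assumptions for the sake of the example. Extraction of the HTTP basic
authentication credentials is done by the Axis HTTP transport's own request flow before
the service flow runs, so it is not repeated here.
</p>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example deployment descriptor (not the page's own wsdd).
     Ordering matters: authentication must run before authorization,
     because the authorization handler decides on the roles of the
     security association that the authentication handler established. -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

  <!-- Assumed service name and provider; replace with your own. -->
  <service name="SecureService" provider="java:RPC">

    <requestFlow>
      <!-- 1. Map the basic-auth credentials extracted by the HTTP transport
              onto the assumed JBoss security domain java:/jaas/other. -->
      <handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler">
        <parameter name="securityDomain" value="java:/jaas/other"/>
        <!-- "false" rejects calls that carry no credentials instead of passing a
             null security association down the chain (see the hint above). -->
        <parameter name="validateUnauthenticatedCalls" value="false"/>
      </handler>

      <!-- 2. Unix-style allow/deny check on the roles of the authenticated caller.
              Role names and the comma-separated list format are assumptions. -->
      <handler type="java:org.jboss.net.axis.server.JBossAuthorizationHandler">
        <parameter name="securityDomain" value="java:/jaas/other"/>
        <parameter name="allowedRoles" value="WebServiceUser,Administrator"/>
        <parameter name="deniedRoles" value="Guest"/>
      </handler>
    </requestFlow>

    <!-- Assumed implementation class; any exposed method is now reachable
         only by an authenticated caller holding an allowed role and none
         of the denied ones. -->
    <parameter name="className" value="org.example.SecureServiceImpl"/>
    <parameter name="allowedMethods" value="*"/>
  </service>

</deployment>
```

<p>
When testing such a descriptor, verify both directions: a call without credentials
must be answered with an authentication failure rather than reaching the
implementation, and a call authenticated as a user who holds only a denied role must
be rejected by the authorization handler even though authentication succeeded.
</p>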

<p> 
Both handler configurations can be auto-generated using the
<a href="../../../developers/guides/jboss.net/xdoclet">jboss.net xdoclet module</a>. 
</p>

<p> 
It is planned to extend jboss.net also to content-based security measures, 
such as <a href="http://www.w3.org/Signature/">XML Signature</a> 
and 
<a href="http://www.w3.org/Encryption/2001/">XML Encryption</a> 
(the overall specification is called <a href="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss">Web Services Security</a>).
</p>

<p>"Dr. Schorsch" (<a href="mailto:christoph.jung@jboss.org">christoph.jung@jboss.org</a>) - 2001/09/29, Last update on 2003/10/15</p>

<p><small>All mentioned trademarks on this page are 
copyright of their respective owners ... like that ... </small></p>

