We have a Java 1.4 web service running on AIX 5. We want to have the web service methods execute under the context of the caller, not the hosting web server. How would we go about this?
You should be able to perform JAAS authentication (just like a normal J2EE web application), which will establish the principals associated with the subject. The container automatically ensures that the current worker thread is associated with the identified subject. The subject and its principals are also propagated down to the service/business tier as is the case with a normal servlet.
It might also be worthwhile to determine the web service security features of the underlying application server, as it might offer more features than the basic/digest/form authentication functionality that is present in JAAS. For example, WebLogic Server allows for certificate-based authentication of web service clients (with some configuration involved), and that might be true of the application server that you're using as well. Usually, the container security features will ride on top of JAAS and the related security features in J2EE 1.4, thereby ensuring that the J2EE security features used in the other sections of the application will continue to perform as expected.
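An added illustration, not part of the original answer and not any application server's code: the subject-to-thread association described above, shown with the plain Java 1.4 JAAS calls `Subject.doAs` and `Subject.getSubject` (both deprecated in current JDKs). The `UserPrincipal` class, the methods `invokeAs`, `whoAmI` and `readPayroll`, and the `alice` identity are hypothetical; in a container the login module populates the subject and the binding is done for you.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Iterator;
import javax.security.auth.Subject;

public class CallerContextDemo {
    // Hypothetical principal type; a real LoginModule adds its own in commit().
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        public int hashCode() { return name.hashCode(); }
    }

    // Business-tier helper: takes no identity parameter, it reads the caller
    // from the Subject bound to the current access control context.
    static String whoAmI() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return "unauthenticated";
        Iterator it = s.getPrincipals(UserPrincipal.class).iterator();
        return it.hasNext() ? ((Principal) it.next()).getName() : "unauthenticated";
    }

    // Service method guarded by caller identity; fails closed for anyone else.
    static String readPayroll() {
        String caller = whoAmI();
        if (!"alice".equals(caller)) {
            throw new SecurityException("denied for " + caller);
        }
        return "payroll data for " + caller;
    }

    // Stand-in for the container step that runs a request as the authenticated subject.
    static Object invokeAs(Subject caller) {
        return Subject.doAs(caller, new PrivilegedAction() {
            public Object run() { return readPayroll(); }
        });
    }

    public static void main(String[] args) {
        Subject alice = new Subject();
        alice.getPrincipals().add(new UserPrincipal("alice")); // constructed sample identity
        System.out.println(invokeAs(alice)); // runs with alice bound as the caller
        System.out.println(whoAmI());        // called outside doAs, so no Subject is bound
    }
}
```

Calling `readPayroll()` directly, outside `invokeAs`, throws `SecurityException` because no subject is associated with the thread.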