
How do you implement Web Services security?

 
Dean Fredericks
Ranch Hand
Posts: 60
I've got a web service up and running.

Now I just realised that anybody who sees my WSDL can call the methods on my server.

How do I stop this? How do I authenticate users??

What's the easiest way? Could somebody show me a code example of the client-side and server-side code needed? My server is Apache Tomcat with Axis, and my client is a J2SE Swing app which calls methods on the stubs I generated from the WSDL.

I would really appreciate a dead simple example. I do not want to have to pass a user name and password as parameters with each method call!!
 
Balaji Loganathan
author and deputy
Bartender
Posts: 3150
You can have a look at these two links. They're worth reading, but they won't give you a direct solution.
http://ws.apache.org/axis/java/security.html#AuthenticatingTheCaller
http://cvs.apache.org/viewcvs.cgi/ws-axis/java/samples/security/
 
Dean Fredericks
Ranch Hand
Posts: 60
That didn't really help me. I'm hoping to hear something like "add something to my web.xml on Tomcat, and then do something in the client code"...

Every answer I come across explains the theory of authentication, but not how I do it!

My senior developer warned me against web services, saying there aren't any good docs and how-tos on using it. I hope he is not right!! He's gonna make me use CORBA if I fail to get this authentication working today!!
HELP
 
Ulf Dittmer
Rancher
Posts: 42968
73
The first link posted by BL was right on the mark. Amongst other things, it says that you can use HTTP Authentication. That involves your web.xml and conf/tomcat-users.xml on the server side (assuming you're using Tomcat, but other servlet containers work similarly), as well as setting properties in your javax.xml.rpc.Stub on the client, which looks something like:

Stub stub = (Stub) ...; // wherever you get your Stub from
stub._setProperty(Stub.USERNAME_PROPERTY, "username");
stub._setProperty(Stub.PASSWORD_PROPERTY, "password");

No rocket science involved. This is not very strong security (password is transmitted unencrypted in the HTTP headers), but it's a start. Later, you can run your service over SSL for some additional security, or migrate to using the WS-Security standard.
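The client side of what Ulf describes, as an added example (not code from the thread or from the Axis project). It assumes a hypothetical Axis-generated JAX-RPC stub class `ProjectServiceSoapBindingStub` with a hypothetical `listProjects()` method; the only standard API used is `javax.xml.rpc.Stub`. Because Basic authentication only base64-encodes the password, the helper refuses to send credentials to a plain `http` endpoint unless the caller explicitly allows it:

```java
import java.net.URL;
import javax.xml.rpc.Stub;

/**
 * Added example: set HTTP Basic credentials once on a JAX-RPC stub so every
 * call the Swing client makes through it carries an Authorization header.
 * ProjectServiceSoapBindingStub and listProjects() are hypothetical names
 * standing in for whatever wsdl2java generated from the WSDL.
 */
public class SecureStubFactory {

    /**
     * Configures endpoint and credentials on the stub and returns it.
     * Basic auth transmits the password base64-encoded, not encrypted, so
     * anyone on the network path can read it unless the transport is TLS.
     */
    public static Stub configure(Stub stub, String endpoint,
                                 String username, String password,
                                 boolean allowPlainHttp) throws Exception {
        URL url = new URL(endpoint);
        if (!"https".equalsIgnoreCase(url.getProtocol()) && !allowPlainHttp) {
            throw new IllegalArgumentException(
                "Refusing to send Basic credentials over " + url.getProtocol());
        }
        stub._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY, endpoint);
        stub._setProperty(Stub.USERNAME_PROPERTY, username);
        stub._setProperty(Stub.PASSWORD_PROPERTY, password);
        return stub;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical generated stub; Axis stubs expose a no-arg constructor.
        ProjectServiceSoapBindingStub stub = new ProjectServiceSoapBindingStub();
        // Constructed sample values: endpoint and credentials are placeholders.
        configure(stub, "https://localhost:8443/axis/services/ProjectService",
                  "dean", "change-me", false);
        // Tomcat answers 401 to this call unless the user is in a role that the
        // <security-constraint> in web.xml permits for /services/*.
        System.out.println(stub.listProjects().length + " projects visible");
    }
}
```

On the server side the matching web.xml pieces are a `<security-constraint>` whose `<url-pattern>` covers the Axis servlet path (for example `/services/*`), a `<login-config>` with `<auth-method>BASIC</auth-method>`, and the `<security-role>` names; adding `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` to the constraint makes Tomcat redirect plain-HTTP callers to the SSL connector so the credentials are never accepted in the clear. With the default MemoryRealm the accounts live in conf/tomcat-users.xml as `<user username="..." password="..." roles="..."/>` entries.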
 
Dean Fredericks
Ranch Hand
Posts: 60
Cool man.

That's exactly the sort of answer I was looking for.

Thanks for your help - much appreciated!
 
Dean Fredericks
Ranch Hand
Posts: 60
Now I want to use the method you have described. I know how to set up user roles and stuff in web.xml.

But I have a database with all the usernames and passwords in it. How do I configure Tomcat to look in my database for the list of usernames and passwords?
 
Ulf Dittmer
Rancher
Posts: 42968
73
In your server.xml, instead of a MemoryRealm, configure a JDBCRealm.
 
Dean Fredericks
Ranch Hand
Posts: 60
Awesome, my DataSourceRealm is all set up.

BUT!!!

Now I'm using the servlet/Tomcat style security. How can I access that from inside my business logic Java bean web service?

Since I'm not in a servlet or JSP, how do I do something like a:
request.isUserInRole("Project Manager")? Since I don't have a request object to work with, is there some way I can get a request object?
 
Ulf Dittmer
Rancher
Posts: 42968
73
That's a FAQ. Check the page at the bottom of this post for an answer.
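One way to get at the container's authentication result from inside an Axis 1.x service class, as an added example (not the FAQ page Ulf links to, and not code from the thread). Axis stores the current `HttpServletRequest` in its `MessageContext` under `HTTPConstants.MC_HTTP_SERVLETREQUEST`; the service class name, the role name and `listProjects()` are placeholders, and the check fails closed when there is no HTTP request or no authenticated principal:

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;

/**
 * Added example: an Axis 1.x service implementation that reads the servlet
 * request Tomcat already authenticated and enforces a role before doing work.
 * ProjectService and listProjects() are hypothetical names.
 */
public class ProjectService {

    /** Role name must match a <security-role> in web.xml / a row in the realm's role table. */
    static final String REQUIRED_ROLE = "Project Manager";

    /** The request Axis attached to the current thread's MessageContext, or null outside HTTP. */
    static HttpServletRequest currentRequest() {
        MessageContext ctx = MessageContext.getCurrentContext();
        if (ctx == null) {
            return null;
        }
        return (HttpServletRequest) ctx.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
    }

    /** Fail closed: no request, no authenticated caller, or missing role all raise a fault. */
    static void requireRole(String role) throws AxisFault {
        HttpServletRequest req = currentRequest();
        if (req == null || req.getUserPrincipal() == null) {
            throw new AxisFault("Server.Unauthenticated",
                                "No authenticated caller", null, null);
        }
        if (!req.isUserInRole(role)) {
            throw new AxisFault("Server.Forbidden",
                                "Caller " + req.getRemoteUser() + " lacks role " + role,
                                null, null);
        }
    }

    /** Business method exposed through the WSDL; the role check runs before any work. */
    public String[] listProjects() throws AxisFault {
        requireRole(REQUIRED_ROLE);
        // Constructed sample data standing in for the real lookup.
        return new String[] { "Billing rewrite", "Intranet portal" };
    }
}
```

The `<security-constraint>` in web.xml already stops unauthenticated callers at the door; this in-method check is what lets different operations demand different roles. With a JDBCRealm or DataSourceRealm the roles come from the realm's user-role table, and if the stored passwords are hashed rather than plaintext, the realm's `digest` attribute tells Tomcat which hash to apply to the submitted password before comparing.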
 
Balaji Loganathan
author and deputy
Bartender
Posts: 3150
Originally posted by Ulf Dittmer:
That's a FAQ. Check the page at the bottom of this post for an answer.

Nice one, Ulf!!
 
Dean Fredericks
Ranch Hand
Posts: 60
Thanks for your help. You really helped me a lot, much appreciated!!

Everything you suggested worked 100%!

Thanks Again!
Cheers
 