
Authenticate and authorise access to webservices

 
Greenhorn
Posts: 1
Hello all,

We have 6 webservices serving different applications within the organization.
Now we want to allow external applications over the internet to be able to access these webservices. To
do this we want to authenticate and authorize both external and internal applications against an Oracle
database/LDAP Active Directory.
Please advise me how to do this; I thought of a couple of things here:
1. Should I have a JSP or a Servlet to do the authentication and authorization before they can access the
subscribed webservice?
However, I feel that this may lead to code changes having to be made in the client applications that consume these
webservices (calling the new servlet/JSP instead of invoking the webservices), or
2. I will let them invoke the webservices the way they are doing right now; in each of these webservices,
before the request is actually processed, can I invoke the new servlet/JSP/a simple Java class where I
intend to code the authentication and authorization logic?

Please help.

Thanks
Chandra
 
Ranch Hand
Posts: 115
Anyone else?
 
Rancher
Posts: 43081

1. Should I have a JSP or a Servlet to do the authentication and authorization before they can access the
subscribed webservice.


No.

2. I will let them invoke the webservices the way they are doing right now, in each of these webservices
before the request is actually processed, can I invoke the new servlet/JSP/a simple java class where I
intend to code the authentication and authorization logic.


Not good either.

WS authentication is done as described by WS-Security; that is supported by all major WS stacks. This will provide your WS code with the already authenticated username, which can be used to look up roles and rights as needed (in a DB or LDAP repository).
 
Kathiresan Chinna
Ranch Hand
Posts: 115
Hi Ulf,

I have a web service endpoint which needs to respond to an iPhone app or any WS client.
I have planned to validate the username/password from the incoming security header against a database table which is in MySQL.
So the WS client must send the username and password in the security header.
Actually I don't want to create users in the Application Server or a config file.
Can you advise?

Thanks in advance
Kathiresan
 
Ulf Dittmer
Rancher
Posts: 43081
77

I have Web service end point which needs to response for iPhone app or any WS client.


If you need to support mobile devices as clients, then SOAP (and WS-Security) may be a bit resource heavy; I'd look into using RESTful services. Of course, that doesn't support WS-Security, so you're back to using Basic (or Digest) Authentication and SSL for encryption.

So the WS client must send the username, password in the security header.

Yep, that's what WS-Security does in a SOAP header.

Actaully I dont want to create users in Application Server or Config file.


Well, where *are* you planning to store the user data? But regardless, on the server side there'll need to be a callback interface implemented that gets called with the credentials being sent by the client; it's then up to that callback to decide whether those credentials are valid or not. In that class you can do whatever you need to do to validate passwords: hardcode them, look them up in a DB/file/LDAP, etc. At least that's how WSS4J works, which I believe is used in all major Java SOAP stacks to provide WS-Security.
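
To make the callback-handler point above concrete, here is an added example (mine, not code from this thread or from the WSS4J project) of a server-side CallbackHandler for WSS4J 2.x that answers a UsernameToken challenge from a user store instead of from an application-server realm or config file. It assumes the default behaviour of WSS4J's UsernameTokenValidator: the handler is invoked with the username from the wsse:UsernameToken and usage USERNAME_TOKEN, it supplies the stored password via setPassword, and WSS4J performs the comparison itself (recomputing the PasswordDigest when the client used one). The CredentialStore interface and the in-memory map standing in for the Oracle/MySQL/LDAP lookup are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Server-side password callback for WS-Security UsernameToken validation (WSS4J 2.x).
 * Assumed contract: WSS4J calls handle() with the username from the token, usage
 * USERNAME_TOKEN and no password; the handler supplies the stored password and
 * WSS4J compares it with the token (recomputing PasswordDigest if the client used it).
 */
public class DbPasswordCallbackHandler implements CallbackHandler {

    /** Hypothetical abstraction over the user store (Oracle, MySQL, LDAP, ...). */
    public interface CredentialStore {
        /** Returns the stored password for an active user, or null if unknown or disabled. */
        String lookupPassword(String username);
    }

    private final CredentialStore store;

    public DbPasswordCallbackHandler(CredentialStore store) {
        this.store = store;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                // Keystore passwords for signature/encryption are not this handler's job.
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
            String username = pc.getIdentifier();
            String stored = (username == null) ? null : store.lookupPassword(username);
            if (stored == null) {
                // Leave the password unset: WSS4J then fails authentication for this token.
                // Behaving the same way for "unknown user" and "wrong password" keeps the
                // endpoint from acting as a username oracle.
                continue;
            }
            pc.setPassword(stored);
        }
    }

    /** Constructed stand-in for a database-backed store, for a quick local demo. */
    public static void main(String[] args) throws Exception {
        Map<String, String> table = new ConcurrentHashMap<>();
        table.put("chandra", "s3cret");                       // sample row, not real data
        CredentialStore store = table::get;

        CallbackHandler handler = new DbPasswordCallbackHandler(store);

        WSPasswordCallback known = new WSPasswordCallback("chandra", WSPasswordCallback.USERNAME_TOKEN);
        handler.handle(new Callback[] { known });
        System.out.println("known user -> password supplied: " + (known.getPassword() != null));

        WSPasswordCallback unknown = new WSPasswordCallback("mallory", WSPasswordCallback.USERNAME_TOKEN);
        handler.handle(new Callback[] { unknown });
        System.out.println("unknown user -> password supplied: " + (unknown.getPassword() != null));
    }
}
```

The handler is registered with whatever your stack uses to hand WSS4J its password callback (for example WSS4J's own passwordCallbackClass handler property; CXF, Metro and Axis2 each expose it under their own configuration key). Two caveats worth knowing before you pick a storage format: if clients send PasswordDigest, WSS4J has to recompute the digest from the plaintext password, so the store cannot hold salted one-way hashes for those users; if you want to keep only hashes, require PasswordText over TLS and do the comparison yourself in a subclass of org.apache.wss4j.dom.validate.UsernameTokenValidator (override verifyPlaintextPassword). And never accept PasswordText without TLS, since the header then carries the password in the clear on every call.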
 
Kathiresan Chinna
Ranch Hand
Posts: 115
Thanks Ulf.

I have more than 2000 users and they have separate username and password.
Should I have this data on the JEE server to authenticate ?

Thanks
Kathiresan
 
Ranch Hand
Posts: 198

Kathiresan Chinna wrote:I have more than 2000 users and they have separate username and password.
Should I have this data on the JEE server to authenticate ?


You can keep the data in a DB, flat file, LDAP etc.; the only thing is that the data should be accessible to the application for validation/authentication. Also, instead of asking clients to send username/password in each SOAP request, create a separate authentication service to authenticate once and issue a token to clients. Clients can send this token in subsequent requests.
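
As an added example of the "authenticate once, then present a token" pattern suggested above (my own code, not from this thread): a small Java service that checks a username/password against a store of salted PBKDF2 hashes, issues an HMAC-signed token with an expiry, and verifies such tokens on later calls. The in-memory user map, the sample user and the per-instance HMAC key are constructed for the demo; in production the key would be loaded from configuration or a KMS and shared by every node that has to verify tokens, and the store would be your database or LDAP.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Authenticate once, hand out a signed expiring token, verify the token on every later call. */
public class TokenAuthService {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 200_000;
    private static final long TOKEN_TTL_MILLIS = 30 * 60 * 1000L;

    /** Stored credential: salt plus PBKDF2 hash, never the plaintext password. */
    private static final class Credential {
        final byte[] salt; final byte[] hash;
        Credential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Map<String, Credential> users = new ConcurrentHashMap<>();
    private final byte[] tokenKey = new byte[32];   // server-side HMAC key; demo generates it per instance

    public TokenAuthService() { RNG.nextBytes(tokenKey); }

    public void addUser(String username, char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        users.put(username, new Credential(salt, pbkdf2(password, salt)));
    }

    /** Step 1, the authentication service: returns a token, or null on bad credentials. */
    public String issueToken(String username, char[] password) throws Exception {
        Credential c = users.get(username);
        // Always run PBKDF2 so response time does not reveal whether the user exists.
        byte[] salt = (c != null) ? c.salt : new byte[16];
        byte[] candidate = pbkdf2(password, salt);
        if (c == null || !MessageDigest.isEqual(c.hash, candidate)) {
            return null;
        }
        long expires = System.currentTimeMillis() + TOKEN_TTL_MILLIS;
        byte[] nonce = new byte[8];
        RNG.nextBytes(nonce);
        String payload = b64(username.getBytes(StandardCharsets.UTF_8)) + "." + expires + "." + b64(nonce);
        return payload + "." + b64(hmac(payload));
    }

    /** Step 2, every web service: returns the authenticated username, or null if the token is bad. */
    public String verifyToken(String token) throws Exception {
        if (token == null) return null;
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        byte[] presentedMac;
        try { presentedMac = Base64.getUrlDecoder().decode(token.substring(dot + 1)); }
        catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(hmac(payload), presentedMac)) return null;   // forged or tampered
        String[] parts = payload.split("\\.");
        if (parts.length != 3) return null;
        long expires;
        try { expires = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (System.currentTimeMillis() > expires) return null;                 // expired
        return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(tokenKey, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    public static void main(String[] args) throws Exception {
        TokenAuthService svc = new TokenAuthService();
        svc.addUser("chandra", "s3cret".toCharArray());        // constructed sample user
        String token = svc.issueToken("chandra", "s3cret".toCharArray());
        System.out.println("issued:          " + token);
        System.out.println("verified as:     " + svc.verifyToken(token));
        System.out.println("wrong password:  " + svc.issueToken("chandra", "nope".toCharArray()));
        System.out.println("tampered token:  " + svc.verifyToken(token.substring(0, token.length() - 1) + "x"));
    }
}
```

The token is only a bearer credential, so it must travel over TLS just as the password would; the expiry bounds the damage if one leaks, and because the password is checked once, the expensive PBKDF2 step runs once per session rather than on every SOAP call. If you need to revoke tokens before they expire, keep the nonce in a server-side denylist, or keep a session table instead of a self-contained signed token.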
 