
Only two authentication forms are available for Java EE web service?

 
Himai Minh
Ranch Hand
Posts: 1316
6
In MZ's notes, only two forms of authentication are available for JEE web services:
Options:
1. Basic authentication
2. Digest authentication
3. Form-based authentication
4. HTTPS-based authentication
5. Kerberos authentication

The correct options are 1 (Basic) and 4 (HTTPS) authentication according to MZ.

This JEE 6 tutorial at http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html
says: "Java EE platform supports basic authentication, form based authentication, digest authentication, client authentication and mutual authentication".

So, should I choose option 1, 2, 3, 4 instead of only 1 and 4?
 
Ulf Dittmer
Rancher
Posts: 42968
73
You need to differentiate between web apps and WS. For example, form-based auth only applies to web apps, there being no forms when WS are used.

Basic auth should not be used for WS, though - that's what WS-Security is for, at least for SOAP-based WS. I'm not sure if JEE requires WS-Security to be supported, though - but all major SOAP stacks do so.
 
Himai Minh
Ranch Hand
Posts: 1316
6
Thanks for your quick response.
According to this article: http://download.oracle.com/otn-pub/jcp/websvcs-1.3-mrel2-evaluate-oth-JSpec/websvcs-1_3-final-spec.pdf?AuthParam=1396117574_b0bad0dc7a520028414b3352ed29327f
web services support two forms of authentication: Basic authentication and symmetric HTTPS (that is, HTTPS authentication).

So, does that mean web services only support Basic and symmetric HTTPS, but not form-based or digest authentication, while the JEE platform supports form-based / digest / Kerberos authentication?
 
Himai Minh
Ranch Hand
Posts: 1316
6
One more point, I agree that basic authentication is not commonly used for web services.
But in web.xml for deploying a web service, we can define this :


In this case, we can still use client certificates for a JEE web service. But why are only Basic/symmetric HTTPS supported according to MZ's notes?

I believe nowadays, client authentication is also supported in web services.
 
Himai Minh
Ranch Hand
Posts: 1316
6
To answer my own question, HTTPS authentication includes server authentication and client authentication.
Reference: http://technet.microsoft.com/en-us/library/cc736680%28v=ws.10%29.aspx
 
Ulf Dittmer
Rancher
Posts: 42968
73
Not quite. HTTPS auth can be server-only or client/server. It is actually unusual for HTTPS to be set up to require client auth.

You need to differentiate between WS as such, and WS as implemented on top of a standard Java web app. In the latter case, obviously you can use all the authentication methods Java web apps support. But that WS are implemented on top of servlets is not a given. For example, an EJB exposed as a WS would not work that way.

I think what that JEE WS document refers to may be what's required to be supported - it doesn't mean that you should necessarily use those methods, or that no other methods are available.
 
Himai Minh
Ranch Hand
Posts: 1316
6
Let me fix my previous post.

CLIENT-CERT actually refers to mutual authentication, not client authentication:

"In the CLIENT-CERT method, clients authenticate the server by asking the server for its digital certificate and the server also asks the client to provide its digital certificate to authenticate its identity. In this mode nothing is required to be done except that the client and the server must have a certificate issued by a certificate authority trusted by the other side."
(quote from http://refcardz.dzone.com/refcardz/getting-started-java-ee)

And also one more quote:
"Java EE containers provide some standard authentication mechanisms for using in the Web modules. These methods with their specification names are as follow:
HTTP Basic Authentication: BASIC
Digest Authentication: DIGEST
HTTPS Client Authentication: CLIENT-CERT
Form-Based Authentication: FORM"

I guess "JEE containers" means where web applications, including servlets, JSPs and EJBs, are deployed. And web services can be deployed as servlets or EJBs.

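As an added example (not from this thread or from any of the posters), the following web.xml fragment shows how the specification names quoted above (BASIC, DIGEST, CLIENT-CERT, FORM) are declared for a servlet-based web service endpoint, together with the transport guarantee that forces HTTPS. The URL pattern `/ws/*`, the role name `ws-client` and the Servlet 3.0 schema version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         version="3.0">

  <!-- Protect the servlet-based WS endpoint (the URL pattern is an assumption). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WS endpoint</web-resource-name>
      <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <!-- Only callers mapped to this (assumed) role may invoke the endpoint. -->
    <auth-constraint>
      <role-name>ws-client</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL forces HTTPS; the server is authenticated by its certificate
         (the "server authentication" half of HTTPS authentication). -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- One login-config per web module. CLIENT-CERT makes the container demand a
       client certificate during the TLS handshake (mutual authentication).
       The other specification names from the thread go in the same element:
       BASIC, DIGEST, or FORM (FORM additionally needs a form-login-config). -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>ws-client</role-name>
  </security-role>
</web-app>
```

Two points worth checking when deploying this: the mapping from a presented certificate to the `ws-client` role is container-specific (the web.xml only says that a certificate is required, not which certificates are trusted or which principal they map to), and a servlet-based endpoint can inspect the certificate chain the container accepted through the standard request attribute `javax.servlet.request.X509Certificate`. As Ulf notes above, FORM is a browser interaction and does not apply to a programmatic SOAP client, and an EJB exposed directly as a WS is not governed by this descriptor at all.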