JAAS in WebServices

 
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi everyone,

I have just logged into this forum, because I found out that there is a lot of helpful information here. I scrutinised it and unfortunately I did not find any useful information connected with my case. I would like to ask you whether it is possible to secure web services with JAAS. My simple web services are invoked from an Android application using SOAP and WSDL. I used JAAS for securing my web application, so I think I understand how it works, and I also read a few articles about using annotations to secure EJBs. My major problem is how to authenticate and authorize a user via a web service. Here is an example:



It works without the @SecurityDomain annotation. "EGpw" is the name of my login-config, which I use in the web application, and it works too. My question is how to authenticate and authorize a user via another @WebMethod to let him invoke the getHistory method. Currently, with the @SecurityDomain annotation, invoking any of my methods gives me EJBAccessException: Invalid User.

I really appreciate any help, sorry for my English, I hope you understand what I meant.
Michal
 
Ranch Hand
Posts: 2198
1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi!
You do not need to implement anything to use basic authentication in an EJB or in a web service.
Since you use an EJB to implement the web service endpoint, you can use ordinary EJB security. EJB security can be configured using annotations and/or an XML deployment descriptor. The container in which the EJB is deployed also needs to be configured. For an example using GlassFish, see section 8.3 of my book: http://www.slideshare.net/krizsan/scdjws-5-study-notes-3085287
In the client, when invoking the web service, an extra step is necessary to set the login and password (extract from the book):

GlassFish, per default, uses JAAS. If you want, you can develop your own login and/or realm modules.
Best wishes!
 
Michal Horowic
Hi Ivan!
I appreciate your help, but let me clarify what I would like to achieve.

First of all, I added another annotation. @WebContext(authMethod = "BASIC", secureWSDLAccess = false) works great because it gives me "This request requires HTTP authentication ()." as a response when I am calling the getHistory method. I forgot to mention that I use SOAPUI to test my web services, and JBoss AS instead of GlassFish. When I tried to call the getHistory method with the given login and password in the additional Authentication and Security-related settings in SOAPUI it works, but I have to give the login and password in every call and every method. I wrote extra code to access all methods, which is similar to yours:


and this works as well. But I can't paste this method into my Android application, because it demands libraries and classes which are not available on Android, such as Service, BindingProvider or even my EGpwInterface. What is more, I would like to first call one method which will be the login method (and it should be a @WebMethod because I have to call it from the Android app) and after that all other methods will be permitted for this user. I found out that SESSION_MAINTAIN_PROPERTY doesn't work, or I just do not know how it should work.

Greetings!
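To show how the pieces named in Ivan's reply and Michal's follow-up fit together, here is an added example that is not code from either post: a JBoss AS EJB 3 endpoint that lets the container authenticate callers against the "EGpw" domain with HTTP Basic, and a plain JAX-WS client that sets the credentials once on the port. The role name "user", the ping method and the generated stub names EGpwInterface / EGpwService_Service are assumptions.

```java
// Added example (not from the thread). Endpoint side: EJB 3 web service on JBoss AS,
// authenticated by the container against the "EGpw" security domain from the thread.
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.BindingProvider;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.annotation.WebContext;

@Stateless
@WebService
@SecurityDomain("EGpw")                                     // JBoss login-config name
@WebContext(authMethod = "BASIC", secureWSDLAccess = false) // container performs HTTP Basic auth
@DeclareRoles({"user"})                                     // role name is an assumption
public class EGpwService {
    @Resource private SessionContext ctx;

    @WebMethod
    @PermitAll            // callable without credentials
    public String ping() {
        return "ok";
    }

    @WebMethod
    @RolesAllowed("user") // unauthenticated or wrong-role callers get EJBAccessException
    public String getHistory() {
        // The principal was established by the EGpw login module before this method ran
        return "history for " + ctx.getCallerPrincipal().getName();
    }
}

// Client side (plain JAX-WS, not Android): the credentials are put into the request
// context once, and the stub sends an HTTP Basic header on every call through this port.
class EGpwClient {
    static EGpwInterface authenticatedPort(String user, String password) {
        // EGpwInterface / EGpwService_Service are assumed wsimport-generated names
        EGpwInterface port = new EGpwService_Service().getEGpwServicePort();
        Map<String, Object> rc = ((BindingProvider) port).getRequestContext();
        rc.put(BindingProvider.USERNAME_PROPERTY, user);
        rc.put(BindingProvider.PASSWORD_PROPERTY, password);
        return port;
    }
}
```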
 
Ivan Krizsan
Hi!
I suspect that JAAS is not the solution to your problem, but perhaps rather WS-Security.
In order to be able to avoid providing authentication information with each and every call to the web service, you need a security token.
It is possible to create your own solution, using a login method that returns a token which is later enclosed with every invocation to the web service.
Personally, I would avoid this, especially in matters related to security, and spend some time to investigate whether WS-Security is a viable solution with an Android client.
From what I see on the web, it does seem possible, albeit not trivial.
I also saw some examples of basic authentication from Android clients using the Apache HTTPClient to be able to enclose login and password.
There is also the kSOAP2 library, but I do not know if it has better support for basic authentication.
Best wishes!
 
Michal Horowic
Hi Ivan!

Thank you so much for the attention you paid to my problem. I was considering my own solution with stateful bean maps which would contain user sessions and be stored in a singleton, but I share your opinion that it might not be as safe as services like JAAS or WS-Security. I will look closer at WS-Security. If you have any useful links I would be very grateful. I have never heard of Apache HTTPClient, but it could be a good solution if it is possible to do it by using this extra code from my previous post, or just create a session by an additional URL with login in a servlet(?). Currently, I am using the kSOAP2 library to call my web services from Android, but I have no idea if it has support for basic authentication; I guess it has not.
Thank you for your advice!

Greetings,
Michal
 
Ivan Krizsan
Hi!
Two tutorials on WS-Security:
http://www.jroller.com/gmazza/entry/metro_usernametoken_profile
http://www.ibm.com/developerworks/java/library/j-jws10/index.html
Do share any experiences - at least I would be very interested in hearing about them!
Good luck!

P.S.
Having looked around, it seems like it may not be entirely trivial to use WS-Security from Android.
In fact, the only environment in which it seems trivial is NetBeans - I was able to modify the SecureCalculator+Client example application and had it going in 10 minutes.
I am beginning to think that adding username and password to each request maybe isn't that bad after all, if that level of security is sufficient for you.
 
Michal Horowic
Thank you so much for your help! I found out that I can do this using ksoap2. This code in android app works great for me:


and then added to the call:


Greetings!
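As an added example (not Michal's code, whose snippet did not survive in the thread), this is how an Android client built on ksoap2-android can send HTTP Basic credentials with each call, matching the @WebContext(authMethod = "BASIC") endpoint discussed above. The namespace, endpoint URL, SOAP action and method name are assumptions.

```java
// Added example (not from the thread): Android client using ksoap2-android that
// sends HTTP Basic credentials with every call. URL, namespace and SOAP action are assumptions.
import java.util.ArrayList;
import java.util.List;
import org.ksoap2.HeaderProperty;
import org.ksoap2.SoapEnvelope;
import org.ksoap2.serialization.SoapObject;
import org.ksoap2.serialization.SoapSerializationEnvelope;
import org.ksoap2.transport.HttpTransportSE;
import android.util.Base64;

public class EGpwAndroidClient {
    private static final String NAMESPACE = "http://example.invalid/egpw/";
    // https is required: Basic auth only base64-encodes the password, it does not encrypt it
    private static final String URL = "https://example.invalid/EGpwService/EGpwService";
    private static final String SOAP_ACTION = "";

    // Builds the header the server's BASIC challenge expects:
    // Authorization: Basic base64(user:password)
    static List<HeaderProperty> basicAuthHeaders(String user, String password) throws Exception {
        String token = Base64.encodeToString((user + ":" + password).getBytes("UTF-8"), Base64.NO_WRAP);
        List<HeaderProperty> headers = new ArrayList<HeaderProperty>();
        headers.add(new HeaderProperty("Authorization", "Basic " + token));
        return headers;
    }

    public static String getHistory(String user, String password) throws Exception {
        SoapObject request = new SoapObject(NAMESPACE, "getHistory");
        SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);
        envelope.setOutputSoapObject(request);

        HttpTransportSE transport = new HttpTransportSE(URL);
        // The three-argument call() adds the extra HTTP headers to the POST; when the
        // credentials are missing or wrong the server answers 401 and ksoap2 throws an IOException
        transport.call(SOAP_ACTION, envelope, basicAuthHeaders(user, password));
        return envelope.getResponse().toString();
    }
}
```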