How do you implement Web Services security?

Dean Fredericks
Ranch Hand

Joined: Dec 04, 2004
Posts: 60
I've got a web service up and running.

Now I just realised that anybody who sees my WSDL can call the methods on my server.

How do I stop this, how do I authenticate users??

What's the easiest way? Could somebody show me a code example of the client side and server side code needed. My server is Apache Tomcat with Axis, and my client is a J2SE Swing app which calls methods on the stubs I generated from the WSDL.

I would really appreciate a dead simple example. I do not want to have to pass a user name and password as parameters with each method call!!


Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
You can have a look at these two links. It's worth reading, but it won't give you a direct solution.
http://ws.apache.org/axis/java/security.html#AuthenticatingTheCaller
http://cvs.apache.org/viewcvs.cgi/ws-axis/java/samples/security/
Dean Fredericks
Ranch Hand

Joined: Dec 04, 2004
Posts: 60
That didn't really help me. I'm hoping to hear something like add something to my web.xml on Tomcat, and then do something on the client code...

Every answer I come across explains the theory of authentication, but not how I do it!

My senior developer warned me against web services, saying there aren't any good docs and how-tos on using it. I hope he is not right!! He's gonna make me use CORBA if I fail to get this authentication working today!!
HELP
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41885
    
The first link posted by BL was right on the mark. Amongst other things, it says that you can use HTTP Authentication. That involves your web.xml and conf/tomcat-users.xml on the server side (assuming you're using Tomcat, but other servlet containers work similarly), as well as setting properties in your javax.xml.rpc.Stub on the client, which looks something like:

Stub stub = (Stub) ...; // wherever you get your Stub from
stub._setProperty(Stub.USERNAME_PROPERTY, "username");
stub._setProperty(Stub.PASSWORD_PROPERTY, "password");

No rocket science involved. This is not very strong security (password is transmitted unencrypted in the HTTP headers), but it's a start. Later, you can run your service over SSL for some additional security, or migrate to using the WS-Security standard.


Dean Fredericks
Ranch Hand

Joined: Dec 04, 2004
Posts: 60
Cool man.

That's exactly the sort of answer I was looking for.

Thanks for your help - much appreciated!
Dean Fredericks
Ranch Hand

Joined: Dec 04, 2004
Posts: 60
Now that I want to use the method you have described. I know how to set up user roles and stuff in web.xml.

But I have a database with all the usernames and passwords in it. How do I configure Tomcat to look in my database for the list of usernames and passwords?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41885
    
In your server.xml, instead of a MemoryRealm, configure a JDBCRealm.
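
The server-side configuration described in the two answers above, written out as an added example (it is not part of the original posts or of the Axis samples). The role name, realm name, database table and column names, JDBC driver and URL are all assumptions or placeholders, and the URL pattern assumes the AxisServlet is mapped to /services/*:

```xml
<!-- WEB-INF/web.xml of the Axis webapp. These elements go after the
     servlet mappings. "ws-user" is a hypothetical role name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis services</web-resource-name>
    <url-pattern>/services/*</url-pattern>
    <!-- No http-method elements are listed, so the constraint covers every
         HTTP method: GET (WSDL retrieval) and POST (SOAP calls) alike. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>ws-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic credentials are only base64-encoded, so require SSL for these
         URLs. The client's endpoint address should be an https:// URL from
         the start, so the header is never sent over plain HTTP. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Web service</realm-name>
</login-config>

<security-role>
  <role-name>ws-user</role-name>
</security-role>

<!-- conf/server.xml: replaces the MemoryRealm element. Driver class, URL and
     credentials are placeholders; table and column names are assumptions.
     The user_roles table needs a user_name column as well as role_name.
     Give the database account read-only access to these two tables, and
     store password digests rather than plaintext (how the digest is
     configured depends on the Tomcat version). -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.example.jdbc.Driver"
       connectionURL="jdbc:example://dbhost/authdb"
       connectionName="tomcat_ro" connectionPassword="CHANGE_ME"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
```

The username and password set on the client Stub must belong to a user that holds the `ws-user` role in the `user_roles` table, otherwise the container answers with 403 after a successful login.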
Dean Fredericks
Ranch Hand

Joined: Dec 04, 2004
Posts: 60
Awesome, my DataSource realm is all set up.

BUT!!!

Now I'm using the servlet/Tomcat style security. How can I access that from inside my business logic Java bean web service?

Since I'm not in a servlet or JSP, how do I do something like a:
request.isUserInRole("Project Manager")! Since I don't have a request object to work with?? Is there some way I can get a request object?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41885
    
That's a FAQ. Check the page at the bottom of this post for an answer.
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Originally posted by Ulf Dittmer:
That's a FAQ. Check the page at the bottom of this post for an answer.

Nice one!! Ulf.
Dean Fredericks
Ranch Hand

Joined: Dec 04, 2004
Posts: 60
Thanks for your help. You really helped me a lot, much appreciated!!

Everything you suggested worked 100%!

Thanks Again!
Cheers
 
 