Axis + WSS4J, one time authentication?

Alan Richardson
Greenhorn

Joined: Mar 05, 2007
Posts: 17
Hi folks, I'm somewhat new to web services and particularly WSS4J and I'm having a problem with an implementation. It's probably best if I first explain what I'm attempting to do:

A user will supply a username and password, and this will be authenticated on the web service server. However once authenticated I want the web service to supply what is essentially a 'session' token, which the user can use to access the services. The 'session' token will either be sent as a function parameter in each request, or maybe as the username in the SOAP header (without an accompanying password).

My problem is that WSS4J Callback class wants to authenticate each individual request with a username/password, whereas I only want this to occur once at the beginning of a session. At least as far as I can tell.

Is there any way I can implement the above scenario using WSS4J?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41133
Welcome to JavaRanch.

It's one of the best practices of WS not to implement sessions, but instead to send all required information, including authentication, with each request. But since the client is most likely an automated process (and not a user typing in authentication information again and again), this shouldn't be a problem.

If sessions are still the way to go, then you need to use a callback that is configured not to require WS-Sec authentication (i.e., a different callback than is used for the login call).


Daniel Amadei
Ranch Hand

Joined: Mar 29, 2005
Posts: 94
Hi Alan,

You can use Apache Axis' sessions. I believe the following flow will work:

In first logon, there will be no session token, you can check it in the authentication callback and try to authenticate the user. In subsequent calls, the auth. callback will notice the occurrence of the session token and you can skip the authentication, guaranteeing that the user is authenticated.

Hope this helps,
Daniel
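The two suggestions above (Ulf's: a WS-Security callback for the login call only, and a different handler for everything else; Daniel's: let the callback notice whether a session token is present) can be combined as follows. This is an added example, not code from the original thread or from the Axis/WSS4J projects. It assumes Axis 1 and the WSS4J 1.5 API that was current when the thread was written (`WSPasswordCallback.USERNAME_TOKEN` for digest passwords, where the callback hands back the stored password and WSS4J compares the digest, and `USERNAME_TOKEN_UNKNOWN` for plaintext passwords, where the callback must compare and throw); later WSS4J releases changed these usage codes. The user accounts, the 30-minute timeout, the `example.verifiedUser` message-context property and the `urn:example:session` header are all assumptions made up for the example. The one point a practitioner should take from it is that the per-request handler validates the token against a store of tokens the login service actually issued; merely noticing that a token element is present must never be enough to skip authentication, otherwise any client can skip it by sending an arbitrary string.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.message.SOAPHeaderElement;
import org.apache.ws.security.WSPasswordCallback;

/* Token store shared by the login service and the per-request token handler (in-memory, single JVM). */
final class SessionTokens {
    private static final long TTL_MILLIS = 30 * 60 * 1000L;                 // assumed 30-minute idle timeout
    private static final SecureRandom RNG = new SecureRandom();
    private static final Map<String, String[]> TOKENS = new ConcurrentHashMap<String, String[]>(); // token -> {user, expiry}

    /* Issue a 256-bit random, hex-encoded token bound to an already-verified user. */
    static String issue(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02x", b));
        String token = sb.toString();
        TOKENS.put(token, new String[] { user, Long.toString(System.currentTimeMillis() + TTL_MILLIS) });
        return token;
    }

    /* Return the user bound to a live token, else null: a token is never accepted merely for being present. */
    static String userFor(String token) {
        String[] e = token == null ? null : TOKENS.get(token);
        if (e == null) return null;
        long now = System.currentTimeMillis();
        if (now > Long.parseLong(e[1])) { TOKENS.remove(token); return null; }
        e[1] = Long.toString(now + TTL_MILLIS);                                 // sliding expiry
        return e[0];
    }

    static void revoke(String token) { if (token != null) TOKENS.remove(token); }
}

/* WSS4J password callback, wired only into the login service's request flow. Usage codes are WSS4J 1.5's. */
public class LoginPasswordCallback implements CallbackHandler {
    static final String VERIFIED_USER = "example.verifiedUser";              // assumed MessageContext property name
    private static final Map<String, String> USERS = new ConcurrentHashMap<String, String>();
    static { USERS.put("alice", "correct horse"); USERS.put("bob", "battery staple"); } // constructed sample accounts

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback c : callbacks) {
            if (!(c instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(c);
            WSPasswordCallback pc = (WSPasswordCallback) c;
            String stored = USERS.get(pc.getIdentifier());                     // identifier = wsse:Username, so any account works
            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {          // PasswordDigest: WSS4J compares the digest itself
                if (stored == null) throw new IOException("unknown user");
                pc.setPassword(stored);
            } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) { // PasswordText: we must compare and throw
                if (stored == null || pc.getPassword() == null
                        || !MessageDigest.isEqual(stored.getBytes("UTF-8"), pc.getPassword().getBytes("UTF-8"))) // constant-time on Java 6u17+
                    throw new IOException("bad credentials");
            } else {
                throw new UnsupportedCallbackException(c);
            }
            // Safe to record the name here: on a digest mismatch WSS4J faults the request before any service method runs.
            MessageContext.getCurrentContext().setProperty(VERIFIED_USER, pc.getIdentifier());
        }
    }
}

/* Login service: the only operation behind WS-Security. Returns the token the client presents from then on. */
class LoginService {
    public String login() throws AxisFault {
        String user = (String) MessageContext.getCurrentContext().getProperty(LoginPasswordCallback.VERIFIED_USER);
        if (user == null) throw new AxisFault("Client.Authentication", "no verified UsernameToken", null, null);
        return SessionTokens.issue(user);
    }
    public void logout(String token) { SessionTokens.revoke(token); }
}

/* Plain Axis 1 handler (no WS-Security) for every other service: reads and validates the session token header. */
class SessionTokenHandler extends BasicHandler {
    static final String NS = "urn:example:session", NAME = "SessionToken";    // assumed header QName

    public void invoke(MessageContext ctx) throws AxisFault {
        String token = null;
        SOAPHeaderElement h = ctx.getRequestMessage().getSOAPEnvelope().getHeaderByName(NS, NAME);
        if (h != null) { token = h.getValue(); h.setProcessed(true); }
        String user = SessionTokens.userFor(token);
        if (user == null) throw new AxisFault("Client.Authentication", "missing, unknown or expired session token", null, null);
        ctx.setProperty(LoginPasswordCallback.VERIFIED_USER, user);          // services read this; no re-authentication
    }
}
```

The four classes are shown in one listing for readability; in a deployment each would be its own public class so that Axis can instantiate the callback and the handler by name from the descriptor. Service methods in the non-login services read the `VERIFIED_USER` property instead of authenticating again. Because the token is a bearer credential, it has to travel over TLS and should be revoked on logout and on expiry, which is what the store above does; with several servers the store would have to be shared rather than per JVM.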
Alan Richardson
Greenhorn

Joined: Mar 05, 2007
Posts: 17
Thanks for the welcomes.

Ulf, how might I go about piping off requests to different handlers? Would I have to implement a separate request/response handler class and define them each in the deployment descriptor?

At the moment I am invoking web services using the following code, but I'm not sure how I would point it to another handler.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41133
I'd definitely advise to work with handlers and deployment descriptors, instead of hardcoding everything. It's very handy, especially during development, to be able to add/remove a handler just by (un)commenting a section in the descriptor. The descriptor for password authentication would look something like this for Axis 1:

The server-side handler could just skip checking authentication if a session exists.
[ March 06, 2007: Message edited by: Ulf Dittmer ]
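For the server side, an Axis 1 deployment descriptor (WSDD) that puts only the login service behind the WSS4J UsernameToken handler and routes every other service through a plain token-checking handler would look like the following. This is an added example, not the descriptor from the original post. The handler class `org.apache.ws.axis.security.WSDoAllReceiver` and the parameter names `action` and `passwordCallbackClass` are the ones WSS4J 1.x ships for Axis 1; the `example.*` class names and the service names are assumptions.

```xml
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

  <!-- Login: the only service behind WS-Security. WSDoAllReceiver verifies the
       UsernameToken through the password callback; the service then returns a session token. -->
  <service name="LoginService" provider="java:RPC">
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="UsernameToken"/>
        <parameter name="passwordCallbackClass" value="example.LoginPasswordCallback"/>
      </handler>
    </requestFlow>
    <parameter name="className" value="example.LoginService"/>
    <parameter name="allowedMethods" value="login logout"/>
  </service>

  <!-- Everything else: no WS-Security handler at all. A plain Axis handler checks the
       session token header before the service method is reached. -->
  <service name="OrderService" provider="java:RPC">
    <requestFlow>
      <handler type="java:example.SessionTokenHandler"/>
    </requestFlow>
    <parameter name="className" value="example.OrderService"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>
```

Commenting out the `<handler>` element in either `<requestFlow>` switches that check off, which is the development convenience described above; the same line is therefore worth a deployment check, since a service with an empty request flow accepts unauthenticated calls. On the client the UsernameToken need not be tied to one fixed account in a descriptor: the login stub can set `WSHandlerConstants.ACTION`, `WSHandlerConstants.USER` and `WSHandlerConstants.PW_CALLBACK_REF` as properties per call, and the other stubs attach the token with `setHeader("urn:example:session", "SessionToken", token)`, so no WS-Security header is sent to the services that do not expect one.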
Alan Richardson
Greenhorn

Joined: Mar 05, 2007
Posts: 17
Looking at the deployment descriptor, would that mean I need to know which users will access the service, as you have defined a user, or have I misunderstood how that works? I'm also still not sure how to define a non-WS-Sec handler. I'm still wearing my rookie badge as you may tell.

On reflection I think it would be best to authenticate each message because, as you say it is a better security practice, although I also don't want to leave my understanding of this issue unresolved.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41133
That's a good point. That example assumes that a single user account is used for accessing the WS. But having to support multiple accounts would be a frequent thing to want to do, and the WSPasswordCallback class only deals with passwords, not user names.