
Authenticate and authorise access to webservices

chandu
Greenhorn

Joined: Aug 23, 2007
Posts: 1
Hello all,

We have 6 webservices serving different applications within the organization.
Now we want to allow external applications over the internet to be able to access these webservices; to
do this we want to authenticate and authorize both external and internal applications against an Oracle
database/LDAP Active Directory.
Please advise me how to do this. I thought of a couple of things here:
1. Should I have a JSP or a Servlet to do the authentication and authorization before they can access the
subscribed webservice?
However, I feel that this may lead to code changes having to be made in the client applications that consume these
webservices (calling the new servlet/JSP instead of invoking the webservices), or
2. I will let them invoke the webservices the way they are doing right now; in each of these webservices,
before the request is actually processed, can I invoke the new servlet/JSP/a simple Java class where I
intend to code the authentication and authorization logic?

Please help.

Thanks
Chandra
Kathiresan Chinna
Ranch Hand

Joined: Aug 17, 2008
Posts: 115
Anyone else?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41523
1. Should I have a JSP or a Servlet to do the authentication and authorization before they can access the
subscribed webservice?

No.

2. I will let them invoke the webservices the way they are doing right now; in each of these webservices,
before the request is actually processed, can I invoke the new servlet/JSP/a simple Java class where I
intend to code the authentication and authorization logic?

Not good either.

WS authentication is done as described by WS-Security; that is supported by all major WS stacks. This will provide your WS code with the already authenticated username, which can be used to look up roles and rights as needed (in a DB or LDAP repository).


Kathiresan Chinna
Ranch Hand

Joined: Aug 17, 2008
Posts: 115
Hi Ulf,

I have a Web service endpoint which needs to respond to an iPhone app or any WS client.
I have planned to validate the username and password from the incoming security header against the database table which is in MySQL.
So the WS client must send the username and password in the security header.
Actually I don't want to create users in the Application Server or a config file.
Can you advise?

Thanks in advance
Kathiresan
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41523
I have a Web service endpoint which needs to respond to an iPhone app or any WS client.

If you need to support mobile devices as clients, then SOAP (and WS-Security) may be a bit resource heavy; I'd look into using RESTful services. Of course, that doesn't support WS-Security, so you're back to using Basic (or Digest) Authentication and SSL for encryption.

So the WS client must send the username and password in the security header.
Yep, that's what WS-Security does in a SOAP header.

Actually I don't want to create users in the Application Server or a config file.

Well, where *are* you planning to store the user data? But regardless, on the server side there'll need to be a callback interface implemented that gets called with the credentials being sent by the client; it's then up to that callback to decide whether those credentials are valid or not. In that class you can do whatever you need to do to validate passwords: hardcode them, look them up in a DB/file/LDAP, etc. At least that's how WSS4J works, which I believe is used in all major Java SOAP stacks to provide WS-Security.
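The callback described above, as an added example that is not part of this thread or of WSS4J itself: a WSS4J 2.x password callback handler that resolves the UsernameToken's username against a database table and hands the stored password back to WSS4J, which then performs the plaintext or PasswordDigest comparison. The DataSource, the ws_users table and its columns are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.sql.DataSource;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Password callback for WS-Security UsernameToken validation (WSS4J 2.x API).
 * WSS4J calls handle() with the username taken from the incoming token; this
 * class supplies the password it has on record for that user, and WSS4J itself
 * compares it with what the client sent (plaintext or digest). Leaving the
 * password unset makes WSS4J reject the token, so unknown users fail closed.
 */
public class DbPasswordCallbackHandler implements CallbackHandler {
    private final DataSource dataSource; // assumed to be supplied by the container

    public DbPasswordCallbackHandler(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue; // this handler only serves UsernameToken lookups
            }
            String stored = lookupPassword(pc.getIdentifier());
            if (stored != null) {
                pc.setPassword(stored); // WSS4J does the actual comparison
            }
        }
    }

    // The username comes straight from the request, so it is bound as a parameter, never concatenated.
    private String lookupPassword(String username) throws IOException {
        String sql = "SELECT password FROM ws_users WHERE username = ?"; // assumed table and columns
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        } catch (SQLException e) {
            throw new IOException("credential lookup failed", e);
        }
    }
}
```

Because WSS4J performs the comparison, the value returned here has to be the password itself rather than a one-way hash; if the table holds only salted hashes, the comparison must instead be done in a custom UsernameToken validator, which is only possible for plaintext tokens and therefore presumes TLS on the transport.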
Kathiresan Chinna
Ranch Hand

Joined: Aug 17, 2008
Posts: 115
Thanks Ulf.

I have more than 2000 users and they have separate usernames and passwords.
Should I have this data on the JEE server to authenticate?

Thanks
Kathiresan
Vinod K Singh
Ranch Hand

Joined: Sep 30, 2008
Posts: 198
Kathiresan Chinna wrote: I have more than 2000 users and they have separate usernames and passwords.
Should I have this data on the JEE server to authenticate?

You can keep the data in a DB, flat file, LDAP, etc. The only thing is that the data should be accessible to the application for validation/authentication. Also, instead of asking clients to send the username/password in each SOAP request, create a separate authentication service to authenticate once and issue a token to clients. Clients can send this token in subsequent requests.

