I'm using Tomcat 6.0.29, JDK 1.6. I'm developing web services and I would like to add authentication to those web services. The only thing I want to do is validate credentials when entering a web service method (without having to pass username/password parameters and validate them manually every time). I'd like to know how to do it; I need to validate users against the database. I read a lot on the web on JAAS, but it's unclear to me where to start, which framework to use, etc. Can someone help me, please? From what I understood, credentials should be part of the SOAP envelope header, but again, I can't find tutorials or examples on how to do it within Tomcat.
I also read about roles (using the @RolesAllowed annotation), but again, I don't find how to link those roles with the database I configured in the config.xml file (in a resource element).
There are a number of ways to do this kind of stuff.
If the web services support an ongoing session, you can supply a "login" web service method that accepts a userid/password (sent via HTTPS!) and returns a security token or session token. That token can then be passed as an argument to the various application web service methods, and disposed of via a logout web service method. As is the case for J2EE session ids, the same token can be used as the anchor for server-side state information, so it can kill two birds with one stone, so to speak.
If you're looking for something stateless - more akin to REST - you have several options. One of them might be to keep authentication info in a cookie, although that's dangerous, since you have to ensure the cookie is wiped or destroyed after it's no longer needed.
Security on web services covers several different levels. It's often paired with encryption, and encryption can affect the ability to route things. I've just scratched the surface very lightly here.
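The login/token/logout pattern this answer describes, as an added example (not code from the thread or from any JAX-WS or Metro API): the server-side token store behind a login and a logout web method, plus an authenticate call that every application web method makes first. Everything here is hypothetical and written against Java 6 APIs to match the poster's JDK; the CredentialCheck interface stands in for the Realm/database lookup the poster already has, and the class and method names are assumptions.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class TokenSessionService {
    /** Hypothetical hook for the Realm/database credential check; the real lookup lives behind it. */
    public interface CredentialCheck { boolean valid(String user, String password); }
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final long TTL_MILLIS = 30L * 60 * 1000;           // idle timeout before a token dies
    private final CredentialCheck credentialCheck;
    private final Map<String, Session> sessions = new ConcurrentHashMap<String, Session>(); // key: SHA-256(token)
    private static final class Session {
        final String user; volatile long expiresAt;
        Session(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }
    public TokenSessionService(CredentialCheck credentialCheck) { this.credentialCheck = credentialCheck; }

    /** Login web method: returns an opaque token, or null for bad credentials (same answer for bad user or bad password). */
    public String login(String user, String password) {
        if (user == null || password == null || !credentialCheck.valid(user, password)) return null;
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);                                        // 256 random bits: unguessable and carries no user data
        String token = hex(raw);
        sessions.put(digest(token), new Session(user, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }
    /** First call in every application web method: the user behind a valid token, or null if unknown or expired. */
    public String authenticate(String token) {
        Session s = token == null ? null : sessions.get(digest(token));
        if (s == null) return null;
        if (System.currentTimeMillis() > s.expiresAt) { sessions.remove(digest(token)); return null; } // expired: evict
        s.expiresAt = System.currentTimeMillis() + TTL_MILLIS;        // sliding idle timeout
        return s.user;
    }
    /** Logout web method: disposes of the token so it can no longer be replayed. */
    public boolean logout(String token) { return token != null && sessions.remove(digest(token)) != null; }

    /** Only a digest is stored server-side, so a leaked session table yields no usable tokens. */
    private static String digest(String token) {
        try { return hex(MessageDigest.getInstance("SHA-256").digest(token.getBytes(Charset.forName("UTF-8")))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } // SHA-256 is mandatory in every JRE
    }
    private static String hex(byte[] bytes) {                         // fixed-width, transport-safe encoding
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The three public methods would be exposed as @WebMethods, with the token passed as a parameter over HTTPS as the answer says. Because the token is random rather than derived from the user or password, there is nothing in it to decode or forge; only the server-side table gives it meaning.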
Is this a SOAP service? If so, which SOAP stack are you using? The common ones (Metro, Axis2, JBossWS etc.) all support the WS-Security standard that defines username/password authentication (amongst other things).
Hi, thanks for the response.
Yes, it is a SOAP WS and I'm using JAX-WS in Tomcat 6.0.29. I read about WS-Security, but I can't figure out how to plug it into Tomcat. Are there examples somewhere of an integration with Tomcat? I already have configured a Realm in Tomcat and my database resource is also configured, so I'm ready to use the database to validate authentication, but I can't find out how to connect all this stuff.
Thanks a lot in advance,
So you're using the JAX-WS RI? Unfortunately, that doesn't have WS-Security integration. Any chance you can switch to the Metro library? That is built around the JAX-WS RI, and does come with WS-Security built in.
I can have a look at switching to Metro. What's the difference exactly between Metro and JAX-WS in the implementation? Right now, with JAX-WS I only add annotations to my web services (@WebService and @WebMethod) and define my endpoints in the sun-jaxws.xml file. It's really straightforward.
If I use Metro, is there somewhere I can find tutorials or examples to integrate authentication in Tomcat? I already had a look at Metro, but again I didn't find how to close the loop in Tomcat. My needs are pretty basic: I want authentication at every web method call against a database (my Realm is already configured in Tomcat and my database resource too).
Sorry for all the questions, I'm really a newbie to security on WS!