EJBContext - caller principal : propagate credentials to webservice

Joris Geuens
Greenhorn

Joined: Oct 08, 2003
Posts: 4
Hi,

My Java Swing client uses the InitialContext to connect to my EJB server (WebLogic). The user provides his user name and password.
The user is authenticated on my EJB server with LDAP, so he can remotely invoke methods on the available stateless session beans.

In my EJB method (of a stateless session bean) I call an external web service from a DMS (document management system).
For calling this web service, the current user needs to be authenticated on the DMS system (a separate security system).

In my EJB method, the current user is available by calling "ejbContext.getCallerPrincipal().getName()".
Is it also possible to retrieve the credentials of the current user so that they can be propagated to the web service call?

Or how should I pass, in my EJB, the current user name and password to the external system?

Thanks in advance!
amit punekar
Ranch Hand

Joined: May 14, 2004
Posts: 513
Hi there,
Not sure how you are authenticating the user at the other end, i.e. the web service.
I remember we once secured a web service using Basic Authentication for the web service URL, using the simple servlet login-config element.
Then you pass on the username and password as required by the Basic Auth procedure.

Apart from this, if you need to pass the username/pwd from the SLSB and don't want to use Basic Auth, you can try signing your SOAP XML message, and specifically signing the username/pwd bit. You will need to invoke the web service over SSL for safer transmission of the user details.

To overcome the risk of sending the username/pwd in the SOAP/XML, I think using a token would also make sense, which avoids the need to send the pwd in the message.

I could think of these couple of options. Hope you find them useful.

Regards,
amit
Joris Geuens
Greenhorn

Joined: Oct 08, 2003
Posts: 4
Hi Amit,

Thanks for your reply.

For calling the web service, I first look up a ticket and then pass the WS-Security information in the header.
My Java Swing client is only aware of my EJB server and can look up all my stateless session beans. The client can't call web services!

So my stateless session bean is responsible for looking up a ticket to be able to call a web service of an external system.
But looking up a ticket requires that I pass the user name and password of the current user calling this EJB method to the external system.

Getting the user name in a bean is not the problem ("ejbContext.getCallerPrincipal().getName()"), but sending the password from client to server as just an argument is not the best way, I think!

Other suggestions?

Greetz, Joris
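An added example of the ticket-in-header approach described in this post (it is not code from the thread): a JAX-WS client handler, used from the stateless session bean, that copies a per-caller ticket into the WS-Security header of each outbound request, so the bean only ever holds the ticket and the call fails closed when no ticket is present. The property key, the `dms:Ticket` element and namespace, and the `ticketFor()` lookup named in the comment are assumptions; how the ticket is first obtained from the DMS is outside this example.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

// Client-side JAX-WS handler: copies a per-caller DMS ticket from the request
// context into a wsse:Security header on every outbound SOAP request.
public class TicketSecurityHandler implements SOAPHandler<SOAPMessageContext> {
    // Hypothetical property key; the bean sets it per call via attachTicket().
    public static final String TICKET_PROPERTY = "example.dms.ticket";
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Hypothetical namespace/element for the DMS ticket; the real DMS defines its own.
    private static final String DMS_NS = "urn:example:dms";

    // Called from the session bean after resolving the caller's ticket, e.g.
    //   attachTicket((BindingProvider) port, ticketFor(ejbContext.getCallerPrincipal().getName()));
    public static void attachTicket(BindingProvider port, String ticket) {
        if (ticket == null || ticket.isEmpty()) throw new IllegalArgumentException("caller has no DMS ticket");
        port.getRequestContext().put(TICKET_PROPERTY, ticket);
    }

    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }

    @Override public boolean handleMessage(SOAPMessageContext ctx) {
        if (!Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // only outbound requests get the header
        }
        Object ticket = ctx.get(TICKET_PROPERTY);
        // Fail closed: never send a request to the DMS without the caller's ticket.
        if (ticket == null) throw new IllegalStateException("no DMS ticket in request context");
        try {
            SOAPMessage msg = ctx.getMessage();
            SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader() != null ? env.getHeader() : env.addHeader();
            SOAPHeaderElement security = header.addHeaderElement(new QName(WSSE_NS, "Security", "wsse"));
            security.addChildElement(new QName(DMS_NS, "Ticket", "dms")).addTextNode(ticket.toString());
            msg.saveChanges();
        } catch (SOAPException e) {
            throw new RuntimeException("could not add WS-Security header", e);
        }
        return true;
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

The handler is registered on the port's binding handler chain; because the ticket lives in the request context for one call, a pooled stateless bean does not leak one caller's ticket into another caller's request.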
amit punekar
Ranch Hand

Joined: May 14, 2004
Posts: 513
Hi,
What about using a representative token kind of value for every request to the web service?
Or else create a stateful web service. By stateful, I mean first invoking a login web service which will return you a session id or something which will need to be passed in subsequent requests. Of course, here you will need to authenticate yourself for the first time (again username/pwd). I am not sure, though, how one would implement a stateful web service, as I had once been the consumer of such a web service and not the provider.

Regards,
Amit
Joris Geuens
Greenhorn

Joined: Oct 08, 2003
Posts: 4
Hi Amit,

Do you mean using "one generic user/password" to authenticate for every request to the external system?

In our case that's not a good solution because it's possible that the user has no rights on the external system, so we need to authenticate the user who's calling our stateless session bean on the external system.
If the user is allowed on the external system, the web service call will be successful; otherwise he will get a web service exception "Permission denied on the external system".

Greetz, Joris
amit punekar
Ranch Hand

Joined: May 14, 2004
Posts: 513
Hello there,
I am sorry, Joris, but I can only think of these options based on my earlier experiences with web services.

Regards,
Amit