This week's giveaway is in the EJB and other Java EE Technologies forum. We're giving away four copies of EJB 3 in Action and have Debu Panda, Reza Rahman, Ryan Cuprak, and Michael Remijan on-line! See this thread for details.
I have written a web service for new user enrollment which will be used by our trusted 3rd party services but i found that anybody who come to know the web service url can enroll the user. Can you please let know what do i need to do to make sure that the request coming is coming from a valid party?
I was busy with different priority in project so coming back to this I have another question -
After going through your links and some other stuff I know of following approaches which can be implemented.
I want to know which one is better
1. Configure username/password for each web service operation invocation.
2. Configure username/password to invoke authenticate() operation first which will generate a token and send it back to client.
Client to use this token to call subsequent web services operation.
or let me know if there is any better approach other than these.
Option 2 is what is typically used. Authentication is typically for a application(and not operation). If you want to control operation level access then i would guess that this would come under scope of authorization. You can decide what authorization mechanism you use to limit users to specific operations only.