JAAS in WebServices

Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Hi everyone,

I have just logged into this forum, because I found out that there is a lot of helpful information here. I scrutinised it and unfortunately I did not find any useful information connected with my case. I would like to ask you whether it is possible to secure web services with JAAS. My simple web services are invoked from an Android application using SOAP and WSDL. I used JAAS for securing my web application, so I think I understand how it works, and I also read a few articles about using annotations to secure EJBs. My major problem is how to authenticate and authorize a user via a web service. Here is an example:



It works without the @SecurityDomain annotation. "EGpw" is the name of my login-config which I use in the web application, and it works too. My question is how to authenticate and authorize a user by another @WebMethod to let him invoke the getHistory method. Currently, with the @SecurityDomain annotation, invoking any of my methods gives me EJBAccessException: Invalid User

I really appreciate any help. Sorry for my English, I hope you understand what I meant.
Michal
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Hi!
You do not need to implement anything to use basic authentication in an EJB or in a web service.
Since you use an EJB to implement the web service endpoint, you can use ordinary EJB security. EJB security can be configured using annotations and/or an XML deployment descriptor. The container in which the EJB is deployed also needs to be configured. For an example using GlassFish, see section 8.3 of my book: http://www.slideshare.net/krizsan/scdjws-5-study-notes-3085287
In the client, when invoking the web service, an extra step is necessary to set the login and password (extract from the book):

GlassFish, per default, uses JAAS. If you want, you can develop your own login and/or realm modules.
Best wishes!


My free books and tutorials: http://www.slideshare.net/krizsan
Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Hi Ivan!
I appreciate your help, but let me clarify what I would like to achieve.

First of all, I added another annotation. @WebContext(authMethod = "BASIC", secureWSDLAccess = false) works great, because it gives me "This request requires HTTP authentication ()." as a response when I am calling the getHistory method. I forgot to mention that I use SOAPUI to test my web services, and JBoss AS instead of GlassFish. When I tried to call the getHistory method with the login and password given in the additional Authentication and Security-related settings in SOAPUI, it works, but I have to give the login and password in every call and every method. I wrote extra code to access all methods which is similar to yours:


and this works as well. But I can't paste this method into my Android application, because it demands libraries and classes which are not available in Android, such as Service, BindingProvider or even my EGpwInterface. What is more, I would like to first call one method which will be a login method (and it should be a @WebMethod because I have to call it from the Android app), and after that all other methods will be permitted for this user. I found out that SESSION_MAINTAIN_PROPERTY doesn't work, or I just do not know how it should work.

Greetings!
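An added example of the set-up the two posts above describe (container-managed BASIC authentication on a JBoss EJB endpoint plus a JAX-WS client that sets the credentials once on the proxy); this is not code from the thread or from either poster. The security domain name "EGpw" and the @WebContext settings come from the thread; the role name, WSDL URL, service QName and the EGpwInterface port type are hypothetical, and the package of @WebContext varies between JBoss AS versions (org.jboss.wsf.spi.annotation in AS 5/6, org.jboss.ws.api.annotation in AS 7). Two source files are shown together.

```java
// ---- Server side: stateless EJB exposed as a JAX-WS endpoint (JBoss AS) ----
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.wsf.spi.annotation.WebContext; // package depends on JBoss AS version (assumption)

@Stateless
@WebService
@SecurityDomain("EGpw")                                     // login-config named in the thread
@WebContext(authMethod = "BASIC", secureWSDLAccess = false) // container issues the HTTP 401 challenge
public class EGpwService implements EGpwInterface {

    @WebMethod
    @RolesAllowed("user") // hypothetical role; it must be mapped in the EGpw realm
    public String getHistory(String accountId) {
        // The container has already authenticated the caller and checked the role
        // before this body runs; an unauthenticated call never reaches it.
        return "history for " + accountId; // constructed placeholder result
    }
}

// ---- Client side: plain JAX-WS client (not usable on Android, as the thread notes) ----
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

class EGpwClient {
    public static void main(String[] args) throws Exception {
        // Hypothetical WSDL location and service QName; take the real ones from your deployment.
        URL wsdl = new URL("http://localhost:8080/egpw/EGpwService?wsdl");
        QName serviceName = new QName("http://example.com/egpw", "EGpwServiceService");

        Service service = Service.create(wsdl, serviceName);
        EGpwInterface port = service.getPort(EGpwInterface.class);

        // Credentials are stored in the request context once; JAX-WS then sends an
        // Authorization: Basic header with every call made through this proxy.
        BindingProvider bp = (BindingProvider) port;
        bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "michal");
        bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "secret");

        System.out.println(port.getHistory("42"));
    }
}
```

Because Basic authentication only base64-encodes the credentials, the endpoint should be served over HTTPS (JBoss transport-guarantee or a TLS-terminating proxy) so they are not readable on the wire.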
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Hi!
I suspect that JAAS is not the solution to your problem, but perhaps rather WS-Security.
In order to be able to avoid providing authentication information with each and every call to the web service, you need a security token.
It is possible to create your own solution, using a login method that returns a token which is later enclosed with every invocation to the web service.
Personally, I would avoid this, especially in matters related to security, and spend some time to investigate whether WS-Security is a viable solution with an Android client.
From what I see on the web, it does seem possible, albeit not trivial.
I also saw some examples of basic authentication from Android clients using the Apache HTTPClient to be able to enclose login and password.
There is also the kSOAP2 library, but I do not know if it has better support for basic authentication.
Best wishes!
Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Hi Ivan!

Thank you so much for the attention you paid to my problem. I was considering my own solution with stateful bean maps which would contain the user session and be stored in a singleton, but I share your opinion that it might not be as safe as services like JAAS or WS-Security. I will look closer at WS-Security. If you have any useful links I would be very grateful. I have never heard of Apache HTTPClient, but it could be a good solution if it is possible to do it by using this extra code from my previous post, or just create a session by an additional URL with login in a servlet(?). Currently, I am using the kSOAP2 library to call my web services from Android, but I have no idea if it has support for basic authentication; I guess it has not.
Thank you for your advice!

Greetings,
Michal
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Hi!
Two tutorials on WS-Security:
http://www.jroller.com/gmazza/entry/metro_usernametoken_profile
http://www.ibm.com/developerworks/java/library/j-jws10/index.html
Do share any experiences - at least I would be very interested in hearing about them!
Good luck!

P.S.
Having looked around, it seems like it may not be entirely trivial to use WS-Security from Android.
In fact, the only environment in which it seems trivial is NetBeans - I was able to modify the SecureCalculator+Client example application and had it going in 10 minutes.
I am beginning to think that adding the username and password to each request maybe isn't that bad after all, if that level of security is sufficient for you.
Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Thank you so much for your help! I found out that I can do this using ksoap2. This code in android app works great for me:


and then added to the call:


Greetings!
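An added example of what the post above describes, a ksoap2-android client that sends HTTP Basic credentials with each call; this is not the poster's code. It assumes ksoap2-android 2.5 or later, where HttpTransportSE.call() accepts a list of HeaderProperty objects, Android API 19 or later for StandardCharsets, and hypothetical namespace, endpoint and method names.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.ksoap2.HeaderProperty;
import org.ksoap2.SoapEnvelope;
import org.ksoap2.serialization.SoapObject;
import org.ksoap2.serialization.SoapSerializationEnvelope;
import org.ksoap2.transport.HttpTransportSE;

import android.util.Base64;

public class EGpwAndroidClient {
    // Hypothetical values; take the real ones from the service WSDL.
    private static final String NAMESPACE = "http://example.com/egpw";
    // HTTPS matters: Basic auth is base64, not encryption, so plain HTTP exposes the password.
    private static final String ENDPOINT = "https://example.com/egpw/EGpwService";
    private static final String METHOD = "getHistory";
    private static final String SOAP_ACTION = NAMESPACE + "/" + METHOD;

    /** Builds the Authorization header the container expects for authMethod = "BASIC". */
    static HeaderProperty basicAuthHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        String encoded = Base64.encodeToString(raw, Base64.NO_WRAP); // NO_WRAP: no newline in the header
        return new HeaderProperty("Authorization", "Basic " + encoded);
    }

    /** Calls getHistory with the credentials attached; throws if the server rejects them (401). */
    public static Object callGetHistory(String user, String password, String accountId)
            throws Exception {
        SoapObject request = new SoapObject(NAMESPACE, METHOD);
        request.addProperty("accountId", accountId);

        SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);
        envelope.setOutputSoapObject(request);

        // Header list is passed per call, so every @WebMethod invocation carries the credentials,
        // which is what the container-managed BASIC auth on the EJB endpoint requires.
        List<HeaderProperty> headers = new ArrayList<HeaderProperty>();
        headers.add(basicAuthHeader(user, password));

        HttpTransportSE transport = new HttpTransportSE(ENDPOINT);
        transport.call(SOAP_ACTION, envelope, headers);
        return envelope.getResponse();
    }
}
```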