I have just logged into this forum, because I found out that there is a lot of helpful information. I scrutinised it and unfortunately I did not find any useful information connected with my case. I would like to ask you: is it possible to secure web services with JAAS? My simple web services are invoked from an Android application using SOAP and WSDL. I used JAAS for securing my web application, so I think I understand how it works, and I also read a few articles about using annotations to secure EJBs. My major problem is how to authenticate and authorize a user via a web service. Here is an example:
It works without the @SecurityDomain annotation. "EGpw" is the name of my login-config, which I use in the web application, and it works too. My question is how to authenticate and authorize a user through another @WebMethod so that he is allowed to invoke the getHistory method. Currently, with the @SecurityDomain annotation, invoking any of my methods gives me EJBAccessException: Invalid User
I really appreciate any help; sorry for my English, I hope you understand what I meant.
You do not need to implement anything to use basic authentication in an EJB or in a web service.
Since you use an EJB to implement the web service endpoint, you can use ordinary EJB security. EJB security can be configured using annotations and/or an XML deployment descriptor. The container in which the EJB is deployed also needs to be configured. For an example using GlassFish, see section 8.3 of my book: http://www.slideshare.net/krizsan/scdjws-5-study-notes-3085287 In the client, when invoking the web service, an extra step is necessary to set the login and password (extract from the book):
GlassFish, by default, uses JAAS. If you want, you can develop your own login and/or realm modules.
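As an added illustration of the EJB-security approach described above (this is my own sketch, not the book excerpt or the poster's code), the endpoint is a stateless session bean secured with the standard `@DeclareRoles`/`@RolesAllowed` annotations, while `@SecurityDomain` and `@WebContext` are the JBoss-specific annotations the poster already uses; the `org.jboss.*` import packages, the namespace, the service name and the "user" role are assumptions. The JAX-WS client sets the credentials once on the port's request context, after which the runtime adds an HTTP Basic Authorization header to every call.

```java
// Server side: EJB web-service endpoint secured with Java EE security annotations.
// org.jboss.* packages are assumed for the JBoss AS version in use; the rest is Java EE.
import java.net.URL;
import java.util.Map;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;

@WebService(targetNamespace = EGpwInterface.NS)
interface EGpwInterface {
    String NS = "http://example.com/egpw";            // namespace assumed; take it from your WSDL
    @WebMethod String getHistory(String account);
}

@Stateless
@WebService(endpointInterface = "EGpwInterface", serviceName = "EGpwService",
            targetNamespace = EGpwInterface.NS)
@SecurityDomain("EGpw")   // the login-config the web application already authenticates against
@WebContext(authMethod = "BASIC", secureWSDLAccess = false)
@DeclareRoles("user")     // the "EGpw" login module must grant this role to the principal
public class EGpwService implements EGpwInterface {
    @RolesAllowed("user") // an authenticated caller without this role gets EJBAccessException
    public String getHistory(String account) {
        return "history for " + account;              // placeholder business logic
    }
}

// Client side (plain JAX-WS, not Android): credentials are stored in the request context
// once; the JAX-WS runtime sends them as an HTTP Basic header with every call on this port.
class EGpwClient {
    static EGpwInterface connect(String wsdlUrl, String user, String password) throws Exception {
        Service svc = Service.create(new URL(wsdlUrl), new QName(EGpwInterface.NS, "EGpwService"));
        EGpwInterface port = svc.getPort(EGpwInterface.class);
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.USERNAME_PROPERTY, user);
        ctx.put(BindingProvider.PASSWORD_PROPERTY, password);
        return port;   // port.getHistory("acct-1") now succeeds only for a principal in role "user"
    }
}
```

Because Basic authentication only base64-encodes the credentials, the endpoint should be reachable over HTTPS only.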
I appreciate your help, but let me clarify what I would like to achieve.
First of all, I added another annotation. @WebContext(authMethod = "BASIC", secureWSDLAccess = false) works great, because it gives me "This request requires HTTP authentication ()." as a response when I am calling the getHistory method. I forgot to mention that I use SoapUI to test my web services, and JBoss AS instead of GlassFish. When I tried to call the getHistory method with the given login and password in the additional Authentication and Security-related settings in SoapUI, it works, but I have to give the login and password in every call and every method. I wrote extra code to access all methods, which is similar to yours:
and this works as well. But I can't paste this method into my Android application, because it demands libraries and classes which are not available in Android, such as Service, BindingProvider or even my EGpwInterface. What is more, I would like to first call one method which will be a login method (and it should be a @WebMethod because I have to call it from the Android app), and after that all other methods will be permitted for this user. I found out that SESSION_MAINTAIN_PROPERTY doesn't work, or I just do not know how it should work.
I suspect that JAAS is not the solution to your problem, but perhaps rather WS-Security.
In order to be able to avoid providing authentication information with each and every call to the web service, you need a security token.
It is possible to create your own solution, using a login method that returns a token which is later enclosed with every invocation to the web service.
Personally, I would avoid this, especially in matters related to security, and spend some time to investigate whether WS-Security is a viable solution with an Android client.
From what I see on the web, it does seem possible, albeit not trivial.
I also saw some examples of basic authentication from Android clients using the Apache HTTPClient to be able to enclose login and password.
There is also the kSOAP2 library, but I do not know if it has better support for basic authentication.
Thank you so much for the attention you paid to my problem. I was considering my own solution with stateful bean maps which would contain the user session and be stored in a singleton, but I share your opinion that it might not be as safe as services like JAAS or WS-Security. I will look closer at WS-Security. If you have any useful links, I would be very grateful. I have never heard about Apache HttpClient, but it could be a good solution if it is possible to do it by using this extra code from my previous post, or just create a session by an additional URL with login in a servlet(?). Currently, I am using the kSOAP2 library to call my web services from Android, but I have no idea if it has support for basic authentication; I guess it has not.
Thank you for your advice!
Having looked around, it seems like it may not be entirely trivial to use WS-Security from Android.
In fact, the only environment in which it seems trivial is NetBeans - I was able to modify the SecureCalculator+Client example application and had it going in 10 minutes.
I am beginning to think that adding the username and password to each request maybe isn't that bad after all, if that level of security is sufficient for you.
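Both the earlier remark about basic authentication from Android clients (Apache HttpClient or kSOAP2) and the conclusion above that sending the username and password with each request is acceptable can be shown in one Android client; this is an added example, not the poster's code, and the endpoint URL, namespace, SOAP action and parameter name are assumptions to be replaced with the values from your WSDL. kSOAP2's `HttpTransportSE.call(soapAction, envelope, headers)` accepts extra HTTP headers, so the Basic Authorization header is attached to every call without any JAX-WS classes.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.List;
import org.ksoap2.HeaderProperty;
import org.ksoap2.SoapEnvelope;
import org.ksoap2.serialization.SoapObject;
import org.ksoap2.serialization.SoapSerializationEnvelope;
import org.ksoap2.transport.HttpTransportSE;
import org.xmlpull.v1.XmlPullParserException;
import android.util.Base64;

public class EGpwAndroidClient {
    // Assumed values: replace with the endpoint and namespace from your WSDL.
    // Basic auth only base64-encodes the password, so the endpoint must be https://.
    private static final String NAMESPACE = "http://example.com/egpw";
    private static final String ENDPOINT = "https://example.com/EGpw/EGpwService";

    private final String user;
    private final String password;

    public EGpwAndroidClient(String user, String password) {
        this.user = user;
        this.password = password;
    }

    // Builds the header that answers the server's "This request requires HTTP authentication".
    private HeaderProperty basicAuthHeader() {
        byte[] creds = (user + ":" + password).getBytes(Charset.forName("UTF-8"));
        // NO_WRAP: Android's Base64 would otherwise append a newline, which breaks the header.
        return new HeaderProperty("Authorization",
                "Basic " + Base64.encodeToString(creds, Base64.NO_WRAP));
    }

    public Object getHistory(String account) throws IOException, XmlPullParserException {
        SoapObject request = new SoapObject(NAMESPACE, "getHistory");
        request.addProperty("arg0", account); // JAX-WS default parameter name without @WebParam

        SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);
        envelope.setOutputSoapObject(request);

        List<HeaderProperty> headers = new ArrayList<HeaderProperty>();
        headers.add(basicAuthHeader());      // credentials travel with this and every other call

        HttpTransportSE transport = new HttpTransportSE(ENDPOINT);
        transport.call(NAMESPACE + "/getHistory", envelope, headers); // SOAP action assumed
        return envelope.getResponse();       // SoapPrimitive/SoapObject returned by the endpoint
    }
}
```

Run the call off the UI thread (for example in an AsyncTask), since network I/O on the main thread is not allowed on Android.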
Thank you so much for your help! I found out that I can do this using kSOAP2. This code in my Android app works great for me: