JavaRanch » Java Forums » Java » Web Services
JAAS in WebServices

Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Hi everyone,

I have just logged into this forum, because I found out that there is a lot of helpful information here. I scrutinised it and unfortunately I did not find any useful information connected with my case. I would like to ask you whether it is possible to secure web services with JAAS. My simple web services are invoked from an Android application using SOAP and WSDL. I used JAAS for securing my web application, so I think I understand how it works, and I also read a few articles about using annotations to secure EJBs. My major problem is how to authenticate and authorize a user via a web service. Here is an example:



It works without the @SecurityDomain annotation. "EGpw" is the name of the login-config which I use in the web application, and it works too. My question is how to authenticate and authorize a user via another @WebMethod so that they may invoke the getHistory method. Currently, with the @SecurityDomain annotation, invoking any of my methods gives me EJBAccessException: Invalid User

I really appreciate any help; sorry for my English, I hope you understand what I meant.
Michal
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Hi!
You do not need to implement anything to use basic authentication in an EJB or in a web service.
Since you use an EJB to implement the web service endpoint, you can use ordinary EJB security. EJB security can be configured using annotations and/or an XML deployment descriptor. The container in which the EJB is deployed also needs to be configured. For an example using GlassFish, see section 8.3 of my book: http://www.slideshare.net/krizsan/scdjws-5-study-notes-3085287
In the client, when invoking the web service, an extra step is necessary to set the login and password (extract from the book):

GlassFish, per default, uses JAAS. If you want, you can develop your own login and/or realm modules.
Best wishes!


My free books and tutorials: http://www.slideshare.net/krizsan
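As an added illustration of the two halves Ivan describes (container-managed EJB security on the endpoint, and the client-side step that supplies the login and password), here is example code that is not from the thread or from Ivan's book. It assumes a JBoss security domain named "EGpw" (the name Michal mentions), an assumed role name "user" in that realm, a placeholder service URL and namespace, and a hand-written service endpoint interface named EGpwInterface as in the thread; the three sections are separate source files.

```java
// ---- EGpwService.java (server side, deployed as a stateless EJB web service endpoint) ----
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain; // JBoss-specific annotation, as used in the thread

@Stateless
@WebService(serviceName = "EGpwService")
@SecurityDomain("EGpw") // security domain name taken from the thread; it must be configured in the container
public class EGpwService {

    // The container checks the caller's role before the body runs. A caller that is not
    // authenticated or lacks the role gets EJBAccessException, the symptom described above.
    @WebMethod
    @RolesAllowed("user") // assumed role name
    public String getHistory() {
        return "history for the authenticated caller";
    }
}

// ---- EGpwInterface.java (service endpoint interface shared with the client) ----
import javax.jws.WebService;

@WebService(name = "EGpwService", targetNamespace = "http://example.invalid/") // placeholder namespace
public interface EGpwInterface {
    String getHistory();
}

// ---- EGpwClient.java (a plain JAX-WS client, e.g. a desktop test harness) ----
import java.net.URL;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

public class EGpwClient {
    public static void main(String[] args) throws Exception {
        // Placeholder address. Use HTTPS so the BASIC credentials are not sent in the clear.
        URL wsdl = new URL("https://example.invalid/EGpwService?wsdl");
        // Placeholder service QName; it must match the WSDL's service element.
        QName serviceName = new QName("http://example.invalid/", "EGpwService");
        Service service = Service.create(wsdl, serviceName);
        EGpwInterface port = service.getPort(EGpwInterface.class);

        // The extra client-side step: credentials go into the request context, and the
        // JAX-WS runtime turns them into an HTTP Authorization header on every call
        // made through this proxy.
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.USERNAME_PROPERTY, "alice");  // sample credentials
        ctx.put(BindingProvider.PASSWORD_PROPERTY, "s3cret");

        System.out.println(port.getHistory());
    }
}
```

The request-context properties are standard JAX-WS, so this part does not depend on GlassFish or JBoss; only the @SecurityDomain import and the realm configuration are container-specific.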
Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Hi Ivan!
I appreciate your help, but let me clarify what I would like to achieve.

First of all, I added another annotation. @WebContext(authMethod = "BASIC", secureWSDLAccess = false) works great, because it gives me "This request requires HTTP authentication ()." as a response when I am calling the getHistory method. I forgot to mention that I use SOAPUI to test my web services, and JBoss AS instead of GlassFish. When I tried to call the getHistory method with the given login and password in the additional Authentication and Security-related settings in SOAPUI, it works, but I have to give the login and password in every call and every method. I wrote extra code to access all methods which is similar to yours:


and this works as well. But I can't paste this method into my Android application, because it demands libraries and classes which are not available in Android, such as Service, BindingProvider or even my EGpwInterface. What is more, I would like to first call one method which will be the login method (and it should be a @WebMethod, because I have to call it from the Android app), and after that all other methods will be permitted for this user. I found out that SESSION_MAINTAIN_PROPERTY doesn't work, or I just do not know how it should work.

Greetings!
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Hi!
I suspect that JAAS is not the solution to your problem, but perhaps rather WS-Security.
In order to be able to avoid providing authentication information with each and every call to the web service, you need a security token.
It is possible to create your own solution, using a login method that returns a token which is later enclosed with every invocation to the web service.
Personally, I would avoid this, especially in matters related to security, and spend some time to investigate whether WS-Security is a viable solution with an Android client.
From what I see on the web, it does seem possible, albeit not trivial.
I also saw some examples of basic authentication from Android clients using the Apache HTTPClient to be able to enclose login and password.
There is also the kSOAP2 library, but I do not know if it has better support for basic authentication.
Best wishes!
Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Hi Ivan!

Thank you so much for the attention you paid to my problem. I was considering my own solution with stateful bean maps which would contain user sessions and be stored in a singleton, but I share your opinion that it might not be as safe as services like JAAS or WS-Security. I will look closer at WS-Security. If you have any useful links, I would be very grateful. I have never heard about Apache HTTPClient, but it could be a good solution if it is possible to do it by using this extra code from my previous post, or just create a session by an additional URL with login in a servlet(?). Currently, I am using the kSOAP2 library to call my web services from Android, but I have no idea if it has support for basic authentication; I guess it has not.
Thank you for your advice!

Greetings,
Michal
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Hi!
Two tutorials on WS-Security:
http://www.jroller.com/gmazza/entry/metro_usernametoken_profile
http://www.ibm.com/developerworks/java/library/j-jws10/index.html
Do share any experiences - at least I would be very interested in hearing about them!
Good luck!

P.S.
Having looked around, it seems like it may not be entirely trivial to use WS-Security from Android.
In fact, the only environment in which it seems trivial is NetBeans - I was able to modify the SecureCalculator+Client example application and had it going in 10 minutes.
I am beginning to think that adding username and password to each request maybe isn't that bad after all, if that level of security is sufficient for you.
Michal Horowic
Greenhorn

Joined: Dec 26, 2011
Posts: 9
Thank you so much for your help! I found out that I can do this using ksoap2. This code in android app works great for me:


and then added to the call:


Greetings!
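Michal's working snippet is not reproduced in the thread, so here is an added example (not the poster's code) of the approach he describes: calling the secured endpoint from Android with ksoap2-android and sending HTTP BASIC credentials as an Authorization header on every call. It assumes ksoap2-android 2.5.x or later (which provides org.ksoap2.HeaderProperty and the three-argument HttpTransportSE.call overload), a document/literal endpoint at the placeholder URL and namespace below, and that the SOAPAction is the namespace followed by the method name.

```java
import java.util.ArrayList;
import java.util.List;
import org.ksoap2.HeaderProperty;
import org.ksoap2.SoapEnvelope;
import org.ksoap2.serialization.SoapObject;
import org.ksoap2.serialization.SoapSerializationEnvelope;
import org.ksoap2.transport.HttpTransportSE;
import android.util.Base64;

public class EGpwAndroidClient {
    // Placeholders: replace with the real namespace and endpoint. HTTPS matters here,
    // because BASIC sends the credentials base64-encoded, not encrypted.
    private static final String NAMESPACE = "http://example.invalid/";
    private static final String URL = "https://example.invalid/EGpwService";
    private static final String METHOD = "getHistory";

    // Calls getHistory with the given credentials and returns the response body as text.
    // Run it off the UI thread (AsyncTask or a worker thread), as Android requires.
    public static String getHistory(String user, String password) throws Exception {
        SoapObject request = new SoapObject(NAMESPACE, METHOD);
        SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);
        envelope.setOutputSoapObject(request);

        // BASIC = "Basic " + base64(user:password); NO_WRAP keeps the header on a single line.
        String token = Base64.encodeToString((user + ":" + password).getBytes("UTF-8"), Base64.NO_WRAP);
        List<HeaderProperty> headers = new ArrayList<HeaderProperty>();
        headers.add(new HeaderProperty("Authorization", "Basic " + token));

        HttpTransportSE transport = new HttpTransportSE(URL);
        // The headers list is sent with this request only, so every call through this
        // method carries the credentials, which is what the server side expects.
        transport.call(NAMESPACE + METHOD, envelope, headers); // SOAPAction is an assumption
        return envelope.getResponse().toString();
    }
}
```

Because the container answers an unauthenticated call with an HTTP authentication challenge (the "This request requires HTTP authentication" response mentioned earlier in the thread), a wrong or missing header shows up as an exception from transport.call rather than as an empty result, which makes authentication failures easy to distinguish from application errors.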
 