
Servlet consuming secure web service

 
Steve Coombes
Greenhorn
Posts: 3
Hello

I have a web application on Glassfish secured with a custom realm, and a jax-ws web service also on Glassfish secured by the same realm. These might be on the same or different servers.

I am using form-based authentication to access the web application. I have configured Single sign-on so that one login works for all web applications on the server.

What I would like, is for a servlet in one of these applications to call the secure web service using the same single sign-on facility, i.e. as the same user. However, it doesn't seem to work with web services. And I know the username but not the password so I can't log in programmatically.


I think I need a single sign-on application but I'm not sure which one to use. OpenSSO looks promising but I don't know how much support it has since being dropped by Sun. I did look at CAS some time ago but I seem to remember that it supported HTTP 'Get' but not 'Post'.

I have a little knowledge of these things but am making decisions on security that I will have to live with for some time. I would be grateful if anyone could offer some advice.

Kind regards

Steve
 
Tim Moores
Bartender
Posts: 2500
I can't really help with the main question, but OpenSSO has become OpenAM and is still actively developed. JOSSO is another option.
 
Steve Coombes
Greenhorn
Posts: 3
Thanks, Tim. I'll take a look at those.

However, the more I think about it, the more I think I haven't really understood the question myself. It doesn't make sense for a servlet to run as the user who called it.

I'm still interested to know how to secure web applications and web services in different contexts, and possibly different containers, and how to manage access using roles. I think it makes more sense to define security at the web service level, but the user authenticates against the web application.

If anyone has any advice I'd be interested in hearing from you.

Kind regards

Steve
 
Tim Moores
Bartender
Posts: 2500
The usual way to secure SOAP WS is to use WS-Security, which is supported by all major SOAP stacks. It provides for username/password authentication, encryption, and digital signing.
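
To illustrate the username/password option mentioned in the reply above, here is an added example (not code from any poster in this thread) of a client-side JAX-WS handler that puts a WS-Security UsernameToken on each outgoing request. The class name `UsernameTokenHandler` is hypothetical, the `javax.*` JAX-WS/SAAJ APIs are assumed, and because the PasswordText type carries the password in clear it assumes the call goes over HTTPS.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

// Hypothetical handler: adds <wsse:Security><wsse:UsernameToken> to outbound SOAP messages.
public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    // Namespace and password-type URIs defined by the OASIS WS-Security 1.0 specifications.
    private static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    private final String username;
    private final char[] password;

    public UsernameTokenHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        Boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (!Boolean.TRUE.equals(outbound)) return true; // leave responses untouched
        try {
            SOAPEnvelope env = ctx.getMessage().getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader() != null ? env.getHeader() : env.addHeader();
            SOAPElement security = header.addChildElement("Security", "wsse", WSSE);
            SOAPElement token = security.addChildElement("UsernameToken", "wsse");
            token.addChildElement("Username", "wsse").addTextNode(username);
            SOAPElement pw = token.addChildElement("Password", "wsse");
            pw.setAttribute("Type", PASSWORD_TEXT);
            pw.addTextNode(new String(password));
        } catch (SOAPException e) {
            throw new javax.xml.ws.WebServiceException("Could not add WS-Security header", e);
        }
        return true; // continue with the rest of the handler chain
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```

The handler is attached to a generated port by casting it to `BindingProvider` and passing a list containing the handler to `getBinding().setHandlerChain(...)`.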
 