I have a web application on Glassfish secured with a custom realm, and a jax-ws web service also on Glassfish secured by the same realm. These might be on the same or different servers.
I am using form-based authentication to access the web application. I have configured Single sign-on so that one login works for all web applications on the server.
What I would like is for a servlet in one of these applications to call the secure web service using the same single sign-on facility, i.e. as the same user. However, it doesn't seem to work with web services. And I know the username but not the password, so I can't log in programmatically.
I think I need a single sign-on application but I'm not sure which one to use. OpenSSO looks promising but I don't know how much support it has since being dropped by Sun. I did look at CAS some time ago but I seem to remember that it supported HTTP 'Get' but not 'Post'.
I have a little knowledge of these things but am making decisions on security that I will have to live with for some time. I would be grateful if anyone could offer some advice.
I can't really help with the main question, but OpenSSO has become OpenAM and is still actively developed. JOSSO is another option.
Thanks, Tim. I'll take a look at those.
However, the more I think about it, the more I think I haven't really understood the question myself. It doesn't make sense for a servlet to run as the user who called it.
I'm still interested to know how to secure web applications and web services in different contexts, and possibly different containers, and how to manage access using roles. I think it makes more sense to define security at the web service level, but the user authenticates against the web application.
If anyone has any advice I'd be interested in hearing from you.
The usual way to secure SOAP WS is to use WS-Security, which is supported by all major SOAP stacks. It provides for username/password authentication, encryption, and digital signing.