Servlet consuming secure web service

Steve Coombes
Greenhorn

Joined: Feb 09, 2012
Posts: 3
Hello

I have a web application on Glassfish secured with a custom realm, and a JAX-WS web service also on Glassfish secured by the same realm. These might be on the same or different servers.

I am using form-based authentication to access the web application. I have configured Single sign-on so that one login works for all web applications on the server.

What I would like is for a servlet in one of these applications to call the secure web service using the same single sign-on facility, i.e. as the same user. However, it doesn't seem to work with web services. And I know the username but not the password so I can't log in programmatically.


I think I need a single sign-on application but I'm not sure which one to use. OpenSSO looks promising but I don't know how much support it has since being dropped by Sun. I did look at CAS some time ago but I seem to remember that it supported HTTP 'Get' but not 'Post'.

I have a little knowledge of these things but am making decisions on security that I will have to live with for some time. I would be grateful if anyone could offer some advice.

Kind regards

Steve
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
I can't really help with the main question, but OpenSSO has become OpenAM and is still actively developed. JOSSO is another option.
Steve Coombes
Greenhorn

Joined: Feb 09, 2012
Posts: 3
Thanks, Tim. I'll take a look at those.

However, the more I think about it, the more I think I haven't really understood the question myself. It doesn't make sense for a servlet to run as the user who called it.

I'm still interested to know how to secure web applications and web services in different contexts, and possibly different containers, and how to manage access using roles. I think it makes more sense to define security at the web service level, but the user authenticates against the web application.

If anyone has any advice I'd be interested in hearing from you.

Kind regards

Steve
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
The usual way to secure SOAP WS is to use WS-Security, which is supported by all major SOAP stacks. It provides for username/password authentication, encryption, and digital signing.
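
The username/password part of WS-Security mentioned above, shown as an added example that is not part of the original thread: it builds a UsernameToken header with a PasswordDigest by hand so the wire format is visible (SOAP stacks normally generate it from configuration). Assumptions: SAAJ (`javax.xml.soap`) is on the classpath, and the calling servlet uses its own service account; the class name, account name and password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;
import javax.xml.soap.*;

// Added example (hypothetical class): WS-Security UsernameToken with PasswordDigest via SAAJ.
public class UsernameTokenExample {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
    static final String B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    // PasswordDigest = Base64(SHA-1(nonce + created + password)), per UsernameToken Profile 1.0.
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    static void addUsernameToken(SOAPMessage msg, String user, String password) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce); // fresh nonce per message lets the service reject replays
        String created = Instant.now().truncatedTo(ChronoUnit.SECONDS).toString(); // UTC, ISO-8601
        SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
        SOAPHeader header = env.getHeader() != null ? env.getHeader() : env.addHeader();
        SOAPElement sec = header.addChildElement("Security", "wsse", WSSE);
        SOAPElement token = sec.addChildElement("UsernameToken", "wsse");
        token.addChildElement("Username", "wsse").addTextNode(user);
        SOAPElement pw = token.addChildElement("Password", "wsse");
        pw.setAttribute("Type", DIGEST);
        pw.addTextNode(digest(nonce, created, password));
        SOAPElement n = token.addChildElement("Nonce", "wsse");
        n.setAttribute("EncodingType", B64);
        n.addTextNode(Base64.getEncoder().encodeToString(nonce));
        token.addChildElement("Created", "wsu", WSU).addTextNode(created);
    }

    public static void main(String[] args) throws Exception {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        // Constructed credentials; a real client would load them from protected configuration.
        addUsernameToken(msg, "svc-webapp", "example-password");
        msg.writeTo(System.out); // prints the envelope with the wsse:Security header
    }
}
```

The digest only hides the password from passive observers; the token itself is not bound to the message body, so it still needs TLS or WS-Security signing underneath it.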