Http Authentication vs Application Authentication?

shai ban
Ranch Hand

Joined: Jan 05, 2010
Posts: 177
Hi all,
I was looking at some code samples for WS authentication, but when I reached the link below I became confused. They are talking about HTTP authentication and application authentication! What is the difference between them?

http://stackoverflow.com/questions/1613212/jax-ws-and-basic-authentication-when-user-names-and-passwords-are-in-a-database

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
I would advise against either approach. The proper way to do username/password security is to use WS-Security, which is supported by all major JAX-WS implementations. Basic Authentication passes the password in cleartext (bad), and application authentication you would need to implement yourself (excellent opportunity to end up with an insecure system).


Ping & DNS - my free Android networking tools app
shai ban
Ranch Hand

Joined: Jan 05, 2010
Posts: 177
I think you didn't understand my question. Sorry, if I was not clear. Let me rephrase.

I am talking about both authentication through WS-Security only... then what is the difference? Please check the link I have provided.

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
That's easy: username/password authentication in WS-Security is something entirely different than HTTP authentication (more properly called "basic authentication") or anything that your application implements on its own. So if you're specifically interested in WS-Security, then the question you posed does not make sense, because you'd use the WS-Security stuff.

Searching for "jax-ws ws-security usernametoken" or some such phrase should get you going, although the details will differ depending on which SOAP stack you're using. For example, the Metro documentation of this is in sections 13 and 14 in https://metro.java.net/guide/.
shai ban
Ranch Hand

Joined: Jan 05, 2010
Posts: 177
Thanks for your patience, but could you please check the link I have provided? If you can provide an explanation based on that, it will be really helpful.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
I'm confused. First you asked about HTTP auth vs. application auth, then you said you didn't want to use either, but instead go with WS-Security, and now you're back to asking the original question. What exactly is your question?
shai ban
Ranch Hand

Joined: Jan 05, 2010
Posts: 177
I am confused now. For sending credentials through WS, we set them on the specific binding. Is that WS-Security? What are the other mechanisms for authentication? HTTP authentication is for the server, I guess. That means the client will set the above credentials. Right?
I don't know if you are getting my doubts. But I am in doubt about what type of basic authentication we have and where we need to implement it (server/client).

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
OK, so you don't know how any of the authentication (just "auth" henceforth) methods work. That's fine, we can hopefully clear that up. First off, any auth method requires changes to the client as well as the server. The client needs to send the credentials, the server needs to process the credentials, and both need to agree on a way to do that.

Basic authentication is an HTTP-only method of auth, and sends username and password basically unencrypted in an HTTP header. It should never be used without at least also using SSL to encrypt the connection.

WS-Security auth is a SOAP-specific approach, which sends the credentials in SOAP headers. I advise using this in favor of basic auth, as it has several advantages, even though it's slightly harder to set up.

Application auth means any approach where the application sends the credentials in some other way that's known to both the client and the server (in the context of SOAP maybe a set of SOAP elements). I advise against doing this, as security is generally hard to get right, and it's too easy to end up with an insecure system. It's better to rely on readily available and fully-debugged solutions professionals have already put in place for you to use.
shai ban
Ranch Hand

Joined: Jan 05, 2010
Posts: 177
I think I got it now. Thanks for your patience and nice explanation.
 