Only two authentication forms are available for Java EE web service?

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 792
In MZ's notes, only two forms of authentication are available for JEE web services:
Option:
1. Basic authentication
2. digest authentication
3. form based authentication
4. HTTPS based authentication
5. Kerberos authentication

The correct options are 1.basic and 4 HTTPS authentications according to MZ.

This JEE 6 tutorial at http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html,
it says "Java EE platform supports basic authentication, form based authentication, digest authentication, client authentication and mutual authentication"

So, should I choose option 1, 2, 3, 4 instead of only 1 and 4?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42585
    
You need to differentiate between web apps and WS. For example, form-based auth only applies to web apps, there being no forms when WS are used.

Basic auth should not be used for WS, though - that's what WS-Security is for, at least for SOAP-based WS. I'm not sure if JEE requires WS-Security to be supported, though - but all major SOAP stacks do so.


Ping & DNS - my free Android networking tools app
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 792
Thanks for your quick response:
According to this article: http://download.oracle.com/otn-pub/jcp/websvcs-1.3-mrel2-evaluate-oth-JSpec/websvcs-1_3-final-spec.pdf?AuthParam=1396117574_b0bad0dc7a520028414b3352ed29327f
It says web services support two forms of authentication: Basic authentication and symmetric https (that is HTTPS authentication).

So, that means web services only support basic and symmetric https, but not form based or digest authentication while JEE platform supports form based / digest /kerberos authentication ?
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 792
One more point, I agree that basic authentication is not commonly used for web services.
But in web.xml for deploying a web service, we can define this :


In this case, we can still use client certification for JEE web service. But why are only basic/symmetric https supported according to MZ's notes?

I believe nowadays, client authentication is also supported in web services.
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 792
To answer my own question, https authentication includes server authentication and client authentication.
Reference: http://technet.microsoft.com/en-us/library/cc736680%28v=ws.10%29.aspx
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42585
    
Not quite. HTTPS auth can be server-only or client/server. It is actually unusual for HTTPS to be set up to require client auth.

You need to differentiate between WS as such, and WS as implemented on top of a standard Java web app. In the latter case, obviously you can use all the authentication methods Java web apps support. But that WS are implemented on top of servlets is not a given. For example, an EJB exposed as a WS would not work that way.

I think what that JEE WS document refers to may be what's required to be supported - it doesn't mean that you should necessarily use those methods, or that no other methods are available.
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 792
Let me fix my previous post.

CLIENT-CERT actually refers to mutual authentication, not client authentication:

"In the CLIENT-CERT method, clients authenticate the server by asking the server for its digital certificate and the server also asks the client to provide its digital certificate to authenticate its identity. In this mode nothing is required to be done except that the client and the server must have a certificate issued by a certificate authority trusted by the other side."
(quote from http://refcardz.dzone.com/refcardz/getting-started-java-ee)

And also one more quote:
"Java EE containers provide some standard authentication mechanisms for using in the Web modules. These methods with their specification names are as follow:
HTTP Basic Authentication: BASIC
Digest Authentication: DIGEST
HTTPS Client Authentication: CLIENT-CERT
Form-Based Authentication: FORM"

I guess JEE containers means where the web applications including servlet, JSP, EJB are deployed. And web services can be deployed as servlets or EJBs.
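
Added example (not part of the original thread, and not code from any poster): a small check over the web.xml of a servlet-deployed web service that reads the auth-method values discussed above (BASIC, FORM, CLIENT-CERT) together with the transport-guarantee setting, and reports combinations that leave the endpoint weakly protected. The descriptor, resource name, URL pattern and role are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for a servlet-based JAX-WS endpoint; the resource
# name, URL pattern and role are made up for this example.
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OrderService</web-resource-name>
      <url-pattern>/OrderService</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ws-client</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>{guarantee}</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>{method}</auth-method></login-config>
</web-app>"""

def local(tag):
    """Strip the namespace so descriptors of any Java EE version match."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return (auth_method, findings) for one deployment descriptor."""
    root = ET.fromstring(web_xml)
    method, constraints, tls_everywhere = "NONE", 0, True
    for el in root.iter():
        if local(el.tag) == "auth-method":
            method = (el.text or "").strip()
        elif local(el.tag) == "security-constraint":
            constraints += 1
            tg = [(c.text or "").strip() for c in el.iter()
                  if local(c.tag) == "transport-guarantee"]
            tls_everywhere = tls_everywhere and tg == ["CONFIDENTIAL"]
    findings = []
    if method == "NONE" or constraints == 0:
        findings.append("endpoint is not protected by container authentication")
    if method == "FORM":
        findings.append("FORM expects a login page, which a WS client cannot use")
    if method in ("BASIC", "FORM") and not tls_everywhere:
        findings.append(method + " credentials cross the wire without enforced TLS")
    if method == "CLIENT-CERT" and not tls_everywhere:
        findings.append("CLIENT-CERT relies on the TLS handshake; require CONFIDENTIAL")
    return method, findings

if __name__ == "__main__":
    for m, g in [("BASIC", "NONE"), ("FORM", "NONE"), ("CLIENT-CERT", "CONFIDENTIAL")]:
        print(audit(TEMPLATE.format(method=m, guarantee=g)))
```

This only covers web services deployed in a web module; an EJB exposed as a web service is configured outside web.xml and is not examined here.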

 