In MZ's notes, only two forms of authentications are available for JEE web services:
1. Basic authentication
2. digest authentication
3. form based authentication
4. HTTPS based authentication
5. Kerberos authentication
The correct options are 1.basic and 4 HTTPS authentications according to MZ.
You need to differentiate between web apps and WS. For example, form-based auth only apply to web apps, there being no forms when WS are used.
Basic auth should not be used for WS, though - that's what WS-Security is for, at least for SOAP-based WS. I'm not sure if JEE requires WS-Security to be supported, though - but all major SOAP stacks do so.
Not quite. HTTPS auth can be server-only or client/server. It is actually unusual for HTTPS to be set up to require client auth.
You need to differentiate between WS as such, and WS as implemented on top of a standard Java web app. In the latter case, obviously you can use all the authentication methods Java web apps support. But that WS are implemented on top of servlets is not a given. For example, an EJB exposed as a WS would not work that way.
I think what that JEE WS document refers to may be what's required to be supported - it doesn't mean that you should necessarily use those methods, or that no other methods are available.
Joined: Jul 29, 2012
Let me fix my previous post.
CLIENT-CERT is actually refers to mutual authentication, not client authentication:
"In the CLIENT-CERT method, clients authenticate the server by asking the server for its digital certificate and the server also asks the client to provide its digital certificate to authenticate its identity. In this mode nothing is required to be done except that the client and the server must have a certificate issued by a certificate authority trusted by the other side."
(quote from http://refcardz.dzone.com/refcardz/getting-started-java-ee)
And also one more quote:
"Java EE containers provide some standard authentication mechanisms for using in the Web modules. These methods with their specification names are as follow:
HTTP Basic Authentication: BASIC
Digest Authentication: DIGEST
HTTPS Client Authentication: CLIENT-CERT
Form-Based Authentication: FORM"
I guess JEE containers means where the web applications including servlet, JSP, EJB are deployed. And web services can be deployed as servlets or EJBs.
subject: Only two authentication forms are available for Java EE web service?