
Can we use both XACML and basic authentication in a container managed WS for authorization?

 
Himai Minh
Ranch Hand
Posts: 1229
In EPractice Lab, there is a question: "An organization has business logic implemented in EJB components. Current clients use container-managed, role-based security to access the business logic using RMI. Management has determined that the business logic must be made available to non-RMI clients using a web service.
Which container managed web service security mechanism must the development team use to allow web service clients to use the current security model?"

Choice:
A. XKMS
B. XACML
C. XML digital signature
D. HTTP basic authentication
E. annotations mapped to the JAX-WS runtime.

I believe the answer can be D and B. Users are authenticated first using basic authentication and then authorized using the XACML architecture's PEP and PDP.

But the given answer is only D. The explanation by EPractice Lab: "A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint by using HTTP basic authentication. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint."

 
Himai Minh
Ranch Hand
Posts: 1229
This is an example showing how to use XACML to secure a web service.
https://community.jboss.org/wiki/ProtectingEJBwebserviceswithXACMLAbeginnerstutorial?_sscc=t

Basic authentication is used. The user inputs his/her credentials in the web service client using BindingProvider's USERNAME_PROPERTY and PASSWORD_PROPERTY.
XACML is used as well. There is a xacml-policy.xml in the META-INF directory that defines rules and a policy such that only bob with role1 can access the echo method/operation in SecureEndpointService.
 
David Brossard
Ranch Hand
Posts: 109
Hi,

The question is wrong. First of all, it asks for

Himai Minh wrote:Which container managed web service security mechanism must the development team use to allow web service clients to use the current security model?"


And it suggests the following answers:

Himai Minh wrote:
Choice:
A. XKMS
B. XACML
C. XML digital signature
D. HTTP basic authentication
E. annotations mapped to the JAX-WS runtime.


None of these are web service security mechanisms. At best, annotations (which?) mapped to the JAX-WS runtime could be considered as a potential answer.
HTTP Basic authentication is a mechanism through which a user can be authenticated. It largely pre-dates web services. It is not specific to web services and in a way, it's not even a recommended way to authenticate for web services, though it does work fine.

XKMS and XACML are not about authentication but rather key management and attribute-based access control respectively.
XML digital signature is about signing XML content. It is not specific to web services and it is not about authenticating but rather proving the authenticity of content and that it has not been tampered with.

Going back to your original question: Can we use both XACML and basic authentication in a container managed WS for authorization?

The answer is yes. You can use HTTP basic authentication (or any other means of authN, e.g. SAML) to authenticate the users and services trying to access your web service. You definitely want to have the authentication container-managed. What that means is that the application / web service / web app / API you are developing and installing in the container does not need to worry about authentication. It's handled by the container.

You can then use XACML (eXtensible Access Control Markup Language) to define XACML policies (access control policies) and then protect your web services. You would typically do that using either a Servlet filter or a JAX-WS handler. They then act as a Policy Enforcement Point (PEP) which creates a XACML authorization request which is then sent to the Policy Decision Point (PDP).

I hope this clarifies things.

Cheers,
David.
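A sketch of the servlet-filter PEP described in the reply above, added here as an example; it is not code from this thread, from the JBoss tutorial, or from any XACML product. The `PolicyDecisionPoint` interface is a hypothetical stand-in for a real PDP client, `role1` and the `echo` operation are taken from the tutorial Himai linked, and the attribute identifiers are the standard ones from the XACML 3.0 core specification and its RBAC profile. The filter must be mapped to the same URL pattern that the web.xml `security-constraint` protects, otherwise `getUserPrincipal()` is null and the filter rejects the call.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical PDP client (an assumption, not a real API): takes a XACML request, returns its Decision. */
interface PolicyDecisionPoint { String decide(String xacmlRequest); }

/** Servlet filter acting as PEP in front of the endpoint (Servlet 4.0+: init/destroy have defaults). */
public class XacmlPepFilter implements Filter {
    private final PolicyDecisionPoint pdp;
    public XacmlPepFilter(PolicyDecisionPoint pdp) { this.pdp = pdp; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse resp = (HttpServletResponse) res;
        Principal caller = http.getUserPrincipal();   // populated by container-managed HTTP Basic authN
        if (caller == null) {                         // no security-constraint matched: fail closed
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String role = http.isUserInRole("role1") ? "role1" : "none";  // role as assigned by the realm
        String soapAction = http.getHeader("SOAPAction");              // operation name, e.g. "echo"
        String action = soapAction == null ? "" : soapAction.replace("\"", "");
        String xacml = buildRequest(caller.getName(), role, http.getRequestURI(), action);
        if (!"Permit".equals(pdp.decide(xacml))) {    // Deny, NotApplicable and Indeterminate all block
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Minimal XACML 3.0 request document using the standard subject, resource and action categories. */
    static String buildRequest(String subject, String role, String resource, String action) {
        return "<Request xmlns=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">"
            + cat("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                  attr("urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject)
                + attr("urn:oasis:names:tc:xacml:2.0:subject:role", role))
            + cat("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                  attr("urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource))
            + cat("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                  attr("urn:oasis:names:tc:xacml:1.0:action:action-id", action))
            + "</Request>";
    }
    private static String cat(String c, String a) { return "<Attributes Category=\"" + c + "\">" + a + "</Attributes>"; }
    private static String attr(String id, String value) {   // escape: principal names are untrusted input
        String v = value.replace("&", "&amp;").replace("<", "&lt;").replace("\"", "&quot;");
        return "<Attribute AttributeId=\"" + id + "\" IncludeInResult=\"false\"><AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">" + v + "</AttributeValue></Attribute>";
    }
}
```

Anything other than an explicit Permit is treated as a denial, so a PDP that is unreachable or returns Indeterminate does not silently let the call through.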
 
Himai Minh
Ranch Hand
Posts: 1229
Hi, David. Thanks for your explanation.
I agree that XML digital signature, XML encryption and HTTP basic authentication are not WS-Security mechanisms. These three technologies are actually used by WS-Security mechanisms to implement security during SOAP message exchange between a client and a server.

According to this web site: https://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac55640_.htm,
the WS-Security mechanisms are:
1. Authentication
- using username token (that means basic authentication using username and password)
- using X509 certificate
2. Integrity
- using XML signature
3. Confidentiality
- using XML encryption

Obviously, WS-Security does not have a mechanism implementing access control (authorization). That is why we need the XACML architecture (PEP, PDP, PRP, PIP) to determine if a subject (e.g. a user) who has some attributes is allowed to access a resource. E.g. a user with role attribute = administrator is permitted to update the DB.
 
Ramy Nady
Ranch Hand
Posts: 109
Hello All,

I also face the same question.
I believe the correct answer is E since the question is talking about a container-managed mechanism.

What do you think is the best correct answer among those choices?
 
Himai Minh
Ranch Hand
Posts: 1229
The annotations like @RolesAllowed, @PermitAll, @DenyAll, etc. are used by the EJB container to authorize the user.
But authorization is typically not done by any web container, although some vendor-specific web containers do authorization.
 
Ramy Nady
Ranch Hand
Posts: 109
Himai Minh wrote:The annotations like @RolesAllowed, @PermitAll, @DenyAll, etc. are used by the EJB container to authorize the user.
But authorization is typically not done by any web container, although some vendor-specific web containers do authorization.


So why is the correct answer D here?
 
Himai Minh
Ranch Hand
Posts: 1229
The web container first authenticates the user using basic authentication.
Then, the EJB container authorizes the user.
 