Can we use both XACML and basic authentication in a container managed WS for authorization?

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 758
In EPractice Lab, a question "An organization has business logic implemented in EJB components. Current clients use container-managed, role-based security to access the business logic using RMI. Management has determined that the business logic must be made available to non-RMI clients using a web service.
Which container managed web service security mechanism must the development team use to allow web service clients to use the current security model?"

Choice:
A. XKMS
B. XACML
C. XML digital signature
D. HTTP basic authentication
E. annotations mapped to the JAX-WS runtime.

I believe the answer can be D and B. Users are authenticated first using basic authentication and then authorized using the XACML architecture's PEP and PDP.

But the given answer is only D. The explanation by EPractice Lab is: "A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint by using HTTP basic authentication. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint."

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 758
This is an example showing how to use XACML to secure a web service.
https://community.jboss.org/wiki/ProtectingEJBwebserviceswithXACMLAbeginnerstutorial?_sscc=t

Basic authentication is used. The user inputs his/her credentials in the web service client using BindingProvider's USERNAME_PROPERTY and PASSWORD_PROPERTY.
XACML is used as well. There is an xacml-policy.xml in the META-INF directory that defines rules and a policy such that only bob with role1 can access the echo method/operation in SecureEndpointService.
David Brossard
Ranch Hand

Joined: Jun 03, 2004
Posts: 109
Hi,

The question is wrong. First of all, it asks for

Himai Minh wrote: "Which container managed web service security mechanism must the development team use to allow web service clients to use the current security model?"


And it suggests the following answers:

Himai Minh wrote:
Choice:
A. XKMS
B. XACML
C. XML digital signature
D. HTTP basic authentication
E. annotations mapped to the JAX-WS runtime.


None of these are web service security mechanisms. At best, annotations (which?) mapped to the JAX-WS runtime could be considered as a potential answer.
HTTP Basic authentication is a mechanism through which a user can be authenticated. It largely pre-dates web services. It is not specific to web services and in a way, it's not even a recommended way to authenticate for web services, though it does work fine.

XKMS and XACML are not about authentication but rather key management and attribute-based access control respectively.
XML digital signature is about signing XML content. It is not specific to web services and it is not about authenticating but rather proving the authenticity of content and that it has not been tampered with.

Going back to your original question: Can we use both XACML and basic authentication in a container managed WS for authorization?

The answer is yes. You can use HTTP basic authentication (or any other means of authN, e.g. SAML) to authenticate the users and services trying to access your web service. You definitely want to have the authentication container-managed. What that means is that the application / web service / web app / API you are developing and installing in the container does not need to worry about authentication. It's handled by the container.

You can then use XACML (eXtensible Access Control Markup Language) to define XACML policies (access control policies) and then protect your web services. You would typically do that using either a Servlet filter or a JAX-WS handler. They then act as a Policy Enforcement Point (PEP) which creates an XACML authorization request which is then sent to the Policy Decision Point (PDP).

I hope this clarifies things.

Cheers,
David.


No matter what they say in Ohio, we're still first in flight!
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 758
Hi, David. Thanks for your explanation.
I agree that XML digital signature, XML encryption and HTTP basic authentication are not WS-Security mechanisms. These three technologies are actually used by WS-Security mechanisms to implement security during SOAP message exchange between a client and a server.

According to this web site: https://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac55640_.htm,
The WS-Security mechanisms are:
1. Authentication
- using username token ( that means basic authentication using username and password)
- using X509 certificate
2. Integrity
- using XML signature
3. Confidentiality
- using XML encryption

Obviously, WS-Security does not have a mechanism implementing access control (authorization). That is why we need the XACML architecture (PEP, PDP, PRP, PIP) to determine if a subject (e.g. a user) who has some attributes is allowed to access a resource. E.g., a user with role attribute = administrator is permitted to update the DB.
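The two halves described in this thread, the container doing the authentication (David's post) and an xacml-policy.xml that lets only bob with role1 call echo on SecureEndpointService (Himai's summary of the JBoss tutorial), can be seen end to end in the following added example. It is not code from the thread, the JBoss tutorial or any XACML library: the policy document is constructed and simplified (a single Policy, string-equal matches, first-applicable combining), `pep_authorize` stands in for the JAX-WS handler or Servlet filter that would receive the container-authenticated principal, and `evaluate` is a toy PDP that implements just enough of XACML 2.0 target evaluation to decide it.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 identifiers used by both the constructed policy and the request builder.
NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed policy (not the tutorial's xacml-policy.xml): only subject "bob" holding
# role "role1" may invoke "echo" on SecureEndpointService; any other request for that
# service is denied; requests for other services fall outside the policy's Target.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="echo-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Resources><Resource>
    <ResourceMatch MatchId="{EQ}">
      <AttributeValue DataType="{STR}">SecureEndpointService</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{STR}"/>
    </ResourceMatch>
  </Resource></Resources></Target>
  <Rule RuleId="permit-bob-role1-echo" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="{EQ}">
          <AttributeValue DataType="{STR}">bob</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{STR}"/>
        </SubjectMatch>
        <SubjectMatch MatchId="{EQ}">
          <AttributeValue DataType="{STR}">role1</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STR}"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Actions><Action>
        <ActionMatch MatchId="{EQ}">
          <AttributeValue DataType="{STR}">echo</AttributeValue>
          <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{STR}"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""


def _match(match_el, attrs):
    """One SubjectMatch/ResourceMatch/ActionMatch; only string-equal is supported here."""
    if match_el.get("MatchId") != EQ:
        raise ValueError("unsupported MatchId " + str(match_el.get("MatchId")))
    literal = match_el.find("x:AttributeValue", NS).text
    designator = next(c for c in match_el if c.tag.endswith("AttributeDesignator"))
    # Request attributes are bags: the match holds if any value in the bag equals the literal.
    return literal in attrs.get(designator.get("AttributeId"), set())


def _target_matches(target_el, request):
    """A Target matches when, for every category it lists, at least one Subject/Resource/
    Action element has all of its *Match children satisfied. A missing Target matches all."""
    if target_el is None:
        return True
    for category in ("Subjects", "Resources", "Actions"):
        cat_el = target_el.find(f"x:{category}", NS)
        if cat_el is None:
            continue
        attrs = request[category]
        if not any(all(_match(m, attrs) for m in item) for item in cat_el):
            return False
    return True


def evaluate(policy_xml, request):
    """Toy PDP: first-applicable rule combining over a single Policy element."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if _target_matches(rule.find("x:Target", NS), request):
            return rule.get("Effect")
    return "NotApplicable"


def pep_authorize(principal, roles, service, operation, policy_xml=POLICY_XML):
    """PEP in the place of a JAX-WS handler or Servlet filter. The container has already
    authenticated `principal` (e.g. via HTTP Basic); the PEP only builds the XACML request
    from that principal, its roles, the target service and the operation, and asks the PDP.
    A real handler would reject the call for any decision other than "Permit"."""
    request = {
        "Subjects": {SUBJECT_ID: {principal}, ROLE: set(roles)},
        "Resources": {RESOURCE_ID: {service}},
        "Actions": {ACTION_ID: {operation}},
    }
    return evaluate(policy_xml, request)


if __name__ == "__main__":
    for who, roles, op in [("bob", ["role1"], "echo"), ("bob", ["role2"], "echo"),
                           ("alice", ["role1"], "echo"), ("bob", ["role1"], "delete")]:
        print(who, roles, op, "->", pep_authorize(who, roles, "SecureEndpointService", op))
```

The split of responsibilities is the point: nothing in `pep_authorize` checks a password, because by the time a handler runs the container has already done that, and nothing in the policy mentions how bob was authenticated, only what attributes the request carries. Note also that Deny and NotApplicable are different decisions; a PEP should treat both as a refusal rather than only reacting to an explicit Deny.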