Use an authentication token of some kind that, if the client is already authenticated, is enclosed with each subsequent request.
If you are using SOAP, the token can be placed in a SOAP header block.
Do I need to use an SSO server to get an authentication token like a SAML token?
And which SSO server fits in this case?
I need an SSO server that does not need code changes, just configuration.
I looked at JBoss Federated SSO, but it needs to work with JBoss Application Server.
SSO is an overkill if you do not plan to actually use a single sign on feature. You can maintain a hash map of session tokens on the web service. When a user authenticates, send that token in the response, the first time. For subsequent calls, the client will send this token to you and you can validate against the hash map.
A word of caution regarding authentication tokens: Be aware that it is possible for a 3rd party to listen to the traffic of a client and make a copy of a token. It is preferable if the token cannot be used by a 3rd party to access the service.
Personally, I would choose an existing security implementation that is known to be able to avert attacks such as stealing tokens.
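The two replies above (a server-side hash map of session tokens, and the warning that a copied token can be replayed) are worked through here as an added example; it is not code from this thread or from any JBoss or SOAP toolkit. The SOAP 1.1 envelope namespace is real; the `urn:example:auth` header namespace, the `SessionToken` element, the 15-minute lifetime and the `TokenStore` class are constructed for the example. The store issues unguessable tokens, expires them, and lets the service revoke them, which bounds how long a stolen token stays useful; the client places the token in a SOAP header block and the service looks it up before handling the body.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # real SOAP 1.1 envelope namespace
AUTH_NS = "urn:example:auth"  # constructed namespace for the token header block

TOKEN_TTL_SECONDS = 15 * 60  # constructed lifetime; a short TTL limits the damage of a copied token


@dataclass
class Session:
    user: str
    expires_at: float


class TokenStore:
    """Server-side map of session token -> session (hypothetical class).

    Tokens come from the secrets module, so they cannot be guessed, and they
    expire, so a token copied off the wire is only useful until its TTL runs
    out or the service revokes it.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def issue(self, user):
        """Called once, after the client's credentials have been verified elsewhere."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = Session(user, self._clock() + self._ttl)
        return token

    def validate(self, token):
        """Return the user bound to a live token, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.expires_at <= self._clock():
            del self._sessions[token]  # lazily purge expired entries
            return None
        return session.user

    def revoke(self, token):
        """Invalidate a token immediately, e.g. on logout or suspected theft."""
        self._sessions.pop(token, None)


def build_request(token, body_xml):
    """Client side: enclose the token in a SOAP header block alongside the body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{AUTH_NS}}}SessionToken").text = token
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def extract_token(envelope_xml):
    """Server side: read the token from the header block; None if it is absent."""
    root = ET.fromstring(envelope_xml)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}SessionToken")
    if node is None or not node.text:
        return None
    return node.text.strip()


def handle_request(store, envelope_xml):
    """Authorize the request by looking the header token up in the store."""
    token = extract_token(envelope_xml)
    user = store.validate(token) if token else None
    if user is None:
        return (401, "unauthenticated")
    return (200, f"hello {user}")


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice")  # issued after a successful login
    req = build_request(tok, "<GetBalance xmlns='urn:example:bank'/>")
    print(handle_request(store, req))  # (200, 'hello alice')
    store.revoke(tok)
    print(handle_request(store, req))  # (401, 'unauthenticated')
```

The expiry and revocation paths are what address the caution about copied tokens; they do not stop an eavesdropper from reading the token in the first place, so the transport itself still has to be protected (TLS for the SOAP endpoint), and anything stronger, such as a token bound to the client or a signed SAML assertion, is the kind of existing security implementation the last reply recommends over a home-grown map.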