Java – JAX-WS authentication and authorization – how?
What is the best way to authenticate and authorize in a web service?
I am developing a set of web services that require role-based access control. I am using Metro (SOAP) and plain Java, no EJB.
> I want to authenticate the user once, matching the user name and password against the database, and not again on subsequent calls.
> I want to use some kind of session management, maybe session IDs: the client obtains one when logging in and sends it with every call.
So far:
> I have read about authentication against a database, but I want application-level authentication;
> I have read about application authentication with JAX-WS, but I don't want to authenticate on every call;
> I think I can use a SOAP handler to intercept all messages and perform the authorization check in the handler. I can use some kind of session identifier token; the handler can match it against the identifier stored in the database and then allow the web method to be called.
Edit:
I have some questions:
> How do I know the name of the web method being called?
> What kind of token should I use?
> How do I pass this token between calls?
Edit 2
In response to @ag112's answer:
I'm using GlassFish.
I use WS-Policy and WS-Security to encrypt and sign messages, with mutual certificate authentication. I want this security between the applications to be at the message level; user authentication and authorization should also be at the message level.
I only develop the services. I hardly know the clients; they may be written in different languages.
At this point I think the most important thing is to authenticate and authorize users in whatever way is easiest for the client applications to implement.
Solution
@Louis: Here is my input.
The exact solution to your problem depends on the type of web service client you expect, whether you control the client system, the application server, etc. But assuming you have no control over the web service client and all you get is a SOAP message transmitted over HTTP, here is a possible solution.
Of course, you can do session management and authentication either at the message level or at the transport level. That means you can carry session-token and authentication-token information in the SOAP messages, or you can use the standard HTTP session and HTTP authentication mechanisms.
If the transport is HTTP, the transport-level solution is of course much simpler and more widely used in the industry. For the message level, WS specifications such as WS-Security can be used. Each of your web service requests is a simple HTTP GET/POST identified by a unique HTTP URI. Usually in a JAX-WS Metro environment, WSServlet is the entry servlet for any web service call, and it ultimately delegates the call to the correct service provider implementation class. Since your application is deployed in a web server, you can take advantage of all the session and authentication features provided by the J2EE web container.
Since you are looking for role-based access control, I would use the standard <web-resource-collection> in web.xml to specify which role is required for a specific HTTP URI. You can use a standard JAAS login module, which authenticates and populates the JAAS Subject with roles. If the user name/password is provided in the SOAP XML, the JAAS login module can also look into/parse the SOAP XML to retrieve it. The JAAS/app server automatically creates an auth token and stores it as a cookie, so that subsequent requests do not have to go through the authentication process again. This is all standard J2EE; you can find a lot of help on the internet. Let me know your application server so that I can provide more details.
If you still want SOAP message-level session management and authentication & authorization, let me know more about the client and I can provide more details.
Edit 1: Based on your further input, here are some more thoughts. Message security, i.e. encryption and signing, needs to happen on every message that travels between server and client. Authentication as a message: you intend to do it once and send a session token/authentication token to the client for subsequent calls.
The question still remains: either you place a unique session identifier in the SOAP response of the first authentication, and you expect the client to parse the SOAP response XML and make sure it sends you that session identifier in every subsequent SOAP request; or you want to keep session management transparent, where the client only needs to send a user name/password token first and subsequent calls do not need any user name/password token. In that case you will have to rely on transport-based session management, i.e. HTTP cookies.
What works best for you depends on your use case. Can you tell me what the expected use case flow is? How does the other system (the web service client) make multiple service calls to your system? Is it user-driven, or some background process? What exactly is the need for only the first service call to go through the authentication process rather than subsequent calls?
PS: GlassFish provides a way to configure message authentication providers, which can automatically enable/disable message-level authentication.
Edit 2: I understand that you don't want to store user credentials in the client application, but the web server needs those user credentials. OAuth is an open standard protocol that allows site A to access a user's private data on site B. The basic idea is that site A obtains an authentication token with a specific expiration time. So a token derived from the user credentials, or a JSESSIONID, can help you avoid re-authentication. You just need to decide where to keep the token in the client application; if the transport is HTTP, you can keep the token as a cookie.
As I said, passing the user credentials every time seems easy and straightforward.
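The SOAP-handler approach the asker sketches (intercept every message, look up a session token, check the called operation) and the first alternative in Edit 1 of the answer (a token issued once at login and carried in every later request), as an added example that is not part of the original question or answer. It is a server-side JAX-WS `SOAPHandler` for Metro. Everything not in the original is an assumption for illustration: the header name `SessionToken` in namespace `urn:example:auth`, the in-memory session store, the operation names `login`, `getReport` and `deleteReport`, the role table, and SOAP 1.1 faults. The password check against the database is out of scope; the endpoint's `login` method is assumed to do it and then call `issueToken`.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

/** Server-side handler: every inbound request except "login" must carry a valid session token. */
public class SessionTokenHandler implements SOAPHandler<SOAPMessageContext> {

    // Hypothetical header the client sends after login: <SessionToken xmlns="urn:example:auth">...</SessionToken>
    static final QName TOKEN_HEADER = new QName("urn:example:auth", "SessionToken");
    // Context key under which the endpoint can read the authenticated user through WebServiceContext.
    static final String AUTH_USER = "example.auth.user";

    // Hypothetical role table: WSDL operation name -> roles allowed to call it. "login" is the only open operation.
    static final Map<String, Set<String>> REQUIRED_ROLES = new ConcurrentHashMap<>();
    static {
        REQUIRED_ROLES.put("getReport", new HashSet<>(Arrays.asList("user", "admin")));
        REQUIRED_ROLES.put("deleteReport", new HashSet<>(Collections.singletonList("admin")));
    }

    /** In-memory session store (demo only; a database or shared cache would back it in production). */
    static final class Session {
        final String user; final Set<String> roles; final Instant expiresAt;
        Session(String user, Set<String> roles, Instant expiresAt) {
            this.user = user; this.roles = roles; this.expiresAt = expiresAt;
        }
    }
    static final Map<String, Session> SESSIONS = new ConcurrentHashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    /** Called by the endpoint's login method after it has verified the password against the database. */
    public static String issueToken(String user, Set<String> roles, Duration ttl) {
        byte[] raw = new byte[32];                      // 256 random bits: unguessable, carries no user data
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(token, new Session(user, roles, Instant.now().plus(ttl)));
        return token;
    }

    @Override
    public Set<QName> getHeaders() {
        return Collections.singleton(TOKEN_HEADER);    // declared as understood, so mustUnderstand="1" is accepted
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true;                               // responses pass through untouched
        }
        // "How do I know the name of the called web method?": the runtime sets WSDL_OPERATION (a QName).
        QName op = (QName) ctx.get(MessageContext.WSDL_OPERATION);
        String operation = op == null ? "" : op.getLocalPart();
        if ("login".equals(operation)) {
            return true;
        }
        Set<String> allowed = REQUIRED_ROLES.get(operation);
        if (allowed == null) {
            throw fault("Operation not mapped to any role: " + operation);   // default deny, also for null op
        }
        Session s = SESSIONS.get(extractToken(ctx));
        if (s == null || Instant.now().isAfter(s.expiresAt)) {
            throw fault("Missing, unknown or expired session token");
        }
        if (Collections.disjoint(s.roles, allowed)) {
            throw fault("User " + s.user + " is not allowed to call " + operation);
        }
        ctx.put(AUTH_USER, s.user);                    // expose the identity to the endpoint implementation
        ctx.setScope(AUTH_USER, MessageContext.Scope.APPLICATION);
        return true;
    }

    /** Returns the text of the SessionToken header, or "" if it is absent. */
    private static String extractToken(SOAPMessageContext ctx) {
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            if (header == null) return "";
            Iterator<?> it = header.examineAllHeaderElements();
            while (it.hasNext()) {
                SOAPElement e = (SOAPElement) it.next();
                if (TOKEN_HEADER.equals(e.getElementQName()) && e.getValue() != null) {
                    return e.getValue().trim();
                }
            }
        } catch (SOAPException ignored) {              // SAAJ may throw when the envelope has no Header at all
        }
        return "";
    }

    /** SOAP 1.1 "Client" fault; for SOAP 1.2 the code would be "Sender" in the 1.2 envelope namespace. */
    private static SOAPFaultException fault(String reason) {
        try {
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(
                    reason, new QName(SOAPConstants.URI_NS_SOAP_1_1_ENVELOPE, "Client")));
        } catch (SOAPException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

The handler is attached to the `@WebService` class with `@HandlerChain(file = "handlers.xml")`, and the endpoint reads the caller from `WebServiceContext.getMessageContext().get(SessionTokenHandler.AUTH_USER)`. The token is a bearer credential, so it must only travel inside messages that are signed and encrypted (the WS-Security setup the asker already has) or over TLS; storing a hash of the token in the session store instead of the token itself limits the damage if the store leaks. Whether `WSDL_OPERATION` is populated in a given deployment should be verified once on the target server, which is why an unmapped or missing operation is denied rather than allowed.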