HTTP basic authentication for web service

There is a simple way to authenticate a web service client, one that often gets lost in the discussion of web service security standards, digital signatures, encryption and WS-Security. The WS-I Basic Profile recognizes only SOAP over HTTP, which means SOAP messages travel across the wire as ordinary HTTP requests and responses. If you intercept a web service request or response with a monitor, you will see the SOAP envelope carried in the body of the HTTP message, beneath the HTTP headers (Content-Type, SOAPAction and so on). For a SOAP over HTTP request, we can therefore use HTTP basic authentication to authenticate the web service request: the client sends its credentials in the HTTP Authorization header and the container checks them before the request reaches the service code. Form-based authentication will not work here because it assumes an interactive browser that can be redirected to a login page and fill out a form; a web service client cannot do that. The figure below shows how this would work conceptually.
Figure 1: Web service authentication using HTTP basic authentication

Using servlet security to set up HTTP basic authentication

For an EJB implementation of a web service, you have to put a servlet (or, theoretically, a JSP) in front of it. Such a servlet (typically generated automatically) listens for HTTP requests and delegates each request to the EJB or Java bean. You configure HTTP basic authentication on this servlet in the web.xml of the web module that contains it (in the WebSphere world this servlet is typically known as the HTTP router servlet). The steps to make it work are outlined below:
- Implement the EJB and expose it as a web service (or generate the EJB implementation from the WSDL)
- Configure security on the EJB, e.g. secure the web service method so that only users in a specified role can invoke it. If the intent is to do both authentication and authorization, configuring security on the EJB is important: the servlet constraint decides who may reach the endpoint, while the EJB method permission is what the container enforces on the business method itself
- Generate the router servlet and configure HTTP basic security in its web.xml
- Set the security credentials in the client code so that they travel with the SOAP request, in the HTTP Authorization header
- Turn on application security in your application server
- Map the roles defined in the application to a user or a group in the user registry
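The web.xml below is an added example, not a snippet from the original post: it shows what the router servlet's deployment descriptor looks like once the steps above are applied, with the login method set to BASIC and the ValidUser role that the next installment refers to. The servlet class name and URL pattern are placeholders; the generated router servlet's class is vendor-specific and will differ in your project.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (Servlet 2.4 descriptor, the level WebSphere 6.1 supports).
     Class name and URL pattern are placeholders, not the generated names. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <display-name>HelloRouter</display-name>

  <!-- Router servlet: receives the SOAP/HTTP request and delegates to the EJB. -->
  <servlet>
    <servlet-name>HelloRouter</servlet-name>
    <servlet-class>com.example.hello.HelloRouterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloRouter</servlet-name>
    <url-pattern>/services/Hello</url-pattern>
  </servlet-mapping>

  <!-- Only authenticated callers in the ValidUser role may POST a SOAP request.
       Listing POST alone leaves GET (e.g. ?wsdl) unconstrained; drop the
       http-method element to constrain every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hello web service</web-resource-name>
      <url-pattern>/services/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ValidUser</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container require HTTPS, so the Base64-encoded
         Basic credentials are not sent in clear text. NONE (or omitting the
         element) would let them cross the wire in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- HTTP basic authentication; the realm name is what the client sees in
       the WWW-Authenticate challenge. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Hello web service</realm-name>
  </login-config>

  <!-- Declare the role so it can be mapped to a registry user or group on
       the server, and name the same role in the EJB's method-permission. -->
  <security-role>
    <role-name>ValidUser</role-name>
  </security-role>
</web-app>
```

Two checks worth making after deploying this: first, with application security turned on, an unauthenticated POST to the endpoint should come back as 401 with a WWW-Authenticate: Basic challenge rather than a SOAP response; second, the same ValidUser role must appear in the EJB module's method-permission and be mapped to a user or group in the registry, otherwise the router servlet lets the caller in and the EJB call is still rejected.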
In the next installment, I will create a hello world EJB. The EJB will print the username and whether the user is in the 'ValidUser' role, which we will define as part of the security configuration. I will also show how to set the username and password in the web service client. I will use WebSphere Application Server V6.1, Apache Directory Server (as the user registry) and RAD.

A word of caution

Before I end this discussion, I want to mention a few things. HTTP basic authentication is not always the best way to implement web service security. This approach works only when the security requirements are simple and when the client is able to set the security credentials in the HTTP request. Not all clients are able to do so. As we will see in the next installment, a JAX-RPC client can do this by setting the username and password properties (Stub.USERNAME_PROPERTY and Stub.PASSWORD_PROPERTY, or the equivalent constants on Call) on the javax.xml.rpc.Stub or javax.xml.rpc.Call. Also, by default, credentials set through HTTP basic authentication are passed in clear text within the HTTP request: the Authorization header carries only the Base64 encoding of username:password, which anyone able to read the traffic can decode. That is not safe when the request comes from outside the network, or from any path you do not trust; in that case use HTTPS, which the container can enforce through a CONFIDENTIAL transport guarantee in web.xml. Finally, in this approach the security credentials are NOT available in the SOAP message; they are available only in the HTTP header. If your implementation requires processing of the SOAP message based on the credentials, this approach will not work. In such a situation, you can use a UsernameToken or another WS-Security mechanism. I used this approach successfully for a web application that required authentication and authorization. The new requirements mandated exposing the EJBs as web services because some clients didn't want to use the UI we provided. Both client and service were written in Java.