longbkit

Reputation: 1308

Secure authentication in a web service

I am developing a web service using the Spring framework for Java and deploying it on JBoss AS. This web service needs authentication, authorization and a security solution so that some methods user A can execute and some other methods user B can execute. At the client side there will be an application calling the web service, and people may log in using either user account A or B.

I have been digging through the Internet, searching for web service authentication and researching WS-Security, but all that I can see is using WS-Security. WS-Security generally supplies 4 kinds of authentication:

But all those things are usually pre-configured, and I find no example that suggests I should provide login/logout methods in the web service (by using a stateful web service). Note that if we use login methods there are security risks even if the underlying transport is SSL.

So my question is:

  1. What should I do to satisfy my requirements?
  2. If using UsernameToken or Kerberos Token ... and we provide some privileges per user, i.e. authorization, then for each incoming request we must get the user information and get all its privileges. This process seems to take time and decrease the performance of the system. Do you agree? So I guess this is not recommended?

I would be very thankful for any response and will vote for any reasonable answer.

Upvotes: 1

Views: 787

Answers (2)

Rama Krishna Sanjeeva

Reputation: 427

Your scenario mirrors that of the eBay Trading API.

Basically, it works as follows.

  1. Provide an initial WS call (eBay case: FetchToken) which confirms the user's identity and returns an authorization key (a unique key for each logged-in user). Store the authorization key along with the user profile information in a cache/distributed cache.
  2. Any subsequent call requires the client to pass the authorization key along with the data for the call. You use the authorization key to get the user profile information.
  3. Provide a log out WS call. This invalidates the authorization key.

All the WS invocations should happen over SSL for security.

Upvotes: 2
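The three-step flow in the answer above, as an added example that is not part of the original post or the eBay API: a login call that verifies credentials and returns an opaque random token, a per-call lookup of that token in a server-side cache followed by a per-method privilege check (the lookup the question asks about), and a logout call that invalidates the token. The class and method names (`AuthService`, `login`, `call`, `logout`, `authorized`), the user table and the token lifetime are assumptions for illustration, not Spring or JBoss APIs.

```python
"""Added example (not from the original post): stateful token login/logout
with a per-request authorization lookup.  Names and sample data are
assumptions made for illustration."""
import hmac
import secrets
import time
from hashlib import sha256

# Constructed sample user table: username -> (password hash, privileges).
# A real deployment would use a salted, slow password hash (bcrypt/scrypt);
# SHA-256 with a fixed salt is used only to keep this self-contained.
_SALT = b"example-salt"


def _pwhash(password: str) -> bytes:
    return sha256(_SALT + password.encode()).digest()


USERS = {
    "A": (_pwhash("secretA"), {"readOrders", "cancelOrder"}),
    "B": (_pwhash("secretB"), {"readOrders"}),
}

TOKEN_TTL = 900  # seconds an issued token stays valid (assumed value)


class AuthService:
    """In-memory stand-in for the cache/distributed cache in the answer."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock, for testing expiry
        self._sessions = {}           # token -> (username, privileges, expiry)

    def login(self, username, password):
        """Initial WS call: verify credentials, return an opaque token or None."""
        record = USERS.get(username)
        # Always run the comparison, in constant time, so timing does not
        # reveal whether the username exists.
        expected = record[0] if record is not None else _pwhash("")
        match = hmac.compare_digest(expected, _pwhash(password))
        if record is None or not match:
            return None
        token = secrets.token_urlsafe(32)   # 256 random bits: unguessable
        self._sessions[token] = (username, record[1], self._now() + TOKEN_TTL)
        return token

    def _lookup(self, token):
        """Resolve a token to (username, privileges); drop it if expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, privs, expiry = entry
        if self._now() > expiry:
            del self._sessions[token]
            return None
        return user, privs

    def authorized(self, token, method) -> bool:
        """True if the token is live and its user may call `method`."""
        entry = self._lookup(token)
        return entry is not None and method in entry[1]

    def call(self, token, method):
        """Subsequent WS call: token lookup, then per-method privilege check."""
        entry = self._lookup(token)
        if entry is None:
            raise PermissionError("invalid or expired token")
        user, privs = entry
        if method not in privs:
            raise PermissionError(f"{user} may not call {method}")
        return f"{method} executed for {user}"

    def logout(self, token) -> bool:
        """Logout WS call: invalidate the token server-side."""
        return self._sessions.pop(token, None) is not None


if __name__ == "__main__":
    svc = AuthService()
    ta = svc.login("A", "secretA")
    print(svc.call(ta, "cancelOrder"))
    svc.logout(ta)
    print(svc.authorized(ta, "cancelOrder"))
```

The token is the only thing the client holds, so it must be high-entropy and sent only over SSL; the server-side entry carries the privileges, which is why the per-request lookup is a cache hit rather than a database query. The expiry bounds the damage from a token that leaks and is never logged out.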

hyo1411

Reputation: 81

  1. If your service is point to point, SSL is enough. Mutual SSL (mutual authentication) is widely used for client authN and authZ.

  2. If you are concerned about the performance of the system, look at SAML. A SAML assertion is a signed XML document that contains authN and authZ for the client, which means you do not need to look up client authN and authZ on the server.

Upvotes: 1
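The stateless principle behind the SAML suggestion in the answer above, as an added example that is not part of the original post: the issuer signs an assertion carrying the subject, its privileges and an expiry, and the service checks the signature and reads the privileges from the assertion itself instead of looking them up per request. Real SAML assertions are XML signed with the issuer's private key (XML-DSig); this example uses a compact text encoding and an HMAC key shared between issuer and service, which is an assumption made to keep the code self-contained, as are the function names and the sample privileges.

```python
"""Added example (not from the original post): a signed assertion that
carries authZ data so the service needs no per-request lookup.  HMAC and
the text encoding stand in for SAML's XML-DSig; this is an assumption."""
import base64
import hmac
import json
import time
from hashlib import sha256


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(key: bytes, subject: str, privileges, ttl: int,
                    now=time.time) -> str:
    """Issuer side: bind subject, privileges and expiry under one MAC."""
    body = json.dumps({"sub": subject, "priv": sorted(privileges),
                       "exp": int(now()) + ttl},
                      separators=(",", ":")).encode()
    mac = hmac.new(key, body, sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_assertion(key: bytes, assertion: str, now=time.time):
    """Service side: check MAC and expiry, return the claims or None.

    No server-side state is consulted: everything needed for the decision
    is inside the assertion and vouched for by the signature."""
    try:
        body_b64, mac_b64 = assertion.split(".")
        body = _unb64(body_b64)
        mac = _unb64(mac_b64)
    except ValueError:            # malformed; binascii.Error is a ValueError
        return None
    expected = hmac.new(key, body, sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None               # tampered body or wrong key
    claims = json.loads(body)
    if now() >= claims["exp"]:
        return None               # expired
    return claims


def authorized(key: bytes, assertion: str, method: str,
               now=time.time) -> bool:
    """True if the assertion verifies and grants `method`."""
    claims = verify_assertion(key, assertion, now)
    return claims is not None and method in claims["priv"]


def tamper_with(assertion: str, extra_privilege: str) -> str:
    """Attacker-side helper: add a privilege to the body, keep the old MAC.
    Used to show that the service rejects an edited assertion."""
    body_b64, mac_b64 = assertion.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["priv"].append(extra_privilege)
    forged_body = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(forged_body) + "." + mac_b64


if __name__ == "__main__":
    KEY = b"shared-secret-for-example"          # constructed sample key
    a = issue_assertion(KEY, "B", {"readOrders"}, 600)
    print(authorized(KEY, a, "readOrders"), authorized(KEY, a, "cancelOrder"))
    print(verify_assertion(KEY, tamper_with(a, "cancelOrder")))
```

The trade-off a practitioner should weigh: because nothing is looked up, a signed assertion cannot be revoked before its expiry (a logout call has nothing to invalidate), so either keep the lifetime short or add a revocation list, which reintroduces a per-request lookup. Privilege changes likewise only take effect when a new assertion is issued.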
