Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

User authentication in SOAP Webservices

Tags:

java

soap

jax-ws

ws-security

I made a question about JAX-WS, Authentication and Authorization - How to?; there was a discussion about security levels, and where to store user credentials.

Now after some conclusions, I want to try one of those scenarios:

  • SOAP web services - metro
  • Message level security - Mutual certificate authentication, to authenticate the client application
  • User credential in the Soap Header

How to get the credentials and do the authorization? I have 2 ideas:

  • JAAS (I don't know anything about this);
  • SOAP handler - using the WebServiceContext to extract the credentials from the message and do the authorization "by hand".

Can you help me to decide the best way, and how to implement it?

Remember that I want mutual certificate, plus a user token.

like image 823
lpinto.eu Avatar asked Oct 14 '11 11:10

lpinto.eu

People also ask

What is authentication type in SOAP message?

Authentication standardsBasic/Digest/NTLM authentication - Uses HTTP headers to identify users. WS-Security SAML and Username Tokens - SOAP/XML based authentication, passes credentials and assertions in SOAP message headers, optionally signed and encrypted.

How do I pass a user ID and password in SOAP header?

ClientCridentials. UserName. Password = "testPass"; In this way you can pass username, password in the header to a SOAP WCF Service.

1 Answers

JAAS does not define how the authentication information should look like in SOAP, but WS-Security defines what kind of standardized tokens you can use during client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos Token).

EDIT: With respect to Metro WebService stack, you need (steps taken from here and here):

  • Inject the handler, that implements javax.xml.ws.handler.soap.SOAPHandler to JAX-WS handler chain either programmatically via ((BindingProvider)port).getBinding().setHandlerChain(Collections.singletonList(handler)) or declaratively by adding @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.
  • The handler should create XWSSProcessor instance using XWSSProcessorFactory, which is passed the callback handler that implements javax.security.auth.callback.CallbackHandler.
  • The callback handler e.g. defines a validator on callback (depends on callback type).

This is the same as "doing by hand" (as the 1st step is to intersect the SOAP message anyway), with some WSS sugar on top. But WSIT (and CXF) use JAAS API and they provide standard implementations for various authentication tokens. Enabling them needs some configuration / coding efforts, but the benefit is that if you later decide to switch from plainttext to Kerberos authentication, you don't need to code a lot. Also "doing by hand" means that you need to deal with authentication information on XML level and what you'll do is implementing one of the standards.

I suggest using Apache CXF that bases on WSS4J – the WS-Security implementation from Apache. You can easily find tutorials (e.g. here and here for Username+password, here and here for SAML) that show to define callback / interceptors to verify authentication information. The advantage of CXF is that it has nice integration with Spring.

like image 171
dma_k Avatar answered Sep 19 '22 18:09

dma_k
Sign in to Comment

Related questions

Java se "occurred during initialization of VM"
Hadoop mapreduce : Driver for chaining mappers within a MapReduce job
Generics - Legal alternative for (elements instanceof List<? extends Comparable>)
Apache Camel - transaction in routes
Convert pixel location to latitude/longitude & vise versa
Implementation of equals(): compare against implemented interface or implementing class?
Jenkins can't launch selenium tests (Timed out waiting for profile to be created)
JFrame : Getting actual content size
Java Heap Space - How does -Xmx work exactly?
JavaFX 2: Get TableCell Row Index
(A better way to) Get files within a project using Eclipse and XText
Spring HttpRemoting client as a Java Configuration Bean
Does creating a File object create a physical file or touch anything outside the JVM?
JFormattedTextField issues
Check if Cookie exists with JSP EL
Testing interactions with external services
How to handle generics inside a Java "annotation processor"?
EC2 Java Api Wait till Ec2 Instance gets created.
Load balanced service using Zookeeper and Thrift
Clearing session, flushing, refreshing, after hibernate bulk updates?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!