StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POJAX-WS, Authentication and Authorization - How to?
primarykey
Id
5314782
data
AcceptedAnswerId
7766940
AnswerCount
4
ClosedDate
CommentCount
2
CommunityOwnedDate
2011-10-11T08:19:26.397
CreationDate
2011-03-15T16:29:16.767
FavoriteCount
8
LastActivityDate
2011-10-14T11:28:23.243
LastEditDate
2017-05-23T12:02:50.280
LastEditorUserId
-1
OwnerUserId
660990
ParentId
0
PostTypeId
1
Score
11
ViewCount
9560
LastEditorDisplayName
text
Body
What is the best way to do authentication and authorization in web services? I am developing a set of web services, requiring role based access control. Using metro - SOAP, simple java without EJBs. <ul> <li>I want to Authenticate the user just one time, using username and password, to be matched against a data base. In the subsequent calls.</li> <li>I would like to use some kind of session management. Could be some session id, retrieved to the client at login, to be presented in all calls.</li> </ul> So Far: <ul> <li>Read <a href="https://stackoverflow.com/questions/1613212/jax-ws-and-basic-authentication-when-user-names-and-passwords-are-in-a-database"> authentication using a database</a> - but I want application level validation; </li> <li>Read <a href="http://www.mkyong.com/webservices/jax-ws/application-authentication-with-jax-ws/" rel="nofollow noreferrer">application authentication with jax-ws</a> - but i don't want to do the authentication mechanism every time;</li> <li>I think I can use a SOAP Handler, to intercept all the messages, and do the authorization control in the hander, using some session identifier token, that comes with the message, that can be matched against an identifier saved in the data base, in the login web method.</li> </ul> EDIT: I still have some questions: <ul> <li>How to know the name of the web method being called?</li> <li>What kind of token should I use?</li> <li>How to pass this token between calls?</li> </ul> EDIT 2 Because of @ag112 answer: I'm using Glassfish. I use WS-Policy and WS-Security to encrypt and sign the messages. Using Mutual Certificate Authentication. I would like to complement this message level security between applications, with the authentication and authorization for the users also in message level. I am just developing the services, and I don't know almost nothing the clients, just that they could be created in different languages. At this point I think the most important thing is to do what ever I need to do to authenticate and authentication the users, I the most easy way to be implemented for the client applications.
Tags
<java><web-services><authentication><jax-ws><access-control>
Title
JAX-WS, Authentication and Authorization - How to?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USlpinto.eu
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POJAX-WS, Authentication and Authorization - How to?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POJAX-WS, Authentication and Authorization - How to?
 UserUserId
 USTraderJoeChicago
 VoteTypeVoteTypeId
 VTFavorite
3. VO
 singulars
 PostPostId
 POJAX-WS, Authentication and Authorization - How to?
 UserUserId
 USlpinto.eu
 VoteTypeVoteTypeId
 VTBountyStart
CommentsPostId
1. CODid you know you may answer your own question? BTW, I think it's a good question and I'm surprised there weren't more responses. I'm not familiar with JAAS, but I did find this article: http://drdobbs.com/web-development/208402532. I looks like you went in the right direction. Cheers!
 singulars
 PostPostId
 POJAX-WS, Authentication and Authorization - How to?
 UserUserId
 USDavid J. Liszewski
2. COThanks for the help, finally someone! I created an answer as you said, wit the road so far. As soon as possible I will read the page you referred, thanks again!
 singulars
 PostPostId
 POJAX-WS, Authentication and Authorization - How to?
 UserUserId
 USlpinto.eu

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.