1

I am developing a web service using Spring framework for Java and deploy on JBoss AS. This web service needs authentication and authorization and security solution so that some method user A can execute and some other user B can execute. At client side, there will be an application calling to the web service and people may log in using either user account A or B.

I have been digging out the Internet, searching for web service authentication, researching on WS-Security but all that I can see is using WS-Security. WS-Security generally supplies 4 kinds of authentication:

  • UsernameToken
  • X.509 Token
  • SAML Token
  • Kerberos Token

But all those things are usually pre-configured and I find no example that suggest I should provide login/logout methods in the web service (by using stateful web service). Note that in case we use login methods then there are security risks even if the underlying is SSL transport.

So my question is:

  1. What should I do to satisfy my requirements?
  2. If using UsernameToken or Kerberos Token ... and we provide some privileges per user, i.e authorization, then for each incoming request, we must get the user information and get all its privileges. This process seems take time and decrease performance of the system. Do you agree? So I guess this is not recommended?

I would thank you so much for any response and will vote for any reasonable answer.

longbkit
  • 1,218
  • 1
  • 13
  • 20

2 Answers2

2

Your scenario mirrors that of EBay Trading API's.

Basically, it works as follow.

  1. Provide a intial WS call (Ebay case: FetchToken) which confirms user's identity and return back authorization key (unique key for each logged in user). Store the authorization key along with user profile information in a cache/distributed cache .
  2. Any subsequent call required client to pass the authorization key along with the data for the call. You will use the authorization key to get user profile information.
  3. Provide the log out WS call. This invalidates the authorization key.

All the WS invocations should happen over SSL for security.

Mat
  • 202,337
  • 40
  • 393
  • 406
Rama Krishna Sanjeeva
  • 417
  • 3
  • 5
1

  1. If your service is point to point, ssl is enough. Mutual ssl (Mutual_authentication) is widely used for client authN and authZ.

  2. If you concert about performance of system, looking at SAML. SAML is a signed XML document that contains authN and authZ for client, that means you do not need to loop up on the server for client authN and authZ.

hyo1411
  • 81
  • 2
  • My system is end-to-end solution. At the client side there may be many users using a same computer, each with different privileges. So I think "log in" method should be provided to client even though it's rarely mentioned over the Internet. – longbkit Aug 05 '11 at 14:58