
When developing a Web service (Hospital Management System) using Java EE, is it necessary to check, for each Web Service call, that the user is logged in?

Which authentication method is the best: JAAS, WS-Security, SAML, a combination, or using your own tokens?

nkvp

2 Answers


You can use filters.

Here's an example of how to use filters:

http://viralpatel.net/blogs/2009/01/tutorial-java-servlet-filter-example-using-eclipse-apache-tomcat.html

Basically you define the URLs where you want the filters to apply; the filter authorizes the user and then calls chain.doFilter(request, response); to invoke the requested method after authorization.

You can also take a look at this: JAX-RS REST web service authentication and authorization.

Personally, I use tokens for authorization.

Timo89
  • OK... but is it better for login to be implemented in a J2EE web service application by storing the UserPrincipal in the SessionContext and retrieving it programmatically every time a method is called? E.g., say PATIENT A buys a medicine: is it good programming practice to store the UserPrincipal in the SessionContext and retrieve the user id from it to use in the transaction, or is it better to pass a token every time for each transaction and store all logged-in users and the tokens issued in a table, so that when the purchase is done, the token can be used to retrieve the user id? – nkvp Feb 04 '12 at 18:15
  • In my design I use tokens which I store locally in a database. However, I'm not 100% convinced that this design is ok. Take a look at this question I posted, maybe we get a good answer here: http://stackoverflow.com/questions/9185362/authentication-and-authorization-for-a-given-scenario – Timo89 Feb 08 '12 at 07:40
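The filter approach the answer describes, written out as an added example (this is not the answerer's code nor the linked tutorial's): a javax.servlet Filter mapped to a URL pattern runs before every service call under that path, so the logged-in check happens once, centrally, rather than in each method. It accepts either a principal stored in the HttpSession at login time or a bearer token looked up in an issued-token table, which is the choice the comments discuss. The URL pattern "/api/*", the session attribute name "userPrincipal", the request attribute "authenticatedUserId" and the in-memory ISSUED_TOKENS map standing in for the database table are all assumptions of this example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping: every call under /api/ passes through this filter first.
@WebFilter(urlPatterns = {"/api/*"})
public class AuthenticationFilter implements Filter {

    // Constructed stand-in for the "tokens issued" table from the comments
    // (token -> user id). A real deployment would query the database instead.
    static final Map<String, String> ISSUED_TOKENS = new ConcurrentHashMap<>();

    @Override
    public void init(FilterConfig config) {
        // Sample entry so the example is self-contained; issued at login in practice.
        ISSUED_TOKENS.put("example-token-for-patient-a", "patientA");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String userId = resolveUser(request);
        if (userId == null) {
            // Not logged in: reject here, the service method is never reached.
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Hand the resolved user id to the service under one agreed attribute name,
        // so e.g. a purchase transaction takes the id from here, not from the client.
        request.setAttribute("authenticatedUserId", userId);
        chain.doFilter(request, response);
    }

    // Returns the user id for this request, or null if nobody is logged in.
    static String resolveUser(HttpServletRequest request) {
        // Option 1: principal stored in the session when the user logged in.
        HttpSession session = request.getSession(false);   // do not create one
        if (session != null) {
            Object principal = session.getAttribute("userPrincipal");
            if (principal instanceof String) {
                return (String) principal;
            }
        }

        // Option 2: token passed on every call as "Authorization: Bearer <token>"
        // and resolved through the issued-token table.
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String token = header.substring("Bearer ".length()).trim();
            return ISSUED_TOKENS.get(token);
        }
        return null;
    }

    @Override
    public void destroy() {
        ISSUED_TOKENS.clear();
    }
}
```

Because the filter sets the user id on the request, the service method that records PATIENT A's purchase reads the id from the "authenticatedUserId" attribute instead of trusting one supplied in the call, and getSession(false) keeps an unauthenticated request from creating a session as a side effect of being checked.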

It all depends on how your web service is implemented, or is going to be. If you still have a choice, I would recommend going with the REST approach: authenticate the user with some kind of login functionality and then maintain the user's session.

Kris
  • Is it better for login to be implemented in a J2EE web service application by storing the UserPrincipal in the SessionContext and retrieving it programmatically every time a method is called? E.g., say PATIENT A buys a medicine: is it good programming practice to store the UserPrincipal in the SessionContext and retrieve the user id from it to use in the transaction, or is it better to pass a token every time for each transaction and store all logged-in users and the tokens issued in a table, so that when the purchase is done, the token can be used to retrieve the user id? – nkvp Feb 04 '12 at 18:16