tags:

views:

639

answers:

3
+1  Q: 

Centralized Authentication and Authorization for several Web Services

There are several different web services -- various technologies used, such as Java, .NET, Python, Perl, and possibly more in the future -- belonging to different organizations, and the access to those web services has to be restricted.

The idea is to have a central authentication and authorization server, only responsible for granting access to each WS.

I'm looking for a Single Sign On system in which the user authenticates once with the auth server and is granted access to the web services for a limited timespan.

The security requirements are high, so a username/password set isn't enough.

In a quick search I found many different solutions and approaches to the problem, but I don't know the best one for this case -- a technology independent, secure and reliable solution.

A: 

Isn't this exactly what OpenID is for?

By all means correct me if I'm wrong.

Sneakyness  2009-07-22 08:33:41
No, OpenID is not exactly for this.OpenID is "an open and decentralized identity system". We already considered using OpenID for the authentication part of the system, but we also need to manage authorization (with ACL's) and on that matter OpenID doesn't help.Also any person can have an OpenID -- for instance if you have a gmail account you already have one -- and we need to control which persons will have access to the system.
TNunes  2009-07-22 13:41:09
It's open source though, couldn't you just create a fork that was private and go from there? I wasn't talking about using their servers, I was talking about using their code.
Sneakyness  2009-07-22 14:42:00
We already though about using OpenID as the authentication system and implement only the authorization logic ourselves. But no need to hack OpenID in my opinion. It allows us to assert identities and there's no need to stuff authorization logic inside it, as these functionalities can be implemented as another module aside.
TNunes  2009-07-22 17:37:29
+2  A: 

We did a big research on the subject and couldn't find a suitable solution too. (One nearly good solution, but not so much for webservices is http://www.atlassian.com/software/crowd/)

So we developed a sso and central user management system too for our WS applications (also third party apps) but it's not for sale.

If you test solutions, you should check the performance of the systems, special under load. In the beginning our systems were 30 times slower. Normally you'll find the slow down in the xml parsing and the number of request you have to do (normally where you had one request in the future you'll have at least 4). (We use jmeter to test it.) And you should setup fail over systems, because you'll create a single point failure with sso.

Beffa  2009-07-22 08:55:15
+1  A: 

This problem has been largely solved by WS-Trust, at least for SOAP-based web services anyway. WS-Trust is a well-defined protocol for validating and exchanging "authentication tokens", and can be used in cross-enterprise scenarios with protocols such as WS-Federation that are built on it.

One example scenario is to have the clients request a token from the WS-Trust server, then include that token in the SOAP header to the web service host. The flip side is to include something simple like <UsernameToken> in the request to the host, and have the server-side delegate authentication to the WS-Trust server.

There's pretty good client support for WS-Trust -- WCF has support out of the box, and various vendors have J2EE interceptors for JAX-RPC and JAX-WS web services.

While WS-Trust's focus is on authentication, you can do coarse-grained authorization by using logic about when to issue or validate a received token. Don't issue/validate the token, and access is effectively denied. Fine-grained authorization for web services will usually require some custom interceptors, which are vendor-specific.

I work for IBM Tivoli Security, and we have a few products in this space. The first is Tivoli Federated Identity Manager (TFIM). A colleague and myself wrote this article on integrating TFIM with WSE-based web services, and includes an overview of the WS-Trust protocol itself. The second product is Tivoli Security Policy Manager (TSPM), which implements fine-grained authorization for web services.

There are open source implementations of these same protocols, which is the upside of using a standards-based solution. I believe JBoss and WSO have implementations that might be useful.

craigforster  2009-11-09 04:53:00

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?