views:

358

answers:

3

I'd like to secure my (Java metro) webservice with a login.

Here's how I'm planning to do that:

Steps required when calling a webservice method are:

  1. call login(user, pwd), receive a session token
     1.1 remember the token
  2. call servicemethod(token, arg1, arg2, ...)
  3. webservice checks if the token is known; if not, throw an exception, otherwise proceed
  4. logout or timeout after x time periods of inactivity

My questions:

  1. What's your opinion on this approach? Does it make sense?
  2. Are there any libraries which take the burden of writing session handling (maybe with database persistence to survive app restarts)?

(the solution should be simple and easily usable with Java and .NET clients)

thanks!
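The token lifecycle sketched in the question, as an added example that is not code from the original post: a minimal in-memory session store in Python (the post is about a Java Metro service, but the lifecycle is the same in any language). `SessionStore`, `IDLE_TIMEOUT_SECONDS`, the 32-byte token size and the `alice` credential entry are assumptions made up for the example.

```python
import hmac
import secrets
import time

# Assumptions for this example: a 32-byte random token and a 15-minute
# inactivity timeout (the post's "x time periods" is left unspecified).
TOKEN_BYTES = 32
IDLE_TIMEOUT_SECONDS = 15 * 60

# Constructed credential table for the example. A real service would keep
# salted password hashes in its user store, never plaintext.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Steps 1-4 of the post: login -> token, call with token, check, logout/timeout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}          # token -> {"user": ..., "last_seen": ...}

    def login(self, user, password):
        """Step 1: verify credentials and hand back a fresh, unguessable token."""
        expected = USERS.get(user)
        # compare_digest keeps the comparison constant-time; comparing a
        # plaintext password is only for illustration (see USERS above).
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, never random.random()
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def _authenticate(self, token):
        """Step 3: unknown token -> reject; idle too long -> evict and reject."""
        entry = self._sessions.get(token)
        if entry is None:
            raise PermissionError("unknown token")
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            raise PermissionError("session expired")
        entry["last_seen"] = now     # sliding window: each call resets the idle clock
        return entry["user"]

    def logout(self, token):
        """Step 4 (explicit): forget the token so it cannot be reused."""
        self._sessions.pop(token, None)

    def service_method(self, token, arg1, arg2):
        """Step 2: every business method authenticates first, then does its work."""
        user = self._authenticate(token)
        return "%s: %d + %d = %d" % (user, arg1, arg2, arg1 + arg2)

    def active_sessions(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", "correct horse battery staple")
    print(store.service_method(tok, 2, 3))
    store.logout(tok)
    try:
        store.service_method(tok, 2, 3)
    except PermissionError as err:
        print("after logout:", err)
```

If the sessions are persisted to a database to survive restarts, store a hash of the token (e.g. SHA-256) as the key rather than the token itself, so that a dump of the table does not hand out live sessions; the lookup then hashes the presented token first. Whatever the transport, the token must only ever travel over TLS, since anyone who reads it is the user until the timeout fires.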

+1  A: 

Don't immediately jump into implementing this yourself from the ground up. Many J2EE containers / Java frameworks offer support for login / access control. Take a look at the documentation for the framework you are currently using.

Another simple alternative is to implement access control in a front-end webserver; e.g. Apache HTTPD acting as a reverse proxy for Tomcat.

Stephen C
A: 

This is feasible and I've seen web services using a similar approach. But I wouldn't implement my own custom solution. Instead, I would use a Security Token from the WS-Security specification and, more precisely, a Username Token (you get this from WSIT, which is part of Metro and is thus interoperable with .NET clients). Have a look at this article for an introduction.

Update: More pointers:

I can't say that I found WS-Security very friendly but, still, my experience is that using WS-Security takes less time than implementing a custom solution, is more secure, and scales better (checking the database at each call has a cost).

Pascal Thivent
I created a stateful Java service but when I use it with ASP.NET I get the following error: "This is a stateful web service and {http://jax-ws.dev.java.net/xml/ns/}objectId header is required." Any ideas?
hubertg
Thanks for the link but honestly, to me this all looks quite complicated. Do you have an example of how to use the Username Token? And especially with an ASP.NET client? I'm really stuck; to me it seems like not many people are using this yet.
hubertg
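The Username Token that the answer above recommends, as an added example that is neither Metro/WSIT code nor part of the original answer: a Python sketch of what a client puts into the `wsse:UsernameToken` header in its PasswordDigest form, and what the receiving side has to check (digest, freshness of `Created`, nonce replay). The element names, namespace URIs and the digest formula are those of the WS-Security UsernameToken Profile 1.0; `PASSWORDS`, `build_token`, `UsernameTokenVerifier`, the five-minute window and the `alice`/`s3cret` entry are assumptions made up for the example. In Metro, WSIT performs these checks once the security policy is configured; the block shows what is being checked, not how to configure WSIT.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential table for the example. The digest scheme requires the
# server to recover the cleartext password (or a password-equivalent), which is
# one reason a UsernameToken is normally sent over TLS rather than relied on alone.
PASSWORDS = {"alice": "s3cret"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).
    nonce is the raw bytes (not its Base64 text); created and password are UTF-8."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_token(username, password, nonce=None, created=None):
    """Client side: the four children of wsse:UsernameToken, as a dict."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    return {"Username": username,
            "PasswordDigest": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created}


def to_xml(token):
    """Render the header element a WCF or Metro client would put on the wire."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:Username>{escape(token["Username"])}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_TYPE}">{token["Nonce"]}</wsse:Nonce>'
        f'<wsu:Created>{token["Created"]}</wsu:Created>'
        '</wsse:UsernameToken>'
    )


class UsernameTokenVerifier:
    """Server side: check the digest, reject stale Created values and replayed nonces."""

    def __init__(self, freshness=timedelta(minutes=5),
                 now=lambda: datetime.now(timezone.utc)):
        self._freshness = freshness
        self._now = now
        self._seen = set()   # (nonce, created) pairs already accepted; bound this in production

    def verify(self, token) -> str:
        username = token["Username"]
        nonce = base64.b64decode(token["Nonce"])
        created = token["Created"]
        created_at = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
        # The freshness window limits how long a captured header stays usable...
        if abs(self._now() - created_at) > self._freshness:
            raise PermissionError("Created outside the freshness window")
        # ...and the nonce cache stops replay inside that window.
        if (nonce, created) in self._seen:
            raise PermissionError("replayed nonce")
        # Compute a digest even for unknown users so timing does not reveal usernames.
        password = PASSWORDS.get(username, "")
        expected = password_digest(nonce, created, password)
        if username not in PASSWORDS or not hmac.compare_digest(
                expected.encode("ascii"), token["PasswordDigest"].encode("ascii")):
            raise PermissionError("bad credentials")
        self._seen.add((nonce, created))
        return username


if __name__ == "__main__":
    tok = build_token("alice", "s3cret")
    print(to_xml(tok))
    print(UsernameTokenVerifier().verify(tok))
```

Note that this still authenticates every call against the credential store, exactly the per-call cost the answer mentions; what it buys over a home-grown token is an interoperable header that WCF and Metro both understand, and replay protection that a bare "known token" check does not give you.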
A: 

I've thought about trying out Apache Shiro; I can't really say if it's any good. Looks good though.

msung