tags:

views:

358

answers:

3
+2  Q: 

How to secure Java webservices with login and session handling

I'd like to secure my (Java metro) webservice with a login.

Here's how I'm planning to do that:

Steps required when calling a webservice method are:

  1. call login(user,pwd), receive a session token 1.1 remember the token
  2. call servicemethod (token, arg1, arg2...)
  3. webservice checks if the token is known, if not throw exception otherwise proceed
  4. logout or timeout after x time periods of inactivity

my questions: 1. what's your opinion on this approach? does it make sense? 2. are there any libraries which take the burden of writing a session handling (maybe with database persistence to survive app restarts)

(the solution should be simple and easily usable with Java and .NET clients)

thanks!

+1  A: 

Don't immediately jump into implementing this yourself from the ground up. Many J2EE containers / Java frameworks offer support for login / access control. Take a look at the documentation for the framework you are currently using.

Another simple alternative is to implement access control in a front-end webserver; e.g. Apache HTTPD acting as a reverse proxy for Tomcat.

Stephen C  2010-03-31 07:58:35
A: 

This is feasible and I've seen web services using a similar approach. But I wouldn't implement my own custom solution. Instead, I would use a Security Token from the WS-Security specification and, more precisely a Username Token (you get this from WSIT which is part of Metro and is thus interoperable with .NET clients). Have a look at this article for an introduction.

Update: More pointers:

I can't say that I found WS-Security very friendly but, still, my experience is that using WS-Security takes less time than implementing a custom solution, is more secure and scales better (checking the database at each call has a cost).

Pascal Thivent  2010-03-31 08:16:42
I created a stateful java service but when I use it with asp.net I get the following error: "This is a stateful web service and {http://jax-ws.dev.java.net/xml/ns/}objectId header is required." .. any ideas?
hubertg  2010-03-31 10:41:37
Thanks for the link but honestly - to me this all looks quiet complicated. Do you have an example how to use the Username Token? And especially with a ASP.NET client? I'm really stuck, to me it seems like not many people are using this yet.
hubertg  2010-03-31 14:36:44
A: 

I've thought about trying out Apache Shiro, I can't really say if its any good. Looks good though.

msung  2010-04-11 21:11:58

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?