Here is the scenario: I have some web services (JAX-WS) that need to be secured. Currently, for authentication needs, I am providing an additional SecurityWService that gives an authorized user a userid and sessionid, which then need to be supplied in requests to the other services.

It would be better to use some Java security. We have many options but could not determine which is the better one to use.

Q1: I understand that I should use SSL in the transport layer, but what should I use for user authorization? Is there a better way of establishing a session, validating the user, etc.?

Here are some key details:

  1. Most web service clients are PHP based.
  2. I am using the JAX-WS implementation as a stateless session EJB.
  3. Deploying to GlassFish v3.

Q2: What is the best framework/technology for user authorization/authentication when using JSF 2.0 and EJB 3.1 technologies (Realms? WSIT?)?

Thank You!

A: 

One thing is certain: you must use HTTPS. SSL is the glue that keeps a secure connection between these components.

If there are services spread between different domains/servers and you require web browsers/clients to maintain state across all of these systems, then OAuth is a good solution. There is a Java and a PHP OAuth implementation on that site. OAuth is flexible and fills a lot of needs.

A more simplistic approach is to use HTTP "basic auth" with an access control list backed by a SQL database. Session state could be stored in the database or in a session bean and accessed by your custom web service. This is more commonly implemented than OAuth.

Rook
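The "basic auth plus a SQL-backed access control list" approach from the answer above, written out as a JAX-WS server-side handler. This is an added example, not code from the question, the answer, or any project; it assumes Java 8 (for `java.util.Base64` and `PBKDF2WithHmacSHA256`), a container-managed `DataSource` registered under the assumed JNDI name `jdbc/svcUsers`, and two assumed tables: `svc_user(username, salt, pw_hash)` holding PBKDF2 password hashes, and `svc_acl(username, operation)` listing which WSDL operations each user may call. The handler reads the `Authorization` header off the inbound request, verifies the password against the stored hash, checks the ACL for the operation being invoked, and rejects the call with a SOAP fault otherwise. Because the clients are PHP, nothing here depends on a Java-specific client library; any HTTP client that sends a Basic credential over HTTPS works.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.sql.DataSource;
import javax.xml.namespace.QName;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/** Server-side JAX-WS handler: HTTP Basic authentication + SQL-backed ACL. */
public class BasicAuthHandler implements SOAPHandler<SOAPMessageContext> {

    private static final String JNDI_DATASOURCE = "jdbc/svcUsers"; // assumed JNDI name
    private static final int PBKDF2_ITERATIONS = 100000;
    private static final int HASH_BYTES = 32;
    // Constructed dummy values so a lookup miss costs the same time as a real verify.
    private static final byte[] DUMMY_SALT = new byte[16];
    private static final byte[] DUMMY_HASH = new byte[HASH_BYTES];

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outbound) {
            return true; // only inbound requests are authenticated
        }
        @SuppressWarnings("unchecked")
        Map<String, List<String>> headers =
                (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        String[] creds = parseBasicCredentials(headers);
        QName op = (QName) ctx.get(MessageContext.WSDL_OPERATION);
        String operation = op == null ? "" : op.getLocalPart();
        try {
            if (creds == null || !authorize(creds[0], creds[1].toCharArray(), operation)) {
                // A fault, not an exception trace: the client learns only that it was refused.
                throw new WebServiceException("Unauthorized");
            }
        } catch (WebServiceException e) {
            throw e;
        } catch (Exception e) {
            throw new WebServiceException("Authentication backend unavailable");
        }
        return true;
    }

    /** Extracts [user, password] from "Authorization: Basic base64(user:pass)", or null. */
    static String[] parseBasicCredentials(Map<String, List<String>> headers) {
        if (headers == null) return null;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // Header names are matched case-insensitively; containers differ in casing.
            if (e.getKey() == null || !e.getKey().equalsIgnoreCase("Authorization")) continue;
            for (String v : e.getValue()) {
                if (v == null || !v.regionMatches(true, 0, "Basic ", 0, 6)) continue;
                try {
                    String decoded = new String(
                            Base64.getDecoder().decode(v.substring(6).trim()), StandardCharsets.UTF_8);
                    int colon = decoded.indexOf(':');
                    if (colon > 0) {
                        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
                    }
                } catch (IllegalArgumentException malformed) {
                    return null; // not valid base64: treat as no credential
                }
            }
        }
        return null;
    }

    /** Looks up the user's hash and ACL row in one query; verifies the password. */
    private boolean authorize(String user, char[] password, String operation) throws Exception {
        DataSource ds = (DataSource) new InitialContext().lookup(JNDI_DATASOURCE);
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT u.salt, u.pw_hash FROM svc_user u "
               + "JOIN svc_acl a ON a.username = u.username "
               + "WHERE u.username = ? AND a.operation = ?")) {
            ps.setString(1, user);       // bound parameters: no SQL injection via the header
            ps.setString(2, operation);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    verifyPassword(password, DUMMY_SALT, DUMMY_HASH); // equalise timing
                    return false;
                }
                return verifyPassword(password, rs.getBytes("salt"), rs.getBytes("pw_hash"));
            }
        }
    }

    /** PBKDF2-HMAC-SHA256 check with a constant-time comparison of the result. */
    static boolean verifyPassword(char[] password, byte[] salt, byte[] expected)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, expected.length * 8);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return MessageDigest.isEqual(actual, expected);
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```

To attach it to the stateless session EJB that implements the service, annotate the bean with `@HandlerChain(file = "handler-chain.xml")` and list `BasicAuthHandler` in that file; the handler then runs before every operation. Two design points: the credential is only as private as the transport, which is why the answer insists on HTTPS, and the ACL check is keyed on the WSDL operation name so that a user who can authenticate is still limited to the operations the database grants them.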