JSTL and authenticated web services

Question

Can I access an authenticated web service using JSTL? (Form-based authentication)

If I can't do it using JSTL, is there any other way I do it from a JSP?

---

Maybe I need to give a little more information. I'm using the core library:

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

and the import tag, as in:

<c:import var="xml" url="http://my.service.com/api/xml"/&gt;

Where http://my.service.com/api/xml is a web service requiring form-based authentication - if I try to access it in a browser, I'm prompted for a username and password in a web form, not a popup window.

sorry, I'm no web services expert as you can tell - fingers crossed for an easy solution :)

Answer 1

JSTL == JSP Standard Tag Library? If so, I don't see how JSTL and JSP are different.

If you add tokens to HTML or SOAP headers, you're assuming that the web service knows how to get at them and how to consume them. Form-based authentication uses j_username and j_password for the form element parameter names.

I'd say that security should be a cross-cutting concern. A filter or aspect should be able to get those values out of the HTTP headers and authenticate for you.

Answer 2

@Brabster as @duffymo said, jstl has nothing to do with web services authentication.

If you need to avoid display the authentication page inside some JSP, maybe you can get around with a custom tag which will deal with authentication. How would you authenticate to your web service in a simple console program with a main method? If you know how to do it, integrating that code in a custom tag is easy.

Answer 3

Here's an open source library, http://spnego.sourceforge.net/protected_soap_service.html, that has an example on connecting to a web service that is protected via integrated windows authentication.

The library is implemented as a servlet filter.