5 Replies Latest reply: Nov 3, 2010 10:04 AM by Ian Mitchell

WS Security Basics

Ian Mitchell Newbie

Hello,

I'm just getting into JBoss WS security (and security in general for that matter) and I have some basic questions to get me going in the right direction. The questions are not so much about configuration but more about client/server interaction.

When a client invokes a WS method, how do the user credentials get passed along with the method request?

I have not seen that specified in WSDLs so is that some SOAP magic between the client/server?

The credentials would have to be sent with each ensuing WS method call as well, correct?

I know this is basic stuff but I just need a mental shove here.

Thanks.

  • 1. Re: WS Security Basics
    simon bohdanowicz Newbie

    Security in WS is a pretty broad topic (e.g. one way of securing a web service is setting it on SSL) - I'm also not an expert but I've got a bit of experience with it. There is something called "WS-Security" and it is a standard established by OASIS (wiki will tell you more about it). On the other hand, you can design security on your own. Considering your question:

    When a client invokes a WS method, how do the user credentials get passed along with the method request?

    Usually this kind of data is passed in the header part of the SOAP message - the exact way in which you attach the username and password depends on the client technology you're using (JBossWS, Axis2 etc.)

    I have not seen that specified in WSDLs so is that some SOAP magic between the client/server?

    I'm not sure what kind of magic you've got in mind - if you're using the WS-Security standard then WS-Policy contains info about it (WS-Policy - another standard - is a document that contains additional settings for a certain web service - it can be attached to the WSDL or referenced by it)

    The credentials would have to be sent with each ensuing WS method call as well, correct?

    It can be solved like that but I've seen situations where the client was receiving a token after the first call and later only the token was attached to the SOAP message (it was valid for one session)

    Hope that helps

  • 2. Re: WS Security Basics
    Ian Mitchell Newbie

    The token passing may be the "magic" I'm thinking about. Do you happen to know if that is taken care of under the hood, once configured? In other words, if we configure the service/methods to use a token, is there any supporting code that would need to be developed by the client and/or server or is this taken care of in the WS layer that sits on top of the code.

    Thanks (and sorry for proving that "no good deed goes unpunished"!)

  • 3. Re: WS Security Basics
    simon bohdanowicz Newbie

    I have never used it directly (ws-security) however jboss seems to be supporting most of the oasis standards. I guess that after configuration of ws-security (authentication, authorization, token etc. - in jboss there are special files for that, both on server and client side) the client is just passing user credentials in the beginning, after that security is handled by the server/client (it fills the soap message with the right header parts).

  • 4. Re: WS Security Basics
    laures Newbie

    Maybe this http://community.jboss.org/message/552851 will help you. Securing webservices with jaas is quite simple. I never tried the security token though.

  • 5. Re: WS Security Basics
    Ian Mitchell Newbie

    Thanks for the scoop folks!

    So if I had multiple web services deployed to a single JBoss AS then could a user use any of the web methods of any of those web services with a single logon? In other words, does JBoss maintain "security sessions" across web services? Is this the purpose of Security Domains?


    Thanks again