3 Replies Latest reply on Feb 1, 2005 12:04 PM by forkbomb

Authenticating Webservice as Web Session

rtomlinson Jan 31, 2005 10:14 AM

I want to launch a client app from a web page such that it will access web services with the same authentication as existed for the web page. In JBoss 3.2.3, I could do this by passing the session id to the app so it could add the jsessionid cookie to the http headers.

This technique doesn't seem to work (or I don't know how to configure my application so it does work). Is this approach possible? If so, how? If not, is there a reasonable alternative?

The goal is be able to seamlessly invoke applications that use access-controlled web services on the client from a servlet created web page of a logged-in user.

1. Re: Authenticating Webservice as Web Session

thomas.diesler Feb 1, 2005 6:46 AM (in response to rtomlinson)

WS4EE service endpoints are fundamentally stateless, so passing in a session id does not make sense.

Authenticating against an endpoint is described here:

http://www.jboss.org/wiki/Wiki.jsp?page=WSSecureEndpoint
Actions
2. Re: Authenticating Webservice as Web Session

rtomlinson Feb 1, 2005 8:18 AM (in response to rtomlinson)

True, it makes no sense for a j2ee session, but the session I am trying to maintain is a web (tomcat) session. The web session makes sense for authentication else every page would require typing in your name and password
Actions
3. Re: Authenticating Webservice as Web Session

forkbomb Feb 1, 2005 12:04 PM (in response to rtomlinson)

Instead of passing the session ID, you can configure the security domain to have the same user names and passwords as your web users, configure your web services to use basic auth, then pass the username and password as the HTTP headers. The wiki link that Thomas posted above explains it all. The trick is just to make sure that the usernames/passwords in your web tier match up with the usernames/passwords in your EJB tier.
Actions

Go to original post