5 Replies Latest reply on Nov 3, 2010 10:04 AM by imitchell

    WS Security Basics

    imitchell

      Hello,

      I'm just getting into JBoss WS security (and security in general for that matter) and I have some basic questions to get me going in the right direction.  The questions are not so much about configuration but more about client/server interaction.

      When a client invokes a WS method, how do the user credentials get passed along with the method request? 

      I have not seen that specified in WSDLs so is that some SOAP magic between the client/server?

      The credentials would have to be sent with each ensuing WS method call as well, correct?

      I know this is basic stuff but I just need a mental shove here.

      Thanks.

        • 1. Re: WS Security Basics
          simonpl

          Security in WS is a pretty broad topic (e.g. one way of securing a web service is setting it on SSL) - I'm also not an expert but I've got a bit of experience with it. There is something called "WS-Security" and it is a standard established by OASIS (wiki will tell you more about it). On the other hand, you can design security on your own. Considering your question:

          When a client invokes a WS method, how do the user credentials get passed along with the method request?

          Usually this kind of data is passed in the header part of the SOAP message - the exact way in which you attach the username and password depends on the client technology you're using (JBossWS, Axis2 etc.)

          I have not seen that specified in WSDLs so is that some SOAP magic between the client/server?

          I'm not sure what kind of magic you've got in mind - if you're using the WS-Security standard then WS-Policy contains info about it (WS-Policy - another standard - is a document that contains additional settings for a certain web service - it can be attached to the WSDL or referenced by it)

          The credentials would have to be sent with each ensuing WS method call as well, correct?

          It can be solved like that but I've seen situations where the client was receiving a token after the first call and later only the token was attached to the SOAP message (it was valid for one session)

          Hope that helps

          1 of 1 people found this helpful
          • 2. Re: WS Security Basics
            imitchell

            The token passing may be the "magic" I'm thinking about. Do you happen to know if that is taken care of under the hood, once configured? In other words, if we configure the service/methods to use a token, is there any supporting code that would need to be developed by the client and/or server, or is this taken care of in the WS layer that sits on top of the code?

            Thanks (and sorry for proving that "no good deed goes unpunished"!)

            • 3. Re: WS Security Basics
              simonpl

              I have never used it directly (WS-Security), however JBoss seems to support most of the OASIS standards. I guess that after configuration of WS-Security (authentication, authorization, token etc. - in JBoss there are special files for that, both on the server and client side) the client just passes user credentials in the beginning; after that security is handled by the server/client (it fills the SOAP message with the right header parts).
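To make the "credentials in the SOAP header" idea from replies 1 and 3 concrete, here is an added example (not code from this thread, from JBossWS, or from any OASIS implementation) that builds a WS-Security UsernameToken header on the client side and checks it on the server side. The element names and namespace URIs are the real ones from the OASIS WSS UsernameToken Profile 1.0; the usernames, passwords, payload and the `user_store` lookup are constructed for the demo. The server-side check shows what a defender has to verify beyond the digest itself: that the password was not sent in plaintext, that the `Created` stamp is fresh, and that the nonce has not been seen before (replay).

```python
# Added example (not from this thread or from JBossWS): a WS-Security
# UsernameToken header built client-side and checked server-side. All
# usernames, passwords and payloads below are constructed for the demo.
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soapenv": SOAP_NS, "wsse": WSSE_NS, "wsu": WSU_NS}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in NS.items():          # readable prefixes when serialising
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def parse_ts(stamp: str) -> datetime:
    """Parse a wsu:Created stamp in UTC 'Z' form into an aware datetime."""
    return datetime.strptime(stamp, TS_FMT).replace(tzinfo=timezone.utc)


def build_envelope(username, password, body_xml, *, nonce=None, created=None):
    """Client side: wrap the payload in an Envelope whose Header carries the token.
    The password itself never travels; only the nonce-bound digest does."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, user_store, seen_nonces, *, now=None,
                    max_skew=timedelta(minutes=5)):
    """Server side: return (ok, reason). Rejects plaintext passwords, stale
    Created stamps, replayed nonces, unknown users and wrong digests.
    user_store maps username -> password (constructed here); the digest scheme
    requires the server to hold the password or an equivalent secret."""
    now = now or datetime.now(timezone.utc)
    tok = ET.fromstring(xml_text).find(
        "soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return False, "no UsernameToken in header"
    pw_el = tok.find("wsse:Password", NS)
    if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
        return False, "password must be a digest, not plaintext"
    username = tok.findtext("wsse:Username", default="", namespaces=NS)
    created = tok.findtext("wsu:Created", default="", namespaces=NS)
    try:
        created_dt = parse_ts(created)
        nonce = base64.b64decode(
            tok.findtext("wsse:Nonce", default="", namespaces=NS), validate=True)
    except ValueError:
        return False, "malformed Nonce or Created"
    if abs(now - created_dt) > max_skew:
        return False, "Created outside freshness window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    password = user_store.get(username)
    if password is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce)      # remember the nonce only after a successful check
    return True, "ok"


if __name__ == "__main__":
    store = {"alice": "constructed-demo-password"}   # constructed user store
    seen = set()
    env = build_envelope("alice", store["alice"], "<ping xmlns='urn:demo'/>")
    print(env)
    print(verify_envelope(env, store, seen))
    print(verify_envelope(env, store, seen))   # same message again -> replay
```

Running the script prints the envelope so you can see where the token sits (in `soapenv:Header`, not in the body the WSDL describes), then accepts the first call and rejects the identical second one as a replay. In a real deployment the `seen_nonces` cache only needs to cover the freshness window, and the token would normally ride over TLS so that the username and header are not exposed on the wire.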

              • 4. Re: WS Security Basics
                laures

                Maybe this http://community.jboss.org/message/552851 will help you. Securing web services with JAAS is quite simple. I never tried the security token though.

                • 5. Re: WS Security Basics
                  imitchell

                  Thanks for the scoop folks!

                  So if I had multiple web services deployed to a single JBoss AS, could a user use any of the web methods of any of those web services with a single logon? In other words, does JBoss maintain "security sessions" across web services? Is this the purpose of Security Domains?

                  Thanks again