0 Replies Latest reply on May 26, 2011 1:52 PM by Frank Bitzer

    Best practice - User authentication

    Frank Bitzer Newbie

      Hi there,


      we have some stateless session beans that expose their methods via SOAP web service. E.g.



      public void doSomething(long userId) {...}



      As you can see, this method requests a User Id to be passed so that it knows on what user it should act.


      Therefore, the User Id is contained in the body of the SOAP requests made to this webmethod.


      However, the SOAP requests for our web service also contain WS-Security headers (UsernameToken) so that each user filing a request must authenticate him/herself first. That is, the "username" is the User Id and the "password" is the password of the user.


      On the technical side, I use an interceptor (inherited from AbstractSoapInterceptor) that verifies the user on each incoming request. If the credentials do not match, the request is rejected by throwing a fault in the handleMessage method of the interceptor. If the credentials match, the interceptor does just nothing, so the call is processed as usual.


      My problem is: as you can see, the User Id information is already passed in the SOAP header, so there is no need to repeat it in the body. Actually, it is even absolutely dangerous to repeat it in the body because this way someone can use his/her correct credentials in the header but put another User Id in the body. This way, he/her is able to execute the function as another user than him/herself!



      So I wonder about any best practices in this scenario? Is there any way to pass the information from the SOAP header to the function?