How to secure Java webservices with login and session handling
23-09-2019
Question
I'd like to secure my (Java metro) webservice with a login.
Here's how I'm planning to do that:
Steps required when calling a webservice method are:
- call login(user,pwd), receive a session token
  - remember the token
- call servicemethod (token, arg1, arg2...)
- webservice checks if the token is known, if not throw exception otherwise proceed
- logout or timeout after x time periods of inactivity
My questions:
1. What's your opinion on this approach? Does it make sense?
2. Are there any libraries which take the burden of writing a session handling (maybe with database persistence to survive app restarts)?
(the solution should be simple and easily usable with Java and .NET clients)
thanks!
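A sketch of the login/token/timeout flow described in the question, as an added example (not the asker's code and not a Metro API). It assumes the credentials were already verified before `login` is called, keeps sessions in memory only, and leaves out the database persistence asked about in question 2:

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** In-memory session store for a token-authenticated web service (example, not library code). */
public final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Duration idleTimeout;
    // token -> session record; ConcurrentHashMap because service calls arrive concurrently
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    private static final class Session {
        final String user;
        volatile Instant lastSeen;
        Session(String user, Instant now) { this.user = user; this.lastSeen = now; }
    }

    public SessionStore(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    /** Step 1: credentials have been checked elsewhere; issue an unguessable token. */
    public String login(String user) {
        byte[] raw = new byte[32];               // 256 bits from a CSPRNG, never a counter or timestamp
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, Instant.now()));
        return token;
    }

    /** Step 3: resolve a token to its user or throw; expired sessions are evicted on use. */
    public String requireUser(String token) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) throw new SecurityException("unknown session token");
        Instant now = Instant.now();
        if (s.lastSeen.plus(idleTimeout).isBefore(now)) {
            sessions.remove(token);              // step 4: timeout after inactivity
            throw new SecurityException("session expired");
        }
        s.lastSeen = now;                        // sliding inactivity window
        return s.user;
    }

    /** Step 4: explicit logout invalidates the token immediately. */
    public void logout(String token) { sessions.remove(token); }
}
```

Each service method would start with `String user = store.requireUser(token);` and then authorize the call for that user; the token itself carries no identity, so it is useless after `logout` or expiry.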
Solution
This is feasible and I've seen web services using a similar approach. But I wouldn't implement my own custom solution. Instead, I would use a Security Token from the WS-Security specification and, more precisely, a Username Token (you get this from WSIT, which is part of Metro and is thus interoperable with .NET clients). Have a look at this article for an introduction.
Update: More pointers:
- Implementing the WS-Security UsernameToken Profile for Metro-based web services
- What's New in Web Services Enhancements (WSE) 3.0
- WebService Authentication with UsernameToken in WSE 3.0
- Implementing Direct Authentication with UsernameToken in WSE 3.0
I can't say that I found WS-Security very friendly but, still, my experience is that using WS-Security takes less time than implementing a custom solution, is more secure and scales better (checking the database at each call has a cost).
Edit:
Corrected the first two links, because they were dead. Couldn't find one for the third but I think the second should cover that.
OTHER TIPS
Don't immediately jump into implementing this yourself from the ground up. Many J2EE containers / Java frameworks offer support for login / access control. Take a look at the documentation for the framework you are currently using.
Another simple alternative is to implement access control in a front-end webserver; e.g. Apache HTTPD acting as a reverse proxy for Tomcat.
I've thought about trying out Apache Shiro, I can't really say if it's any good. Looks good though.