Pass authentication info between web service and business layer (Spring, tomcat)

Question

I have spring web service and a business layer deployed separately on two tomcat servers. (As explained in the question Spring WS separately deploy web service and bussiness layer).

Business layer is just a servlet container and web service communicate with it spring httpinvoker.

I use tomcat container based authentication with springs PreAuthenticatedAuthenticationProvider and J2eePreAuthenticatedProcessingFilter. Here I does not provide client application with any authentication token. (I mean I am not manually doing any session handling. It is managed only by tomcat)

Now I want to make sure requests to my business layers are from a authenticated client. One thing I found is to pass the Authentication object which I get from the web service's security context as SecurityContextHolder.getContext().getAuthentication() as request parameter to the business layer. But there I do not have a way to verify that Authentication object. So any idea on a way to achieve security in my business layer?

Answer 1

The httpinvoker way of remoting uses a http client, by default it wil use a plain HttpURLConnection from the JDK. Which way of connecting is used is determined by the imlementation of HttpInvokerRequestExecutor which by default is the SimpleHttpInvokerRequestExecutor.

Now you could switch to use one of the other implementations which use Apache Commons HttpClient under the hood. You could then use BASIC authentication (or digest) to pass the username/password to the service layer (instead of the Authentication object.

Spring Security already supplies this custom implementation for you, so basically the only thing you need to do (client side) is to reconfigure your HttpInvokerProxyFactoryBean.

<bean id="yourServiceProxy" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
    <property name="httpInvokerRequestExecutor" ref="requestExecutor" />
</bean>

<bean id="requestExecutor" class="org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor"/>

See also the javadoc and the Spring Security Reference Guide. This class can be found in the spring-security-remoting dependency. Next to this dependency you need to configure your business layer to use basic authentication.