Simple Webservice Authentication/Authorization not so simple?_问答_开发者

Simple Webservice Authentication/Authorization not so simple?

开发者 https://www.devze.com 2023-03-24 06:42 出处：网络

Some years ago I added a webservice interface to an existing web application that would allow the creation of custom clients to manipulate the data held by the application. The clients were primarily

Some years ago I added a webservice interface to an existing web application that would allow the creation of custom clients to manipulate the data held by the application. The clients were primarily .NET, whereas the web application was Java (hosted in a Tomcat server), and since back then the interoperability between these two platforms was not so great, I created my own little homegrown auth scheme, using a binary security token spliced into the request/response xml by handlers on both sides.

Since then, technology has progressed on both sides (there's the Metro project on the Java side which emphasizes interoperability with the .NET world); unfortunately I've been busy with other projects and haven't kept up with the details as much. But from what I have read about it so 开发者_JS百科far, shouldn't it be possible to do something similar properly using (relatively) new standards like WS-Security, WS-Policy and the likes?

I've been given the chance to update the code from back then, and I would really like to do it "right" this time. Something that bothered me about the old solution was that the presence of the security token was not reflected in the wsdl (anyone implementing a client would have to know about it from some other source, and include some classes provided by me for the handler, the token and some extra lines of code to hook them up to the web service) - something that, as far as I've understood the WS-* specs, should be possible with WS-Policy or WS-SecurityPolicy?

But somehow I have been unable so far to find any resources (examples, tutorials, etc.) online that would explain how one would even begin to go about implementing something like that.

So, given up-to-date technology and standards (like a server using the Metro framework, and a client in .NET 3 or 4 using WCF), would it be possible to create a web service that uses basic user/password authentication to "Log In" (i.e. create some kind of session, or "conversation") to the service, then allows carrying out any operations on the service while the session remains valid, and invalidates the session once the user either explicitly "Logs Out" or a timeout expires?

Using WS-Security with Spring Web Services
Using Apache CXF with WS-Security
And finally with Metro

Haven't used Metro myself, but I can only recommend either SWS or CXF. (However, in my experience WS authentication & authorization is anything but simple)