SOA services authentication/authorization

As we are moving in the direction of SOA a topic that has come up is how to have each of the services authenticate and authorize a service request.

I saw the following question posted a while back and was wondering if there is any more to it then that.

I am currently in the pr开发者_如何转开发ocess of creating a Security Service which has the responsibility to handle the Authentication and Authorization of a user coming to the application.

To address the issue of the services asking for verification I was thinking of going down the road of adding an operation to this service such that other services can verify a security token that will be provided in the messages. I was also looking at using Apache WSS4J to help with the token.

Thoughts - we currently do not have BPEL in our sights at this point so can I still make use of WSS4J?

---

Yes - you can use WSS4J - but in SOA the concept of authentication and authorization goes beyond from what wss4j. You will see that Apache Axis2 and CXF have wrappers developed around wss4j to support web services security standards like, WS-SecurityPolicy, WS-Trust...

Also - when it comes to authorization the de facto standard is XACML. XACML brings a policy based, fine-grained authorization model for your SOA deployment.

WSO2 Identity Server is an open source product which has support for all these functionalities..

[Disclaimer : I am an architect at WSO2]

---

It really depends on what webservice framework you are intending to deploy to.

Most webservice frameworks already have an authentication and authorization service of some sort or other at the basic username token level, or providing saml support with back-end database, ldap, or xml config file definitions. Apache CXF, JBoss, Oracle SOA, WebSphere, Tomcat, etc.

You should investigate whether the default capabilities arlready give you what you are trying to achieve.