What is the best practice for using security in JAX-WS


Problem description

Here is the scenario: I have some web services (JAX-WS) that need to be secured. Currently, for authentication needs, I am providing an additional SecurityWService that gives an authorized user a userid and sessionid that need to be described in requests to other services.

It would be better to use some Java security. We have many of them but could not define which is better to use.

Q1: It is understood that I should use SSL in the transport layer, but what should I use for user authorization? Is there a better way of establishing a session, validating the user, etc.?

Here is some key description:

  1. Most web service clients are PHP based.
  2. I am using the JAX-WS implementation as a stateless session EJB.
  3. Deploying to GlassFish v3.

Q2: What is the best framework/technology for user authorization/authentication when using JSF 2.0 and EJB 3.1 technologies (Realms? WSIT?)?

Thank you!

Solution

One thing is certain: you must use HTTPS. SSL is the glue to keep a secure connection between these components.

If there are services that are spread between different domains/servers and you require a web browser/clients to maintain state across all of these systems then OAuth is a good solution. There is a Java and PHP OAuth implementation on that site. OAuth is flexible and fills a lot of needs.

A more simplistic approach is to use HTTP basic authentication with an access control list backed by an SQL database. Session state could be stored in the database or in a Session Bean and accessed by your custom web service. This is more commonly implemented than OAuth.
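
An added example, not part of the original answer, of the simpler approach it describes: parsing the `Authorization: Basic` header, verifying the password against a salted PBKDF2 hash, and checking a per-operation access control list. The in-memory maps stand in for the SQL tables, and the class name, user, operations and credentials are constructed for illustration; it assumes Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class BasicAuthAcl {
    // Constructed stand-ins for two SQL tables: users(name, salt, hash) and acl(name, operation).
    static final Map<String, byte[][]> USERS = new HashMap<>();
    static final Map<String, Set<String>> ACL = new HashMap<>();

    // Store and compare slow salted hashes, never the plaintext password.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Returns the authenticated user name, or null if the header is missing, malformed or wrong. */
    static String authenticate(String header) throws Exception {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid Base64
        }
        int colon = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
        if (colon < 1) return null;
        String user = decoded.substring(0, colon);
        byte[][] record = USERS.get(user);
        if (record == null) return null;
        byte[] candidate = hash(decoded.substring(colon + 1).toCharArray(), record[0]);
        return MessageDigest.isEqual(candidate, record[1]) ? user : null; // constant-time comparison
    }

    /** Authorization step: the user must be authenticated and listed for this operation. */
    static boolean isAllowed(String user, String operation) {
        return user != null && ACL.getOrDefault(user, Collections.emptySet()).contains(operation);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8); // use a random per-user salt in practice
        USERS.put("alice", new byte[][] { salt, hash("s3cret:pw".toCharArray(), salt) });
        ACL.put("alice", new HashSet<>(Arrays.asList("getOrder")));
        Base64.Encoder enc = Base64.getEncoder();
        String user = authenticate("Basic " + enc.encodeToString("alice:s3cret:pw".getBytes(StandardCharsets.UTF_8)));
        System.out.println(user + " getOrder=" + isAllowed(user, "getOrder") + " deleteOrder=" + isAllowed(user, "deleteOrder"));
        System.out.println("wrong password -> " + authenticate("Basic " + enc.encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8))));
    }
}
```

Basic credentials are only Base64-encoded, not encrypted, which is why the HTTPS requirement stated in the answer applies to every request that carries this header.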
