Friday, November 20, 2009
Which Identity is used for Authorization
In one of my recent discussions, I came across a question about which identity is used for authorization checks in WebSphere for SOAP over HTTP web services. For the background on web services authorization in a JEE server, please read our previous blog entry (Web Services and Authorization).
Is it the transport level identity, or the message level identity (assuming the identity is propagated using WS-Security)? The answer is: it depends.
- If the web service is implemented as a Java Bean and hosted in a Web container, the security model is the JEE servlet/JSP security model, and the JEE role based authorization check is URL based.
  Under the covers, the Web container intercepts the HTTP request, authenticates the identity from the HTTP transport and performs the authorization check. Message level security has not been processed at this point, because the Web container does not understand or process the SOAP message.
  So for roles defined in the JEE deployment descriptors, the transport level identity is used.
  If, however, you use the programmatic API (e.g. WebServiceContext.isUserInRole) to perform authorization checks in JAX-RPC/JAX-WS application handlers or in the web service provider implementation, the identity could be either the transport level identity or the message level identity. The message level identity always overrides the transport level identity in the security context, since message level security is processed after transport level security.
- If the web service is implemented as a stateless EJB, the identity could be either the transport level identity or the message level identity; again, the message level identity always overrides the transport level identity in the security context, since message level security is processed after transport level security. This applies both to roles defined in the JEE deployment descriptors and to programmatic authorization checks.
  The reason is that the web service EJB leverages the Web container to handle the HTTP protocol. Authorization is done by the Web container (Router Servlet) and by the EJB container, and the identity carried in the SOAP message's message level security is processed and set in the security context before the EJB container is called. Therefore either the HTTP transport level identity or the message level identity can be used.
  In this scenario, you can use JEE role based method level authorization to protect the web services.
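As an added illustration (not code from the original post), here is a stateless EJB exposed as a JAX-WS web service that combines the two checks discussed above: the declarative JEE role-based, method-level check and a programmatic WebServiceContext.isUserInRole check. The class, method and role names (Auditor, Reviewer) are assumptions for the example.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import java.security.Principal;

// Example endpoint; class, method and role names are assumptions, not from the post.
@Stateless
@WebService(serviceName = "AuditReportService")
public class AuditReportBean {

    // The container injects the per-request context. For a stateless EJB
    // endpoint, the identity visible here is whatever the container placed in
    // the security context: the WS-Security (message level) identity when one
    // is present, otherwise the HTTP transport level identity.
    @Resource
    private WebServiceContext wsContext;

    // Declarative JEE role-based, method-level authorization: the EJB container
    // rejects callers not in "Auditor" before the method body runs, using the
    // same security-context identity described above.
    @WebMethod
    @RolesAllowed("Auditor")
    public String getReport(String reportId) {
        Principal caller = wsContext.getUserPrincipal();
        String name = (caller == null) ? "anonymous" : caller.getName();
        return "report " + reportId + " for " + name;
    }

    // Programmatic check for a decision finer than one role per method.
    // isUserInRole consults the same identity as the declarative check, so
    // when a WS-Security identity is present it is that identity, not the
    // transport login, that must hold the role.
    @WebMethod
    public String getReportSummary(String reportId) {
        boolean allowed = wsContext.isUserInRole("Auditor")
                       || wsContext.isUserInRole("Reviewer");
        if (!allowed) {
            throw new SecurityException("caller may not read report " + reportId);
        }
        return "summary of " + reportId;
    }
}
```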
I hope this helps to clarify which identity is used for web service authorization check.