JSP and Web Service Authentication Sharing


XML & Web services: JSP and Web Service Authentication Sharing

  1. JSP and Web Service Authentication Sharing (3 messages)

    We have a web service that we would like to access from a JSP. The web applications that the JSP and web service reside in both use basic authentication backed by an LDAP security realm. The JSP is using JAX-RPC to connect to the web service. We're wondering if there is a way to connect to the web service without having to reauthenticate. If there is a way to do this, how would the "Call" object be set up in the JSP (the client is dynamic)?
  2. Unfortunately, it is the JSP calling the web service, not the original client (the browser). Therefore, the browser credentials will not automatically propogate. Furthermore, althought the JSP can retrieve the user name [request.getRemoteUser()], it cannot retrieve the password.

    You might be able to manage this by using some proprietary feature of your server, if the JSP engine and JAX-RPC engine are integrated, but I don't know of any server's that support this.
  3. Well, if the web service implementation is also in Java you SHOULD be using EJBs instead. Using web services just adds another layer without bringing any benefit at all. It's pointless.

    But if there are indeed other factors that make web services a reasonable option, you must establish some kind of "trust relationship" between the JSP server and the Web service server (this way you only need to "pass" the username, not the password). I have done it once in WebSphere, but each server has its own way for doing such a thing.

    Perhaps you could describe the topology of your application, also mentioning wich platform(s) are you using.
  4. One other alternative (and this may add extra overhead) may be to use some kind of proxy in the middle - quite a few vendors now provide WSM (Web Services Management) solutions that provide authentication/authorization solution.