I am developing a web service using the Spring framework for Java and deploying it to JBoss AS. This web service needs authentication, permissions and a security solution so that some methods can be executed by user A and others by user B. On the client side there will be an application that calls the web service, and people can log in using either user account A or B.
I dug through the Internet, searched for web service authentication and explored WS-Security, but everything I see uses WS-Security. WS-Security usually provides 4 types of authentication:
- UsernameToken
- X.509 Token
- SAML Token
- Kerberos Token
But all of these things are usually preconfigured, and I don't see examples suggesting that I should provide login / logout methods for the web service (using a stateful web service). Please note that if you use login methods, there are security risks, even if the underlying transport is SSL.
So my question is:
- What should I do to satisfy my requirements?
- If we use a UsernameToken or Kerberos Token ... and provide some privileges for each user, then for each incoming request we must look up the user and all of his privileges. This process seems to take time and reduce system performance. Do you agree? So I suppose this is not recommended?
I would be thankful for any answer and would upvote any reasonable answer.
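As an added example (not part of the original question, and not Spring, WSS4J or JBoss code), here is what a WS-Security UsernameToken with PasswordDigest actually carries on every request and how a server checks it without any login/logout session: the digest is Base64(SHA-1(nonce + Created + password)), the server enforces a freshness window on Created, keeps a short-lived nonce cache against replay, and only then does the per-request privilege lookup the question worries about. Python is used as a runnable sketch of the protocol rather than Java; the user names, passwords, privilege names and the 300-second window are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time
from datetime import datetime, timezone
from typing import Optional

# Constructed user store for the example: credentials and privileges per account.
# In a real deployment this would be a directory or database lookup per request.
USERS = {
    "userA": {"password": "secretA", "privileges": {"methodA"}},
    "userB": {"password": "secretB", "privileges": {"methodB"}},
}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created is UTC ISO 8601


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password)).

    The raw nonce bytes and the Created string are concatenated with the password,
    so the digest differs on every request and never carries the password itself.
    """
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_username_token(username: str, password: str, now: Optional[float] = None) -> dict:
    """Client side: the fields a <wsse:UsernameToken> header carries for one request."""
    now = time.time() if now is None else now
    nonce = os.urandom(16)
    created = datetime.fromtimestamp(now, tz=timezone.utc).strftime(TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenValidator:
    """Server side: per-request token check; the nonce cache is the only state kept."""

    def __init__(self, users: dict, max_skew: int = 300):
        self.users = users
        self.max_skew = max_skew   # freshness window for Created, in seconds (assumed value)
        self.seen_nonces = {}      # nonce bytes -> time after which it can be forgotten

    def _purge(self, now: float) -> None:
        # A nonce older than the freshness window fails the Created check anyway, so drop it.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}

    def validate(self, token: dict, now: Optional[float] = None) -> set:
        """Return the caller's privilege set, or raise PermissionError."""
        now = time.time() if now is None else now
        created_dt = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt.timestamp()) > self.max_skew:
            raise PermissionError("Created outside the freshness window")

        nonce = base64.b64decode(token["Nonce"])
        self._purge(now)
        if nonce in self.seen_nonces:
            raise PermissionError("nonce already seen: replay")

        user = self.users.get(token["Username"])
        # Compute a digest even for unknown users so timing does not reveal which names exist.
        expected = password_digest(nonce, token["Created"], user["password"] if user else "")
        if user is None or not hmac.compare_digest(expected, token["PasswordDigest"]):
            raise PermissionError("bad username or password digest")

        self.seen_nonces[nonce] = now + self.max_skew
        return set(user["privileges"])


def authorize(validator: UsernameTokenValidator, token: dict, method: str,
              now: Optional[float] = None) -> bool:
    """Per-request decision: authenticate the token, then check the method against privileges."""
    try:
        privileges = validator.validate(token, now)
    except PermissionError:
        return False
    return method in privileges


if __name__ == "__main__":
    v = UsernameTokenValidator(USERS)
    t = build_username_token("userA", "secretA")
    print("userA -> methodA:", authorize(v, t, "methodA"))        # True
    print("same token replayed:", authorize(v, t, "methodA"))     # False
```

The point for the question: nothing here needs a login or logout call, because every request carries its own proof of the password and is checked on its own. The cost of that is the user and privilege lookup on each call (the `USERS` lookup above); what the server must remember is only the recent nonces, and even those can be forgotten after the freshness window.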