Here is the scenario: I have some web services (JAX-WS) that need to be protected. Currently, for authentication, I am providing the SecurityWService add-on, which gives the authorized user some user ID and sessionid, which should be described in the request to other services.
It would be better to use some Java protection. We have a lot of them, but they could not determine what is better to use.
Q1: It is clear that I should use SSL in the transport layer, but that I should use to authorize the user. Is there a better way to create a session, validate a user, etc.?
Here are a few key descriptions:
- Most clents web services are php based.
- I am using jax-ws implementation as stateless EJB session.
- Deployment to Glassfish v3.
Q2: what is the best structure / technology for authorization / user authentication when using JSF 2.0 and ejb3.1 technologies (Realms? WSIT?)?
Thank!
source
share