I need to build some web services in a WebLogic application server. This server lies between a mobile app and Oracle ERP. Basically, after the mobile app "login" to the Oracle ERP via a web service call on the application server, a session should be maintained on the application server. One reason is this:
Every time a web service is called by the mobile app, it needs to return a random challenge token. This is a requirement by our internal security. Within the same session, when the same mobile app calls the same web service (or a different web service) on the application server, it needs to pass the challenge token that it received previously. The application server will then have to check that the token is the same one that it returned previously to the mobile client.
We have discussed about using JAX-RS for communication between mobile app and the web services. However, I have read that JAX-RS is supposed to be stateless. In this case, how can I maintain a session such that the application knows the challenge token that it returned to a client previously? There is no database for the application by the way. Normally for a web application, it can just save the challenge token to a session object, but how do you do so for a web service?
If JAX-RS cannot maintain session, then what about JAX-WS?
Thanks.
Related
I have a web reporting tool lets say Business Objects, Cognos, OBIEE, Crystal Reports. I want to display some data into the report which is coming from a Web Service. So i copy paste the Web service URL inside the report cell and i can access the data.
However this leaves a big security issue as i cannot authenticate the requestor. One thing which i can think of is checking the Http header request: referer property which is set by the reporting tool in my Web Service. This atleast ensures that the request has originated from my Reporting Application. Besides this i cannot see how i can authenticate a specific user.
Appending Username in the Web Service URL is also not an option because one report is used by many users. I would somehow want to access this specific user session and associate the web service request with this user session. Lets say both my Web Reporting tool and web service are running on the same Web Application Server. Is it possible to merge the Web Service Provider and my Reporting Application so that the session user name is available in the WebService ?
To casify web service I am planning to follow the following:
I have a application that requests for a web service, the web service will only server the client if the application passes a valid ticket string.
The Java application sends a username/password combination to the CAS server using restful API.
The CAS server replies with a ticket on successful authentication.
The application sends the ticket my web service and ask for some data for some data.
The web service receives the ticket and sends the ticket to the CAS server to validate it.
If the CAS server returns a username/ or any kind of message that confirms the validity of the ticket, the web service replies back to the application a response to fulfill the application request.
The CAS server is returning the ticket to the application,the application posts the ticket string to web service, the web server accepts the ticket string. Now how do I send the ticket to CAS server for validation? Any ideas? Also is there any better way to casify the Web service?
I tried to draw what I want to archive:
Since this is a java based application you can use the filters that are available with CAS to do the validation & authentication.
I'm working on an iPhone app that uses xAuth to login to Twitter. The app also communicates with my own web service. Rather than maintain a user model inside the web service, I'd like to just allow anyone who's already authenticated via Twitter to make requests.
The high-level use case is this: the user logs into and interacts with Twitter through the app. They can also interact with my web service through the app. The web service itself never interacts with Twitter. Instead of maintaining a separate authentication system on my side, I'd like the server to say "OK, if Twitter says you're #joshfrench then you can have access."
I'm not sure how I should validate requests on the server side, though. How would I pass some proof of authentication from the mobile client to my web service? Can I send along the existing Twitter token and verify it from the server? Or somehow sign the request with my Twitter app's credentials? Is this even a valid use of OAuth?
If you store your twitter app key and secret on both he iphone app and your server, and then somehow transmit the user's oauth token (also called "access token") key/secret from the iphone app to the server, then you can do the same type of api calls from the server.
consumer = OAuth::Consumer.new(app_key, app_secret, …)
access_token = OAuth::AccessToken.new(consumer, user_key, user_secret)
response = access_token.get('/stuff.xml')
So, is it Okay to transmit that info from the app to the server? If you do it securely, and it's within the user's expectation for how the app behaves, then it's a perfectly fine use of oauth.
It's possible that it's not allowed by Twitter's terms of service -- I could imagine there being something that says you can't transfer a user's access secret across the network, or some such thing. (total wild speculation, I don't think it's particularly likely that that's the case)
i'm developping a mobile application in Android and blackberry, I want that Users can connect from their Smartphones to Webservice witch will verify their login and password in an Oracle Database, I should maintain connection between Client and server within Sessions.
my webservice should be under apache Tomcat using Axis2.
how can I implement this Session via Soap Messages ???
Thanks in advance :)
its best if you could get this without having to maintain sessions. if maintaining session is a must, you'll have to pass authentication details with each soap request along with a token or a session status object where at each end you'll be manually updating with status.
In a web application, we have session to store the authentication. But let say I am developing a native application with web service, for example, the Facebook app. How can I check the session in the native app? Thank you.
The way i know this can be done. Is by getting a hash key from the server once you are authenticated in the service. Then you can send back the key form the client each time you need to invoque a method during the session. That key will be invalidated by the server when session is expired or when you log out.