Security for Web Service Interactions
For a Web service with an EJB endpoint, you use application server-specific
mechanisms to require basic authentication. Often, each application
server's deployment descriptor includes an element for authentication for an EJB
service endpoint that is analogous to the web.xml auth-method element.
A Web service may also require hybrid authentication, in which a client
authenticates with basic authentication and SSL is the transport. The client
authenticates with a username and password, the server authenticates with its
digital certificate, and all of this occurs over an HTTPS connection. Hybrid
authentication compensates for HTTP basic authentication's inability to protect
the confidentiality of passwords. This vulnerability can be overcome by running the
authentication protocols over an SSL-protected session, essentially creating a
hybrid authentication mechanism. The SSL-protected session ensures
confidentiality for all message content, including the client authenticators, such as
username and password.
Enabling hybrid authentication for a Web service endpoint generally requires
two operations (both previously discussed): setting the transport to use the
confidentiality mechanism of HTTPS and setting the authentication of the client to use
basic authentication. For EJB endpoints, you use application server-specific
mechanisms. For Web endpoints, you set deployment descriptor elements. Code
Example 7.4 demonstrates how to configure hybrid authentication by combining
the deployment descriptor choices for basic authentication and confidential
transport.
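<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
...
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>some_realm_name</realm-name>
</login-config>
...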
Code Example 7.4 Requiring SSL Hybrid Authentication for Web Tier Endpoints