318

Security for Web Service Interactions

 guest 

...

...

Code Example 7.7

Configuring Identity Selection Policies for Web Components

7.3.3.2

Propagating Identity to a Web Service

Protection domains help to understand how clients set identity for Web service calls.

(See  Protection Domains  on page 300.) Recall that a protection domain estab 

lishes an authentication boundary around a set of entities that are assumed to trust

each other. Entities within this boundary can safely communicate with each other

without authenticating themselves. Authentication is only required when the bound 

ary is crossed. However, Web services are considered outside of any protection

domain. 

E

When calling a Web service, be prepared to satisfy its security requirements. 

Web services are loosely coupled and it is more likely that a call to a service 

will cross protection domains.

Since Web service calls are likely to cross protection domains, identity propa 

gation mechanisms (such as 

run as

 and 

use_caller_identity

) and security

context are not useful and are not propagated to service endpoints. When a J2EE

component acting as a Web service client specifies the 

run as

 identity or the 

use 

caller identity

, the container applies that identity only to the component's

interactions with non Web service components, such as enterprise beans. Some

vendors may provide mechanisms to propagate identity across protection

domains, but these mechanisms may not be portable. 

This brings us to the question of how to establish identity for Web services.

For the client making calls to a service that requires authentication, the client con 

tainer provides the necessary artifacts, whether username and password for basic

authentication or a digital certificate for mutual authentication. The container of