320
Security for Web Service Interactions
7.3.4 Handling Authorization
Web service endpoints can restrict access to resources using the same declarative
authorization mechanisms available to other J2EE components. From a security
point of view, this capability facilitates integrating Web services with J2EE applications,
since the standard J2EE authorization mechanisms can be leveraged. When a
Web service is called and the calling client has been authenticated and its identity
established, the container has the capability to check that the calling principal is
authorized to access this service endpoint. A Web service is also free to leave its
resources unprotected so that anyone can access its service.
Furthermore, components and resources accessed by the Web service endpoint
may have their own access control policies, and these may differ from the
endpoint's policies. The service endpoint's interaction with other components and
resources is handled by the same mechanisms used by any J2EE component. That
is, the authorization mechanisms for Web service endpoints are the same as for
other components in the J2EE platform.
The tier on which your endpoint resides determines how you specify and configure
access control. In general, to enable access control you specify a role and
the resource you want protected. Components in both tiers specify a role in the
same manner, using the <security-role> element as shown in Code Example 7.8.
With Web tier endpoint components, access control entails specifying a URL
pattern that determines the set of restricted resources. For EJB tier endpoints, you
specify access control at the method level, and you can group together a set of
method names that you want protected.
    <security-role>
        <role-name>customer</role-name>
    </security-role>

Code Example 7.8 Configuring a Role for an Authorization Constraint
What does this mean in terms of a Web service's access control considerations?
Your Web service access control policy may influence whether you implement
the service as a Web tier or an EJB tier endpoint. For Web tier components,
the granularity of security is specific to the resource and based on the URL for the
Web resource. For EJB tier components, security granularity is at the method
level, which is typically a finer-grained level of control.
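The two deployment-descriptor forms described above, side by side, as an added example that is not from the book: the Web tier protects a URL pattern as one unit, while the EJB tier attaches roles to individual methods. The servlet path, bean name, method names and the admin role are constructed for illustration; only the customer role comes from Code Example 7.8.

```xml
<!-- web.xml (Web tier endpoint): the protected unit is a URL pattern.
     The /orders/* path and OrderService name are constructed for this example. -->
<security-role>
  <role-name>customer</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OrderService</web-resource-name>
    <url-pattern>/orders/*</url-pattern>
    <!-- No <http-method> listed: the constraint then covers every HTTP method.
         Naming only POST here would leave GET, PUT, DELETE etc. unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- only authenticated principals mapped to this role may call the endpoint -->
    <role-name>customer</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- credentials and SOAP payloads travel only over a protected transport -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<!-- ejb-jar.xml (EJB tier endpoint): roles are granted per method, so two
     methods of the same bean can carry different roles. OrderServiceBean,
     placeOrder, cancelOrder and the admin role are constructed for this example. -->
<assembly-descriptor>
  <security-role>
    <role-name>customer</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <method-permission>
    <role-name>customer</role-name>
    <method>
      <ejb-name>OrderServiceBean</ejb-name>
      <method-name>placeOrder</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>admin</role-name>
    <method>
      <ejb-name>OrderServiceBean</ejb-name>
      <method-name>cancelOrder</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

A method of the bean that appears in no <method-permission> element has no declared policy at all, so check that every exposed method is listed rather than relying on the container's default.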