Web Services security - Weblogic


Thread: Web Services security

  1. Web Services security


    Today my question is about security of Web Services.
    Specifically I am investigating an authentication path where a user logs into
    an external enterprise security system (other than Weblogic Server).
    The user is a person using the Web service applications.
    As a result of a successful login process, a "token" is obtained as an identity of the user.
    Now the Web Service application needs to pass the "token" to the Weblogic Web Service server side.
    Once the "token" is received, an Identity Assertion provider (plugged into the Weblogic Security Framework)
    will map it to a proper weblogic user (principal).
    The Web Service request will be executed using this valid user.

    With the above sequence, a single sign on will be achieved.
    This means the end user logs into a third party security system and uses the token returned
    to access Web Services and the underlying EJB layers without re-authenticating.

    thanks
    Kelly

  2. Re: Web Services security


    "kpeng" wrote:
    >
    >Today my question is about security of Web Services.
    >Specifically I am investigating an authentication path where a user logs into
    >an external enterprise security system (other than Weblogic Server).
    >The user is a person using the Web service applications.
    >As a result of a successful login process, a "token" is obtained as an identity of the user.
    >Now the Web Service application needs to pass the "token" to the Weblogic Web Service server side.
    >Once the "token" is received, an Identity Assertion provider (plugged into the Weblogic Security Framework)
    >will map it to a proper weblogic user (principal).
    >The Web Service request will be executed using this valid user.
    >
    >With the above sequence, a single sign on will be achieved.
    >This means the end user logs into a third party security system and uses the token returned
    >to access Web Services and the underlying EJB layers without re-authenticating.
    >
    >thanks
    >Kelly


    My question is how the Web Services application passes the "token" to the Web Services server side.

  3. Re: Web Services security

    Check this out
    http://www.netegrity.com/products/pr...e=TMhowitworks
    The web service server has to have some sort of plugin/filter which will
    request such tokens.

    "kpeng" wrote in message
    news:3f957cbe$1@newsgroups.bea.com...

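    Putting the pieces discussed above together (the token returned by the external login, the client carrying it to the Web Service, and the server-side assertion step that maps it to a Weblogic user), here is an added example that is not code from this thread or from WebLogic itself: a plain Python function stands in for the Identity Assertion provider rather than a WebLogic SSPI provider class. The HMAC-signed token format, the WS-Security BinarySecurityToken header, the shared secret, the audience value and the user-mapping table are all constructed assumptions.

```python
# Constructed simulation of the SSO hop: external login -> token -> SOAP header -> asserter -> principal.
import base64, hashlib, hmac, json, time
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SECRET = b"constructed-secret-shared-with-external-idp"   # constructed; shared by IdP and asserter
AUDIENCE = "weblogic-ws"                                   # constructed; which service the token is for
# External user id -> WebLogic user (principal); constructed mapping table.
USER_MAP = {"kelly@corp.example": "kpeng"}

def issue_token(subject, ttl=300, secret=SECRET, now=None):
    """Stand-in for the external security system's login result: signed claims."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(json.dumps(
        {"sub": subject, "aud": AUDIENCE, "exp": int(now + ttl)}).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def build_request(token, operation="getBalance"):
    """Client side: carry the token in a WS-Security BinarySecurityToken header."""
    return (f'<Envelope xmlns="{SOAP}"><Header><Security xmlns="{WSSE}">'
            f'<BinarySecurityToken ValueType="ExtToken">{token}</BinarySecurityToken>'
            f'</Security></Header><Body><{operation}/></Body></Envelope>')

def assert_identity(soap_xml, now=None):
    """Server side: the asserter must verify the token, not merely decode it.
    Returns the mapped WebLogic user name, or raises ValueError (fail closed)."""
    root = ET.fromstring(soap_xml)
    node = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken")
    if node is None or node.get("ValueType") != "ExtToken":
        raise ValueError("no supported token in request")
    body, _, sig = (node.text or "").partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):          # integrity: forged or tampered token
        raise ValueError("token signature invalid")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != AUDIENCE:                   # token minted for some other service
        raise ValueError("token audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    try:
        return USER_MAP[claims["sub"]]                  # external identity -> WebLogic principal
    except KeyError:
        raise ValueError("subject not mapped to a WebLogic user") from None
```

    The point to keep from this is that the assertion step checks signature, audience and expiry before mapping and rejects on any miss; an asserter that only decodes the token would accept whatever identity the caller chooses to put in the header.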
  4. Re: Web Services security


    SAML (Security Assertion Markup Language) is a spec that deals with exactly this
    kind of scenario. Netegrity and IBM have implementations of SAML (although they
    need to be baked a little). BEA's new security product, WLES, announced about
    a week ago, also supports SAML.

    -Anant


    "Leonard" wrote:

  5. Re: Web Services security


    "kpeng" wrote in message
    news:3f957b3e@newsgroups.bea.com...


    I don't think that 8.1 webservices allows you to use a different type of
    authentication token other than username/password or certificates. Allowing an
    extensible token is on the list for a future version. SAML support is also on the list.






  6. Re: Web Services security

    Peter,
    Would you consider an Identity Management system that allows you to
    pass the ticket after secure authentication (e.g. certificate,
    biometric, token, smartcard, any combo?)

    Al

    "Peter" wrote in message news:<3f9c6db2$1@newsgroups.bea.com>...
    > "kpeng" wrote in message
    > news:3f957b3e@newsgroups.bea.com...
    > >
    > > Today my question is about security of Web
    > > Services.
    > > Specifically I am investigating an authentication
    > > path where a user logins into
    > > an external enterprise security system (other than
    > > Weblogic Server).
    > > The user is a person using the Web service
    > > applications.
    > > As a result of a successful login process, a
    > > "token" is obtained as an identity of the user.
    > > Now the Web Service application needs to pass the
    > > "token" to the Weblogic Web Service server side.
    > > Once the "token" is received, a Identity Assertion
    > > provider (plugged into Weblogic Security
    > > Framework)
    > > will map it to a proper weblogic user(principal).
    > > The Web Service request will be executed
    > > using this valid user.
    > >
    > > With the above sequence, a single sign on will be
    > > achieved.
    > > This means the end user logins to a third party
    > > security system and uses the token returned
    > > to access to Web Services and the underlying EJB
    > > layers without re-authenticating.
    > >

    >
    > I don't think that 8.1 webservices allows you to use a different type of
    > authentication token
    > other than username/password or certificates. Allowing a extensible token is
    > on the list for
    > a future version. SAML support is also on the list.

