Advice? SSO in N-tiered SOA with mixture of REST and SOAP services

Posted by Tyler on Stack Overflow See other posts from Stack Overflow or by Tyler
Published on 2010-04-05T17:17:49Z Indexed on 2010/04/05 17:23 UTC
Read the original article Hit count: 684

Filed under:

n-tier

|

sso

|

rest

|

security

|

authentication

Hi gang,

We are moving to SSO in our N-tiered SOA applications. If all the services were SOAP, I'd be ok with just the WS-Security, WS-Trust, WS-Federation set of protocols. My problem is that many of the services are RESTful (ironic) and those protocols do not address REST services.

What is your advice for SSO protecting the REST services in an N-tiered SOA architecture with the following requirements:

ideally claims-based identity information available to the REST services
original user (eg. bootstrap) information must flow through the tiers so that each service can "ActAs" or "OnBehalfOf" the user
support sequences like:
- WebApp --> REST Svc --> SOAP Svc
- WebApp --> REST Svc1 --> REST Svc2
- WebApp --> SOAP Svc --> REST Svc
- WebApp --> SOAP Svc1 --> SOAP Svc2
support SSO (and SSOff)
service/web app platforms:
- ASP.Net and WCF
- Java
end-user client platforms:
- .Net (WSE 3.0 and WCF)
- flash 10
- java
- javascript and AJAX

Normally I'm good at climbing / bashing my way through walls, but this one's knocked me flat. Hopefully with your help, we can get over this one.

Thanks,

Tyler

© Stack Overflow or respective owner

Related posts about n-tier

The Interaction between Three-Tier Client/Server Model and Three-Tier Application Architecture Model

as seen on DotNetBlocks - Search for 'DotNetBlocks'
The three-tier client/server model is a network architectural approach currently used in modern networking. This approach divides a network in to three distinct components. Three-Tier Client/Server Model Components Client Component Server Component Database Component The Client Component… >>> More
when to introduce an application services tier in an n-tier application

as seen on Programmers - Search for 'Programmers'
I am developing a web based application whose primary objective is to fetch data from the database, display it on the UI, take in user inputs and write them back to the database. The application is not going to be doing any industrial strength algorithm crunching, but will be receiving a very high… >>> More
What is a best practice tier structure of a Java EE 6/7 application?

as seen on Programmers - Search for 'Programmers'
I was attempting to find a best practice for modeling the tiers in a Java EE application yesterday and couldn't come up with anything current. In the past, say java 1.4, it was four tiers: Presentation Tier Web Tier Business Logic Tier DAL (Data Access Layer ) which I always considered a tier and… >>> More
How to handle server failure in an n-tier architecture?

as seen on Server Fault - Search for 'Server Fault'
Imagine I have an n-tier architecture in an auto-scaled cloud environment with say: a load balancer in a failover pair reverse proxy tier web app tier db tier Each tier needs to connect to the instances in the tier below. What are the standard ways of connecting tiers to make them resilient to… >>> More
Top Tier, A-Game Talent - How to Land em'

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Recently the question came up from a close friend of mine, "will my PhD help me attain a higher income in the north west?" I had to tell him, that it might get him a little more, but it won't get him in the top income brackets for the occupation. Another time, a few days later, someone else asked… >>> More

Related posts about sso

SSO in Weblogic server

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Configuring Single Sign-On in Oracle Fusion Middleware ReferenceOracle Fusion Middleware Security OverviewOracle Fusion Middleware Security GuideOracle Fusion Middleware Securing Oracle WebLogic Server >>> More
Sharepoint SSO bulk creation of user accounts

as seen on Stack Overflow - Search for 'Stack Overflow'
Hopefully someone can help... I need to provide client with a solution to allow bulk creation of user accounts into SharePoint SSO. The client wants to provide an excel spreadsheet with accounts, usernames and passwords and have that created in the SSO database. I've been told its possible but… >>> More
Log in using Java where server's authentication could be sso or web applcation container's basic

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I have a situation where ideally I want to be able to log-in to a secure area using a Java application. I would like to make an HTTP request and check the response to see if I need to do some kind of authenication before I can actually get the response expected, instead of effectively some… >>> More
AuthnRequest Settings in OIF / SP

as seen on Oracle Blogs - Search for 'Oracle Blogs'
In this article, I will list the various OIF/SP settings that affect how an AuthnRequest message is created in OIF in a Federation SSO flow. The AuthnRequest message is used by an SP to start a Federation SSO operation and to indicate to the IdP how the operation should be executed: … >>> More
E-Business Integration with SSO using AccessGate

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Moving away from the legacy Oracle SSO, Oracle E-Business Suite (EBS) came up with EBS AccessGate as the way forward to provide Single Sign On with Oracle Access Manager (OAM). As opposed to AccessGate in OAM terminology, EBS AccessGate has no specific connection with OAM with respect to configuration… >>> More