
JSTL and authenticated web services

Can I access an authenticated web service using JSTL? (Form-based authentication)

If I can't do it using JSTL, is there any other way I can do it from a JSP?


Maybe I need to give a little more information. I'm using the core library:

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

and the import tag, as in:

<c:import var="xml" url="http://my.service.com/api/xml"/>

Where http://my.service.com/api/xml is a web service requiring form-based authentication - if I try to access it in a browser, I'm prompted for a username and password in a web form, not a popup window.

Sorry, I'm no web services expert as you can tell - fingers crossed for an easy solution :)

@Brabster, as @duffymo said, JSTL has nothing to do with web services authentication.

If you need to avoid displaying the authentication page inside some JSP, maybe you can get around it with a custom tag which will deal with authentication. How would you authenticate to your web service in a simple console program with a main method? If you know how to do it, integrating that code in a custom tag is easy.

Here's an open source library, http://spnego.sourceforge.net/protected_soap_service.html , that has an example on connecting to a web service that is protected via integrated windows authentication.

The library is implemented as a servlet filter.

What's the purpose of calling a web service for authentication from JSTL, versus doing it directly from your JSP/JSTL page, for example:

<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql" %>

<c:remove var="validUser" scope="session"/>
<c:if test="${empty param.user_name || empty param.password}">
 <c:redirect url="login.jsp"/>
</c:if> 

<sql:query var="users">
 SELECT 1 FROM users WHERE user_name = ? AND password = ?
 <sql:param value="${param.user_name}" />
 <sql:param value="${param.password}" />
</sql:query>
<c:if test="${users.rowCount == 0}">
 <c:redirect url="login.jsp"/>
</c:if>

Remember that in order to implement form-authentication you must indicate it in the web.xml file:

<login-config>
 <auth-method>FORM</auth-method>
 <form-login-config>
  <form-login-page>/main/login.jsp</form-login-page>
 </form-login-config>
</login-config>

If what you want is to consume some web service by using Tag Libraries, you can use the JSP Tag Library for Web Services from the Java Community.

JSTL == JSP Standard Tag Library? If so, I don't see how JSTL and JSP are different.

If you add tokens to HTML or SOAP headers, you're assuming that the web service knows how to get at them and how to consume them. Form-based authentication uses j_username and j_password for the form element parameter names.

I'd say that security should be a cross-cutting concern. A filter or aspect should be able to get those values out of the HTTP headers and authenticate for you.
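The console-program approach raised in the answers above, as an added example that is not code from any poster: a Java 11+ client that performs container-managed form login with the j_username and j_password parameters and then reads the protected XML. It assumes the service uses the standard j_security_check form action; the class name, the SVC_USER / SVC_PASS environment variables and both URL arguments are hypothetical.

```java
import java.net.CookieManager;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class FormAuthFetch {
    // Usage: java FormAuthFetch <protected-url> <j_security_check-url>
    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("need resource URL and login URL");
        URI resource = URI.create(args[0]);
        URI login = URI.create(args[1]);
        // Form login sends the password in the request body, so require TLS.
        if (!"https".equals(resource.getScheme()) || !"https".equals(login.getScheme()))
            throw new IllegalArgumentException("refusing to send credentials over plain HTTP");
        // Hypothetical variable names; keeps the password out of source and argv.
        String user = System.getenv("SVC_USER");
        String pass = System.getenv("SVC_PASS");
        if (user == null || pass == null) throw new IllegalStateException("set SVC_USER and SVC_PASS");

        // The cookie manager carries the session cookie across all three steps.
        HttpClient client = HttpClient.newBuilder()
                .cookieHandler(new CookieManager())
                .followRedirects(HttpClient.Redirect.NORMAL)
                .build();

        // 1. Ask for the protected resource: the container remembers the
        //    request, starts a session and answers with the login form.
        client.send(HttpRequest.newBuilder(resource).GET().build(),
                HttpResponse.BodyHandlers.discarding());

        // 2. Submit the login form inside that same session.
        String form = "j_username=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
                + "&j_password=" + URLEncoder.encode(pass, StandardCharsets.UTF_8);
        HttpResponse<String> reply = client.send(HttpRequest.newBuilder(login)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build(), HttpResponse.BodyHandlers.ofString());

        // 3. On success the container redirects back to the saved request, so the
        //    reply is the XML. A body that still holds the form means login failed.
        if (reply.statusCode() != 200 || reply.body().contains("j_security_check"))
            throw new IllegalStateException("login failed, HTTP " + reply.statusCode());
        System.out.println(reply.body());
    }
}
```

The same three steps can be moved into a custom tag or a servlet that places the fetched XML in a request attribute for the JSP to render.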
