SAML, JAAS, & Role-Based Access Control

Web service clients can be implemented as JavaServer Pages, servlets, or Java applications, or as executables written in C++, Perl, Visual Basic, or JavaScript; the protocol is truly ubiquitous. In this article, I use a Java application as a Web service client and show how to secure that client from an authentication and authorization standpoint via Role-Based Access Control (RBAC). Basically, role-based authorization is achieved by using:

  • A SAML (Security Assertion Markup Language) token provisioned as a Group Principal used within the Web service client.
  • The JAAS (Java Authentication and Authorization Service) Framework to contain the Group Principal information in the JAAS Subject.
  • A custom API, specified along the lines of standard privilege-management systems, that provides the authorization checks.

Read the complete article by Frank Teti at Dr Dobbs Portal.
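The three pieces above fit together as follows, shown here as an added illustration rather than code from the article: group names asserted in the SAML token become Group Principals inside a JAAS Subject, and a small custom API answers "is this Subject in role X?" before a privileged Web service call is made. The class names, the `isUserInRole` API, and the sample group list are assumptions for this example; a real client would take the groups from a parsed, signature-verified SAML attribute statement.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration (not the article's code). The SAML token is reduced here to a
// constructed list of group names a real client would read from a verified assertion.
public class SamlRbacDemo {

    // Group Principal carrying one role name taken from the SAML assertion.
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && ((GroupPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Build the JAAS Subject: one GroupPrincipal per group asserted by the IdP.
    public static Subject subjectFromSamlGroups(List<String> samlGroups) {
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();
        for (String g : samlGroups) principals.add(new GroupPrincipal(g));
        subject.setReadOnly();   // freeze so later code cannot grant itself roles
        return subject;
    }

    // Custom authorization API (hypothetical name): role membership check on the Subject.
    public static boolean isUserInRole(Subject subject, String role) {
        for (GroupPrincipal p : subject.getPrincipals(GroupPrincipal.class)) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: groups the identity provider asserted for the caller.
        List<String> asserted = Arrays.asList("accounting", "auditor");
        Subject caller = subjectFromSamlGroups(asserted);
        // Gate the privileged Web service operation on the role check.
        if (!isUserInRole(caller, "admin")) {
            System.out.println("denied: caller lacks admin role");
        }
        System.out.println("auditor? " + isUserInRole(caller, "auditor"));
    }
}
```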