Home/ Questions/Q 6065351
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T09:22:50+00:00

I have a SOA which makes heavy use of nonces (i.e, one-time one-use security

  • 0

I have a SOA which makes heavy use of nonces (i.e, one-time one-use security tokens).

My app takes a nonce from a client, verifies it, then sends a new nonce back to said client as part of every reply. Also included in each reply are the results of business logic operations that executed right after the nonce was authenticated.

The nonce verification and generation are operationally coupled with the business logic, since both occur in response to every client request. However I don’t want the two to be coupled in code. What’s the right way to partition them in accordance with SOA principles? Is it too much to break the security and business logic into two separate services, with one calling the other as part of each reply to each client request?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes it makes sense to separate them. But I don’t think they should have awareness of each other at all (Call each other directly).

    I’ll dive into a specific example and technology of how something similar is implemented.

    In the web frame work Struts2 all incoming requests pass through a stack of operations(called interceptors) before arriving at a user defined object (called an action). The action then will access the business tier.

    When submitting a web form there is the issue of double submission. So one way to protect against this is with a token that is sent along with the form submission. So we need to create a unique token place it as a hidden field, and then when we receive the request only process it if the token is good. This prevent users from doing something like accidentally buying something more than once.

    In Struts2 there is a special server side token tag which creates the hidden field for us. So there is something that needs to be done for each form. The token interceptor if active will enforce that this value always exists and is good when receiving the form and will redirect responses that do not somewhere else.

    The idea of implementing a nonces interceptor/filter that checks that the incoming nonce value is good and for responses adds the correct nonces value to the response should be completely independent of the business logic.

    The example here is with html forms but adding an interceptor(or whatever you call “that which handles cross cutting concerns at the request/response level” for your appropriate technology) which adds such a value to json or xml messages should be pretty easy and likely produce the most elegant result.

    The following is a link to struts2 interceptor reference (it might clarify the idea better):
    http://struts.apache.org/2.2.1.1/docs/interceptors.html

    The following two links are both interceptors which manage tokens:
    http://struts.apache.org/2.2.1.1/docs/token-interceptor.html

    http://struts.apache.org/2.2.1.1/docs/token-session-interceptor.html

    I expect only the first few paragraphs of each link will be useful but something like it for your technology should be nice.

    • 0