 

JAX-WS and BASIC authentication, when user names and passwords are in a database


I'm new to JAX-WS and there's a thing which I don't understand.

There's a ton of tutorials available on how to set up JAX-WS security, but in pretty much all cases BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY are stored in some .xml file (depending on the container, I believe) - they are "hardcoded", that is. And that's what I don't get. How can I authenticate a web service client by comparing BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY with a user name and password that's in a database? I tried setting BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY on the client side like this:

    ShopingCartService scs = new ShopingCartService(wsdlURL, name);
    ShopingCart sc = scs.getShopingCartPort();
    Map<String, Object> requestContext = ((BindingProvider)sc).getRequestContext();
    requestContext.put(BindingProvider.USERNAME_PROPERTY, userName);
    requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
    sc.someFunctionCall();

And then, on the server side retrieving like this:

    @Resource
    WebServiceContext wsContext;

    @WebMethod
    public void someFunctionCall() {
        MessageContext mc = wsContext.getMessageContext();
        mc.get(BindingProvider.USERNAME_PROPERTY);
        mc.get(BindingProvider.PASSWORD_PROPERTY);
    }

But I always get null, I didn't set up anything in xml, web service works just fine, except I can't get those variables :(

I'm running both on Java 1.6, Tomcat 6 and JAX-WS.

Any help with authenticating users with passwords from a database is greatly appreciated. Thanks.

ahoge asked Oct 23 '09 12:10



2 Answers

I think you are looking for JAX-WS authentication at the application level, not HTTP basic at the server level. See the following complete example:

Application Authentication with JAX-WS

On the web service client site, just put your “username” and “password” into request header.

    Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
    req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);

    Map<String, List<String>> headers = new HashMap<String, List<String>>();
    headers.put("Username", Collections.singletonList("someUser"));
    headers.put("Password", Collections.singletonList("somePass"));
    req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

On the web service server site, get the request header parameters via WebServiceContext.

    @Resource
    WebServiceContext wsctx;

    @WebMethod
    public String method() {
        MessageContext mctx = wsctx.getMessageContext();

        Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        List userList = (List) http_headers.get("Username");
        List passList = (List) http_headers.get("Password");
        //...

mkyong answered Sep 28 '22 05:09


BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY match the HTTP Basic Authentication mechanism, which enables the authentication process at the HTTP level and not at the application or servlet level.

Basically, only the HTTP server will know the username and the password (and eventually the application, according to the HTTP/application server specification, such as with Apache/PHP). With Tomcat/Java, add a login config BASIC in your web.xml and the appropriate security-constraint/security-roles (roles that will later be associated with users/groups of real users).

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>YourRealm</realm-name>
    </login-config>

Then, connect the realm at the HTTP server (or application server) level with the appropriate user repository. For Tomcat you may look at JAASRealm, JDBCRealm or DataSourceRealm, which may suit your needs.

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

snowflake answered Sep 28 '22 04:09
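
Added example, not part of either answer or of the JAX-WS API: a container-independent check of credentials against stored password hashes, assuming they reach the service as a standard `Authorization: Basic` header (UTF-8 encoded) in the map held under `MessageContext.HTTP_REQUEST_HEADERS`. `BasicAuthCheck`, `StoredUser` and the in-memory `users` map, which stands in for a database lookup, are hypothetical names; the sample account is constructed and the code needs Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class BasicAuthCheck {
    // Hypothetical users-table row: per-user salt and PBKDF2 hash, never the password itself.
    static final class StoredUser {
        final byte[] salt, hash;
        StoredUser(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }
    static byte[] pbkdf2(String password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 600_000, 256); // assumed work factor
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    // headers: the map stored under MessageContext.HTTP_REQUEST_HEADERS; users: stand-in for the DB lookup.
    static boolean authenticate(Map<String, List<String>> headers, Map<String, StoredUser> users)
            throws GeneralSecurityException {
        String value = null;
        for (Map.Entry<String, List<String>> e : headers.entrySet())   // header names are case-insensitive
            if ("Authorization".equalsIgnoreCase(e.getKey()) && !e.getValue().isEmpty())
                value = e.getValue().get(0);
        if (value == null || !value.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(value.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) { return false; }
        int colon = decoded.indexOf(':');   // split on the first ':' only; the password may contain more
        if (colon < 0) return false;
        StoredUser u = users.get(decoded.substring(0, colon));
        // Unknown user: still run the KDF on a dummy salt so response time does not reveal valid names.
        byte[] candidate = pbkdf2(decoded.substring(colon + 1), u != null ? u.salt : new byte[16]);
        return u != null && MessageDigest.isEqual(candidate, u.hash);   // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);   // constructed sample data
        Map<String, StoredUser> users = new HashMap<>();
        users.put("alice", new StoredUser(salt, pbkdf2("s3cret:pw", salt)));
        for (String creds : new String[] {"alice:s3cret:pw", "alice:wrong"}) {
            String b64 = Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8));
            Map<String, List<String>> headers =
                    Collections.singletonMap("authorization", Collections.singletonList("Basic " + b64));
            System.out.println(creds + " -> " + authenticate(headers, users));
        }
    }
}
```

In a real service the `users` map would be replaced by a parameterized query returning the salt and hash for the given user name, and the endpoint would be served over HTTPS, since a Basic header is only Base64-encoded.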