JAX-WS and BASIC authentication when user names and passwords are in a database

Question

I m new to JAX-WS and there s a thing which I don t understand   There s a ton of tutorials available on how to set up JAX-WS security  but in pretty much all cases BindingProvider USERNAME PROPERTY and BindingProvider PASSWORD PROPERTY are stored in some  xml file depending on the container I believe  - they are  hardcoded  that is  And that s what I don t get  How can I authenticate a web service client by comparing BindingProvider USERNAME PROPERTY and BindingProvider PASSWORD PROPERTY with a user name and password that s in a database  I tried setting BindingProvider USERNAME PROPERTY and BindingProvider PASSWORD PROPERTY on the client side like this       ShopingCartService scs   new ShopingCartService wsdlURL  name       ShopingCart sc   scs getShopingCartPort        Map lt String  Object gt  requestContext     BindingProvider sc  getRequestContext        requestContext put BindingProvider USERNAME PROPERTY  userName       requestContext put BindingProvider PASSWORD PROPERTY  password       sc someFunctionCall      And then  on the server side retrieving like this    Resource WebServiceContext wsContext    WebMethod public void someFunctionCall         MessageContext mc   wsContext getMessageContext        mc get BindingProvider USERNAME PROPERTY       mc get BindingProvider PASSWORD PROPERTY       But I always get null  I didn t set up anything in xml  web service works just fine  except I can t get those variables     I m running both on java 1 6  tomcat 6 and JAX-WS   Any help with authenticating users with passwords from a database is greatly appreciated  Thanks

User · Answer

I think you are looking for JAX-WS authentication in application level, not HTTP basic in server level. See following complete example :

Application Authentication with JAX-WS

On the web service client site, just put your “username” and “password” into request header.

Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);

Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("Username", Collections.singletonList("someUser"));
headers.put("Password", Collections.singletonList("somePass"));
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

On the web service server site, get the request header parameters via WebServiceContext.

@Resource
WebServiceContext wsctx;

@WebMethod
public String method() {
    MessageContext mctx = wsctx.getMessageContext();

    Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
    List userList = (List) http_headers.get("Username");
    List passList = (List) http_headers.get("Password");
    //...

User · Answer

I had the same problem  and found the solution here     http   www mastertheboss com web-interfaces 336-jax-ws-basic-authentication html start 1  good luck

User · Answer

If you put the username and password at clientside into the request this way  URL url   new URL  quot http   localhost 8080 myapplication wsdl quot    MyWebService webservice   new MyWebServiceImplService url  getMyWebServiceImplPort    Map lt String  Object gt  requestContext     BindingProvider  webservice  getRequestContext    requestContext put BindingProvider USERNAME PROPERTY   quot myusername quot    requestContext put BindingProvider PASSWORD PROPERTY   quot mypassword quot     and call your webservice String response   webservice someMethodAtMyWebservice  quot test quot     Then you can read the Basic Authentication string like this at the server side  you have to add some checks and do some exceptionhandling    Resource WebServiceContext webserviceContext   public void someMethodAtMyWebservice String parameter        MessageContext messageContext   webserviceContext getMessageContext        Map lt String    gt  httpRequestHeaders    Map lt String    gt   messageContext get MessageContext HTTP REQUEST HEADERS       List lt   gt  authorizationList    List lt   gt   httpRequestHeaders get  quot Authorization quot        if  authorizationList    null  amp  amp   authorizationList isEmpty              String basicString    String  authorizationList get 0           String encodedBasicString   basicString substring  quot Basic  quot  length             String decoded   new String Base64 getDecoder   decode encodedBasicString   StandardCharsets UTF 8           String   splitter   decoded split  quot   quot            String usernameFromBasicAuth   splitter 0           String passwordFromBasicAuth   splitter 1

User · Answer

In your client SOAP handler you need to set javax xml ws security auth username and javax xml ws security auth password property as follow   public class ClientHandler implements SOAPHandler lt SOAPMessageContext gt        public boolean handleMessage final SOAPMessageContext soapMessageContext                final Boolean outInd    Boolean soapMessageContext get MessageContext MESSAGE OUTBOUND PROPERTY           if  outInd booleanValue                        try                             soapMessageContext put  javax xml ws security auth username    lt ClientUserName gt                   soapMessageContext put  javax xml ws security auth password    lt ClientPassword gt                           catch  Exception e                             e printStackTrace                   return false                               return true

User · Answer

For an example using both  authentication on application level and HTTP Basic Authentication see one of my previous posts

User · Answer

I was face-off a similar situation  I need to provide to my WS  Username  Password and WSS Password Type   I was initially using the  Http Basic Auth   as  ahoge   I tried to use the  Philipp-Dev  s ref  too  I didn t get a success solution   After a little deep search at google  I found this post   https   stackoverflow com a 3117841 1223901  And there was my problem solution  I hope this can help to anyone else  like helps to me   Rgds  iVieL

User · Answer

BindingProvider USERNAME PROPERTY and BindingProvider PASSWORD PROPERTY are matching HTTP Basic Authentication mechanism that enable authentication process at the HTTP level and not at the application nor servlet level   Basically  only the HTTP server will know the username and the password  and eventually application according to HTTP application server specification  such with Apache PHP   With Tomcat Java  add a login config BASIC in your web xml and appropriate security-constraint security-roles  roles that will be later associated to users groups of real users     lt login-config gt       lt auth-method gt BASIC lt  auth-method gt       lt realm-name gt YourRealm lt  realm-name gt   lt  login-config gt    Then  connect the realm at the HTTP server  or application server  level with the appropriate user repository  For tomcat you may look at JAASRealm  JDBCRealm or DataSourceRealm that may suit your needs   http   tomcat apache org tomcat-6 0-doc realm-howto html

[java] JAX-WS and BASIC authentication, when user names and passwords are in a database

Examples related to java

Examples related to jax-ws

Examples related to tomcat6

Examples related to basic-authentication