JAX-WS and BASIC authentication, when user names and passwords are in a database

Asked 23/10, 2009 at 12:48 Answered 10/11, 2020 at 20:1

java jax-ws tomcat6 basic-authentication

I'm new to JAX-WS and there's a thing which I don't understand.

There's a ton of tutorials available on how to set up JAX-WS security, but in pretty much all cases BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY are stored in some .xml file(depending on the container I believe) - they are "hardcoded" that is. And that's what I don't get. How can I authenticate a web service client by comparing BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY with a user name and password that's in a database? I tried setting BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY on the client side like this:

    ShopingCartService scs = new ShopingCartService(wsdlURL, name);
    ShopingCart sc = scs.getShopingCartPort();
    Map<String, Object> requestContext = ((BindingProvider)sc).getRequestContext();
    requestContext.put(BindingProvider.USERNAME_PROPERTY, userName);
    requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
    sc.someFunctionCall();

And then, on the server side retrieving like this:

@Resource
WebServiceContext wsContext;

@WebMethod
public void someFunctionCall() {
    MessageContext mc = wsContext.getMessageContext();
    mc.get(BindingProvider.USERNAME_PROPERTY);
    mc.get(BindingProvider.PASSWORD_PROPERTY);
}

But I always get null, I didn't set up anything in xml, web service works just fine, except I can't get those variables :(

I'm running both on java 1.6, tomcat 6 and JAX-WS.

Any help with authenticating users with passwords from a database is greatly appreciated, Thanks.

Trireme answered 23/10, 2009 at 12:48 Comment(1)

I've also tried checking for BindingProvider.USERNAME_PROPERTY in a SOAPHandler, still null. – Trireme 23/10, 2009 at 12:50

I think you are looking for JAX-WS authentication in application level, not HTTP basic in server level. See following complete example :

Application Authentication with JAX-WS

On the web service client site, just put your “username” and “password” into request header.

Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);

Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("Username", Collections.singletonList("someUser"));
headers.put("Password", Collections.singletonList("somePass"));
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

On the web service server site, get the request header parameters via WebServiceContext.

@Resource
WebServiceContext wsctx;

@WebMethod
public String method() {
    MessageContext mctx = wsctx.getMessageContext();

    Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
    List userList = (List) http_headers.get("Username");
    List passList = (List) http_headers.get("Password");
    //...

Yoo answered 16/12, 2010 at 11:25 Comment(1)

May I ask from where did you get such information ? I need the official source of information but I couldn't find any official source with enough information ! – Sedgemoor 28/8, 2013 at 13:9

BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY are matching HTTP Basic Authentication mechanism that enable authentication process at the HTTP level and not at the application nor servlet level.

Basically, only the HTTP server will know the username and the password (and eventually application according to HTTP/application server specification, such with Apache/PHP). With Tomcat/Java, add a login config BASIC in your web.xml and appropriate security-constraint/security-roles (roles that will be later associated to users/groups of real users).

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>YourRealm</realm-name>
</login-config>

Then, connect the realm at the HTTP server (or application server) level with the appropriate user repository. For tomcat you may look at JAASRealm, JDBCRealm or DataSourceRealm that may suit your needs.

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

Lovesick answered 22/1, 2010 at 9:47 Comment(0)

I had the same problem, and found the solution here :

http://www.mastertheboss.com/web-interfaces/336-jax-ws-basic-authentication.html?start=1

good luck

Gordie answered 17/1, 2012 at 16:23 Comment(1)

thanks (would be better to copy/paste here the solution... :P) – Alita 13/9, 2017 at 13:0

For an example using both, authentication on application level and HTTP Basic Authentication see one of my previous posts.

Guideboard answered 31/1, 2012 at 9:2 Comment(0)

I was face-off a similar situation, I need to provide to my WS: Username, Password and WSS Password Type.

I was initially using the "Http Basic Auth" (as @ahoge), I tried to use the @Philipp-Dev 's ref. too. I didn't get a success solution.

After a little deep search at google, I found this post:

https://mcmap.net/q/582747/-jax-ws-password-type-passwordtext

And there was my problem solution

I hope this can help to anyone else, like helps to me.

Rgds, iVieL

Decedent answered 13/3, 2012 at 16:29 Comment(0)

In your client SOAP handler you need to set javax.xml.ws.security.auth.username and javax.xml.ws.security.auth.password property as follow:

public class ClientHandler implements SOAPHandler<SOAPMessageContext>{

    public boolean handleMessage(final SOAPMessageContext soapMessageContext)
    {
        final Boolean outInd = (Boolean)soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outInd.booleanValue())
        {
          try 
          {
               soapMessageContext.put("javax.xml.ws.security.auth.username", <ClientUserName>);
               soapMessageContext.put("javax.xml.ws.security.auth.password", <ClientPassword>);
          } 
          catch (Exception e)
          {
               e.printStackTrace();
               return false;
          }
         }
      return true;
     }
}

Xuthus answered 3/10, 2018 at 11:12 Comment(0)

If you put the username and password at clientside into the request this way:

URL url = new URL("http://localhost:8080/myapplication?wsdl");
MyWebService webservice = new MyWebServiceImplService(url).getMyWebServiceImplPort();
Map<String, Object> requestContext = ((BindingProvider) webservice).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, "myusername");
requestContext.put(BindingProvider.PASSWORD_PROPERTY, "mypassword");

and call your webservice

String response = webservice.someMethodAtMyWebservice("test");

Then you can read the Basic Authentication string like this at the server side (you have to add some checks and do some exceptionhandling):

@Resource
WebServiceContext webserviceContext;

public void someMethodAtMyWebservice(String parameter) {
    MessageContext messageContext = webserviceContext.getMessageContext();
    Map<String, ?> httpRequestHeaders = (Map<String, ?>) messageContext.get(MessageContext.HTTP_REQUEST_HEADERS);
    List<?> authorizationList = (List<?>) httpRequestHeaders.get("Authorization");
    if (authorizationList != null && !authorizationList.isEmpty()) {
        String basicString = (String) authorizationList.get(0);
        String encodedBasicString = basicString.substring("Basic ".length());
        String decoded = new String(Base64.getDecoder().decode(encodedBasicString), StandardCharsets.UTF_8);
        String[] splitter = decoded.split(":");
        String usernameFromBasicAuth = splitter[0];
        String passwordFromBasicAuth = splitter[1];
    }

Ka answered 10/11, 2020 at 20:1 Comment(0)

Recommended topics

Hot tags