Authentication example in JAX-WS webservice

Before going through this tutorial, make sure that you have the required jars in the classpath. You can create a simple Java Project or a Dynamic Web Project in Eclipse; I will create a Java Project here. If you create a Dynamic Web Project, you can deploy the service directly to the server, and in that case you do not need to write a class for endpoint publishing.
Please download the jars and put them under the WEB-INF/lib directory.


I am going to give an example of how to implement simple application-level authentication in JAX-WS. In this tutorial I am going to authenticate a client to the endpoint server.

The idea is straightforward. The client that wants to consume the service has to authenticate by sending credentials, a username and a password, in the HTTP request header. The server then retrieves the username and password from the header and validates the client’s identity. In reality the password should be encrypted to achieve an acceptable level of security, but in this tutorial I am going to keep things as simple as possible. Keep in mind that authentication, along with session management, is a hard and crucial issue when developing a secure web application.

Service Endpoint
First we need to create a Web Service Endpoint Interface. This interface contains the declarations of all the methods of the web service.
Then we have to create a class that actually implements the above interface; this class is our endpoint implementation.

Web Service Endpoint Interface (SEI)

 

Web Service Endpoint Implementation

As discussed previously, the server has to read the HTTP request header information that the client set and validate the client's identity. The service endpoint implementation obtains a MessageContext object through a WebServiceContext to access the objects of the message. The WebServiceContext interface lets a web service endpoint implementation class access message contexts and security information about the requester. The service runtime injects the WebServiceContext into any field marked with the @Resource annotation. We call the WebServiceContext's getMessageContext() method to get the MessageContext instance.

The HTTP request header is retrieved with MessageContext's get method, passing MessageContext.HTTP_REQUEST_HEADERS as the parameter that names the kind of context we need from the message. The header is retrieved as a Map, which is very convenient because you can address (key, value) pairs directly. From this Map we retrieve the corresponding credentials.

 
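The following is an added example of the two server-side pieces just described (the SEI and its implementation); it is not the code from the original post. The package name com.example.jaxws.auth, the operation getHelloWorldAsString, the header names Username and Password, and the demo credentials user/pass are assumptions for this example. Beyond what the text describes, the header lookup tolerates a missing header, and the credential check uses a constant-time comparison so that response timing does not reveal how much of a guess was correct:

```java
// File: HelloWorld.java  (package name is an assumption for this example)
package com.example.jaxws.auth;

import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.jws.soap.SOAPBinding;
import javax.jws.soap.SOAPBinding.Style;

// Service Endpoint Interface: declares every operation the service exposes.
@WebService
@SOAPBinding(style = Style.RPC)
public interface HelloWorld {
    @WebMethod
    String getHelloWorldAsString(String name);
}

// File: HelloWorldImpl.java
package com.example.jaxws.auth;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

@WebService(endpointInterface = "com.example.jaxws.auth.HelloWorld")
public class HelloWorldImpl implements HelloWorld {

    // Injected by the JAX-WS runtime; gives access to the per-request MessageContext.
    @Resource
    private WebServiceContext wsContext;

    // Constructed demo credentials (assumed values). A real deployment would look
    // the user up in a credential store and compare password hashes, not literals.
    private static final String EXPECTED_USER = "user";
    private static final String EXPECTED_PASS = "pass";

    @Override
    public String getHelloWorldAsString(String name) {
        MessageContext mctx = wsContext.getMessageContext();

        // HTTP_REQUEST_HEADERS is a Map<String, List<String>>: one list of values per header name.
        @SuppressWarnings("unchecked")
        Map<String, List<String>> headers =
                (Map<String, List<String>>) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);

        String username = firstHeader(headers, "Username");
        String password = firstHeader(headers, "Password");

        if (!constantTimeEquals(EXPECTED_USER, username)
                || !constantTimeEquals(EXPECTED_PASS, password)) {
            // Surfaces as a SOAP fault on the client. The message deliberately does
            // not say which of the two values was wrong.
            throw new RuntimeException("Authentication failed");
        }
        return "Hello World JAX-WS " + name;
    }

    // Returns the first value of a header, or null when the header is absent or empty.
    private static String firstHeader(Map<String, List<String>> headers, String name) {
        if (headers == null) {
            return null;
        }
        List<String> values = headers.get(name);
        return (values == null || values.isEmpty()) ? null : values.get(0);
    }

    // MessageDigest.isEqual compares equal-length inputs in constant time, so the
    // response time does not depend on how many leading characters matched.
    private static boolean constantTimeEquals(String expected, String actual) {
        if (actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

The two types go in separate source files, as the file comments indicate. The header names are looked up exactly as the client sends them; if you rename them on one side, rename them on the other. The RuntimeException is the simplest way to reject a call, and the client-side example further down shows how it arrives there as a SOAPFaultException.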

Web Service Endpoint Publisher

 
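An added example of the publisher class (not the post's own code), using the endpoint address the tutorial deploys to. The package and class names are assumptions, and HelloWorldImpl is the implementation class from the previous section:

```java
// File: HelloWorldPublisher.java  (package name is an assumption for this example)
package com.example.jaxws.auth;

import javax.xml.ws.Endpoint;

public class HelloWorldPublisher {
    public static void main(String[] args) {
        // Address from the tutorial; the WSDL is then served at this URL followed by "?WSDL".
        String address = "http://localhost:8888/jax-ws-auth/hello";

        // Endpoint.publish starts the lightweight HTTP server bundled with the JAX-WS runtime
        // and keeps the JVM alive until the endpoint is stopped.
        Endpoint endpoint = Endpoint.publish(address, new HelloWorldImpl());
        System.out.println("Service published at " + address
                + ", published=" + endpoint.isPublished());

        // Stop the endpoint cleanly when the JVM shuts down (for example on Ctrl-C).
        Runtime.getRuntime().addShutdownHook(new Thread(endpoint::stop));
    }
}
```

Because the address uses plain http, the Username and Password headers travel in cleartext, which is what the introduction meant by keeping things simple; binding to localhost at least confines them to the local machine while you experiment.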

Once we run the above publisher class, the web service is available to clients at the URL:
http://localhost:8888/jax-ws-auth/hello

And this is the WSDL file that is automatically created and
published at: http://localhost:8888/jax-ws-auth/hello?WSDL

WSDL:

 

Java Web Service Client

The client consumes the web service, so it has to build an HTTP request header containing its username and password. To access and manipulate the request context of the message, the client casts the service port to BindingProvider and calls its getRequestContext() method. The BindingProvider interface lets the client access and manipulate the context objects associated with request and response messages. The request context is retrieved as a Map object. BindingProvider.ENDPOINT_ADDRESS_PROPERTY is used to name the target service endpoint address. Now we need to add two properties, username and password, to a headers Map. Then we put this Map into the request context under MessageContext.HTTP_REQUEST_HEADERS.

 
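An added client example (not the post's own code) that performs the steps just described and then calls the service twice, once with the expected credentials and once with a wrong password, so both outcomes described below can be observed. The package name, the service QName (derived from the JAX-WS defaults for the assumed package and implementation class name) and the header names Username and Password are assumptions; check the QName against the published WSDL:

```java
// File: HelloWorldClient.java  (package name is an assumption for this example)
package com.example.jaxws.auth;

import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.soap.SOAPFaultException;

public class HelloWorldClient {

    private static final String ENDPOINT = "http://localhost:8888/jax-ws-auth/hello";

    public static void main(String[] args) throws Exception {
        URL wsdlUrl = new URL(ENDPOINT + "?wsdl");
        // Assumed QName: JAX-WS defaults to the reversed package name as namespace and
        // the implementation class name + "Service" as the service name.
        QName serviceName = new QName("http://auth.jaxws.example.com/", "HelloWorldImplService");

        Service service = Service.create(wsdlUrl, serviceName);
        HelloWorld hello = service.getPort(HelloWorld.class);

        // Accepted request, then a rejected one.
        System.out.println(call(hello, "user", "pass", "Soumitra"));
        System.out.println(call(hello, "user", "wrong", "Soumitra"));
    }

    // Sends one request carrying the given credentials in custom HTTP headers and
    // returns either the service reply or the text of the SOAP fault it raised.
    static String call(HelloWorld port, String username, String password, String name) {
        // Every JAX-WS port proxy also implements BindingProvider.
        BindingProvider bp = (BindingProvider) port;
        Map<String, Object> requestContext = bp.getRequestContext();

        // Target endpoint address for this call.
        requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, ENDPOINT);

        // Custom HTTP headers: each header name maps to a list of values.
        Map<String, List<String>> headers = new HashMap<>();
        headers.put("Username", Collections.singletonList(username));
        headers.put("Password", Collections.singletonList(password));
        requestContext.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

        try {
            return port.getHelloWorldAsString(name);
        } catch (SOAPFaultException e) {
            // A RuntimeException thrown by the endpoint arrives here as a SOAP fault.
            return "Request rejected: " + e.getFault().getFaultString();
        }
    }
}
```

The request context is per port proxy, so the headers set in call() stay attached to that proxy until they are replaced; the second call overwrites them, which is why the same proxy can be reused for both attempts.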

The output will be:

If the username is user and the password is pass:

 

If the username is anything other than user, or the password anything other than pass:

 

That’s all. Thank you for your patience. Please do not forget to leave a comment.

Soumitra
