Hi, I'm new to JAX-WS and there's a thing which I don't understand.

There are a ton of tutorials available on how to set up JAX-WS security, but in pretty much all cases BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY are stored in some .xml file (depending on the container, I believe) - they are "hardcoded", that is. And that's what I don't get. How can I authenticate a web service client by comparing BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY with a user name and password that are in a database? I tried setting BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY on the client side like this:

ShopingCartService scs = new ShopingCartService(wsdlURL, name);
ShopingCart sc = scs.getShopingCartPort();
// The request context holds per-call settings for the client proxy
Map<String, Object> requestContext = ((BindingProvider) sc).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, userName);
requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
sc.someFunctionCall();

And then, on the server side retrieving like this:

@Resource
WebServiceContext wsContext;

@WebMethod
public void someFunctionCall() {
    MessageContext mc = wsContext.getMessageContext();
    mc.get(BindingProvider.USERNAME_PROPERTY);
    mc.get(BindingProvider.PASSWORD_PROPERTY);
}

But I always get null. I didn't set up anything in XML; the web service works just fine, except I can't get those variables :(

I'm running both on Java 1.6, Tomcat 6 and JAX-WS from https://jax-ws.dev.java.net/.

Any help with authenticating users with passwords from a database is greatly appreciated. Thanks.

A: 

BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY match the HTTP Basic Authentication mechanism, which enables the authentication process at the HTTP level and not at the application or servlet level.

Basically, only the HTTP server will know the username and the password (and eventually the application, according to the HTTP/application server specification, such as with Apache/PHP). With Tomcat/Java, add a BASIC login config in your web.xml and the appropriate security-constraint/security-roles (roles that will later be associated with users/groups of real users).

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>YourRealm</realm-name>
</login-config>

Then, connect the realm at the HTTP server (or application server) level with the appropriate user repository. For Tomcat, you may look at JAASRealm, JDBCRealm or DataSourceRealm, which may suit your needs.

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

snowflake
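
The container-managed setup the answer describes, written out as an added example (not part of the original answer): a web.xml fragment that protects the endpoint with BASIC auth, and a context.xml that backs the realm with a database through DataSourceRealm. The endpoint path, role name, JNDI name, table and column names are assumptions, and the database settings are placeholders.

```xml
<!-- WEB-INF/web.xml: fragment placed inside <web-app> -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>ShopingCart endpoint</web-resource-name>
        <!-- assumed endpoint path; use the url-pattern your service is mapped to -->
        <url-pattern>/ShopingCartService</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- assumed role name; must match a row in the role table below -->
        <role-name>shop-client</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- BASIC sends the password base64-encoded, so require TLS -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>YourRealm</realm-name>
</login-config>
<security-role>
    <role-name>shop-client</role-name>
</security-role>

<!-- META-INF/context.xml: a separate file -->
<Context>
    <!-- placeholder driver, URL and credentials for the user database -->
    <Resource name="jdbc/authDB" auth="Container" type="javax.sql.DataSource"
              driverClassName="DRIVER_CLASS_PLACEHOLDER"
              url="JDBC_URL_PLACEHOLDER"
              username="DB_USER_PLACEHOLDER" password="DB_PASSWORD_PLACEHOLDER"/>
    <!-- assumed table and column names; digest means user_pass holds hashes, not clear text -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/authDB" localDataSource="true"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name"
           digest="SHA-256"/>
</Context>
```

With this in place Tomcat rejects unauthenticated calls before they reach the service, and the endpoint can read the authenticated caller from wsContext.getUserPrincipal() rather than from the message context. The CONFIDENTIAL guarantee needs an HTTPS connector configured in Tomcat.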