Jungi's Blog...


Tuesday Jul 18, 2006

Securing Web Service (BASIC auth)

Required Software

Setting up the environment

  • Start the application server and open its admin console
  • Navigate to Configuration -> Security -> Realms -> File, click Manage Users and create a new user, e.g. jungi with password jungi, who is a member of the group user.

Coding the service (in a web application)

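The main difference between a non-secure and a secure web service implementation is that we have to add the RolesAllowed annotation to each operation that should be callable only by users in a particular group. The annotation names a role (basicUser here), which is mapped to the group in sun-web.xml further down.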

package secure.ws;

import javax.annotation.security.RolesAllowed;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.WebParam;

@WebService(serviceName="SecureService")
public class SecureHelloService {
    
    @WebMethod(operationName="sayHello")
    // only callers holding the basicUser role may invoke this operation
    @RolesAllowed("basicUser")
    public String operation(@WebParam(name="name") String param) {
        // implement the web service operation here
        return "Hello " + param;
    }
    
}

Declaring security in deployment descriptors

web.xml

Add the following to web.xml:

    <security-constraint>
        <display-name>WSConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>WS</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>basicUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>basicUser</role-name>
    </security-role>
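
BASIC authentication sends the user name and password merely Base64-encoded, so with NONE as the transport guarantee they cross the network in readable form. The same constraint with the guarantee raised to CONFIDENTIAL, as an added example that is not part of the original post; everything except the transport-guarantee value and the comments is copied from the descriptor above.

```xml
<!-- Added example: the page's constraint with only <transport-guarantee> changed. -->
<security-constraint>
    <display-name>WSConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>WS</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
        <!-- As on the page: only POST is listed, so this constraint covers
             POST requests only. Other methods (for example the GET that
             fetches the WSDL) are not subject to it. -->
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>basicUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <!-- Page value: NONE. BASIC puts base64("user:password") in the
             Authorization header, which is an encoding, not encryption.
             CONFIDENTIAL makes the container accept the constrained
             requests only over TLS; plain HTTP requests are refused or
             redirected to the HTTPS listener. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

With this setting the client has to call the service's HTTPS endpoint, for instance by putting the https URL into the request context under BindingProvider.ENDPOINT_ADDRESS_PROPERTY, and the client JVM must trust the server's certificate.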

sun-web.xml

And add the following to sun-web.xml:

  <security-role-mapping>
    <role-name>basicUser</role-name>
    <group-name>user</group-name>
  </security-role-mapping>

Now we can deploy our web application.

Calling the web service

Create a web service client in a J2SE project (I'll use package "test"), call the WS operation from, e.g., the main method of its main class, and add 3 lines to the generated ones:

package mypkg;

import java.util.Map;
import javax.xml.ws.BindingProvider;

public class Main {
    
    /** Creates a new instance of Main */
    public Main() {
    }
    
    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        try { // Call Web Service Operation
            test.SecureService service = new test.SecureService();
            test.SecureHelloService port = service.getSecureHelloServicePort();

            // set username and password for BASIC auth
            // (these are the 3 lines added to the generated code)
            Map<String, Object> context = ((BindingProvider) port).getRequestContext();
            context.put(BindingProvider.USERNAME_PROPERTY, "jungi");
            context.put(BindingProvider.PASSWORD_PROPERTY, "jungi");

            // TODO initialize WS operation arguments here
            java.lang.String name = "Lukas";
            // TODO process result here
            java.lang.String result = port.sayHello(name);
            System.out.println("Result = "+result);
        } catch (Exception ex) {
            // TODO handle custom exceptions here
            // report the failure (e.g. rejected credentials) instead of swallowing it
            ex.printStackTrace();
        }
        // TODO code application logic here
    }
    
}

Now we can simply run the project and see output similar to:

run:
Result = Hello Lukas
BUILD SUCCESSFUL (total time: 1 second)
