Saturday, November 2, 2013

Application Authentication for JAX-WS web services

 the fully source code for this example can be found at  following gitHub repository.

Download code From GitHub

clone the project from gitHub and use the maven to build the project.
then deploy the web service in the tomcat server. (just copy the war file and i have already done the required web.xml and sun-haxws.xml configurations.)

if you want  to know, how to deploy the web service in tomcat, you can refer my previous blog post here

once the web service is deployed, you can run the web service client to test the web service and see how it works.

In application authentication, then authentication logic will be implemented there in the web service. therefore the web service will be responsible for handling the user authentication.

the web service client will send the user credentials (username and password) to the web service. please refer the following WebService Client.

package com.chathurangaonline.jaxws.samples.client;

import com.chathurangaonline.jaxws.samples.impl.*;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class WebServiceClientImpl {

    public static void main(String [] args){

        CalculatorServiceImplService calculatorServiceImplService = new CalculatorServiceImplService();
        CalculatorServiceImpl calculatorService = calculatorServiceImplService.getCalculatorServiceImplPort();

        Map<String, Object> req_ctx = ((BindingProvider)calculatorService).getRequestContext();
        Map<String, List<String>> headers = new HashMap<String, List<String>>();

        //setting up the username and password 
        headers.put("Username", Collections.singletonList("chathuranga"));
        headers.put("Password", Collections.singletonList("chathu@123"));
        req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

        //in order to invoke the add method, you need to have valid login credentials
        double answer =  calculatorService.add(45,10);
        System.out.println(" answer is ["+answer+"]");

The web service will extract the user login credentials (username and password) from the HTTP Request Headers and  will perform the user authentication.
(here we have hard coded the username and password for the demostration purpose and to make it more simple. in the production mode, you need to move then  database) 
 if the user authentication is successful, he will be able to access the web service. otherwise it will throw a HttpException as implemented.  refer the following web service implementation.

package com.chathurangaonline.jaxws.samples.impl;

import com.chathurangaonline.jaxws.samples.CalculatorService;
import javax.annotation.Resource;
import javax.jws.WebService;
import java.util.List;
import java.util.Map;

public class CalculatorServiceImpl implements CalculatorService{

    private WebServiceContext webServiceContext;

    public double add(double num1, double num2) {
        //todo username and password was hardcoded only for the demonstration purpose. this should be configured to look up from database or somewhere else
            //allowing the operation for the authenticated user
            return num1 + num2;
            //non-authenticated user.
            throw  new HTTPException(401);

    public double multiply(double num1, double num2) {
        return num1 * num2;

     * <p>
     *     method for checking the application level authentication using the username and password provided.
     * </p>
     * @param username - username provided as {@link java.lang.String}
     * @param password - password provided as {@link java.lang.String}
     * @return {@link java.lang.Boolean} (true if user authenticated, otherwise false)
    private boolean isAuthenticated(String username, String password){
        if(username!=null && password!=null){
            MessageContext messageContext = webServiceContext.getMessageContext();
            Map httpHeaders  = (Map) messageContext.get(MessageContext.HTTP_REQUEST_HEADERS);

            List usernameList  = (List) httpHeaders.get("username");
            List passwordList = (List) httpHeaders.get("password");

            if((usernameList!=null && usernameList.contains(username)) && (passwordList!=null && passwordList.contains(password))){
                return true;
        return false;

The main problem with Application Authentication is the mix of security logic with the business logic might mess the code. it add some unnecessary complexity for the code with tight coupling. as a solution for this, we can go for the Container Managed Authentication and that will be my next blog post ;)

Chathuranga Tennakoon

No comments:

Post a Comment