the fully source code for this example can be found at following gitHub repository.
Download code From GitHub
clone the project from gitHub and use the maven to build the project.
then deploy the web service in the tomcat server. (just copy the war file and i have already done the required web.xml and sun-haxws.xml configurations.)
if you want to know, how to deploy the web service in tomcat, you can refer my previous blog post here
once the web service is deployed, you can run the web service client to test the web service and see how it works.
In application authentication, then authentication logic will be implemented there in the web service. therefore the web service will be responsible for handling the user authentication.
the web service client will send the user credentials (username and password) to the web service. please refer the following WebService Client.
The web service will extract the user login credentials (username and password) from the HTTP Request Headers and will perform the user authentication.
(here we have hard coded the username and password for the demostration purpose and to make it more simple. in the production mode, you need to move then database)
if the user authentication is successful, he will be able to access the web service. otherwise it will throw a HttpException as implemented. refer the following web service implementation.
Thanks
Chathuranga Tennakoon
chathuranga.t@gmail.com
Download code From GitHub
clone the project from gitHub and use the maven to build the project.
then deploy the web service in the tomcat server. (just copy the war file and i have already done the required web.xml and sun-haxws.xml configurations.)
if you want to know, how to deploy the web service in tomcat, you can refer my previous blog post here
once the web service is deployed, you can run the web service client to test the web service and see how it works.
In application authentication, then authentication logic will be implemented there in the web service. therefore the web service will be responsible for handling the user authentication.
the web service client will send the user credentials (username and password) to the web service. please refer the following WebService Client.
package com.chathurangaonline.jaxws.samples.client;
import com.chathurangaonline.jaxws.samples.impl.*;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
public class WebServiceClientImpl {
public static void main(String [] args){
CalculatorServiceImplService calculatorServiceImplService = new CalculatorServiceImplService();
CalculatorServiceImpl calculatorService = calculatorServiceImplService.getCalculatorServiceImplPort();
Map<String, Object> req_ctx = ((BindingProvider)calculatorService).getRequestContext();
Map<String, List<String>> headers = new HashMap<String, List<String>>();
//setting up the username and password
headers.put("Username", Collections.singletonList("chathuranga"));
headers.put("Password", Collections.singletonList("chathu@123"));
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
//in order to invoke the add method, you need to have valid login credentials
double answer = calculatorService.add(45,10);
System.out.println(" answer is ["+answer+"]");
}
}
The web service will extract the user login credentials (username and password) from the HTTP Request Headers and will perform the user authentication.
(here we have hard coded the username and password for the demostration purpose and to make it more simple. in the production mode, you need to move then database)
if the user authentication is successful, he will be able to access the web service. otherwise it will throw a HttpException as implemented. refer the following web service implementation.
package com.chathurangaonline.jaxws.samples.impl;
import com.chathurangaonline.jaxws.samples.CalculatorService;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.http.HTTPException;
import java.util.List;
import java.util.Map;
@WebService
public class CalculatorServiceImpl implements CalculatorService{
@Resource
private WebServiceContext webServiceContext;
@Override
public double add(double num1, double num2) {
//todo username and password was hardcoded only for the demonstration purpose. this should be configured to look up from database or somewhere else
if(isAuthenticated("chathuranga","chathu@123")){
//allowing the operation for the authenticated user
return num1 + num2;
}
else{
//non-authenticated user.
throw new HTTPException(401);
}
}
@Override
public double multiply(double num1, double num2) {
return num1 * num2;
}
/**
* <p>
* method for checking the application level authentication using the username and password provided.
* </p>
* @param username - username provided as {@link java.lang.String}
* @param password - password provided as {@link java.lang.String}
* @return {@link java.lang.Boolean} (true if user authenticated, otherwise false)
*/
private boolean isAuthenticated(String username, String password){
if(username!=null && password!=null){
MessageContext messageContext = webServiceContext.getMessageContext();
Map httpHeaders = (Map) messageContext.get(MessageContext.HTTP_REQUEST_HEADERS);
List usernameList = (List) httpHeaders.get("username");
List passwordList = (List) httpHeaders.get("password");
if((usernameList!=null && usernameList.contains(username)) && (passwordList!=null && passwordList.contains(password))){
return true;
}
}
return false;
}
}
The main problem with Application Authentication is the mix of security logic with the business logic might mess the code. it add some unnecessary complexity for the code with tight coupling. as a solution for this, we can go for the Container Managed Authentication and that will be my next blog post ;)Thanks
Chathuranga Tennakoon
chathuranga.t@gmail.com
No comments:
Post a Comment