Container-Managed Security for Web Service
(Tomcat, historically the reference implementation of the Servlet and JSP
specifications, can publish not only RESTful web services as servlets but also
SOAP-based web services.)
Container-managed security provides not only user authentication but also wire-level
(transport) security: the container terminates SSL/TLS and can require it for protected
URLs (a <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>
and a <login-config> in web.xml). The example below lets the container handle the
transport layer through an SSL/TLS connector and performs the authentication step in
the application code of the service itself.
Securing the @WebService under Tomcat
First make sure the Tomcat connector for SSL/TLS is enabled. A Tomcat connector is the
endpoint that accepts client requests. Add (or uncomment) the HTTPS connector in the
Tomcat configuration file conf/server.xml:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.keystore"
           keystorePass="123456" />
A relative keystoreFile is resolved against $CATALINA_BASE, so "conf/server.keystore"
points at the keystore next to server.xml. clientAuth="false" means the server does not
ask the client for a certificate, which is why the service below has to authenticate
the caller itself. keystorePass is stored in clear text in server.xml; keep the file
readable only by the account Tomcat runs as. (On Tomcat 8.5 and later the same SSL
settings can also be written as an <SSLHostConfig> element nested in the connector.)
The keystore and the truststore share the same file format (JKS or PKCS12). The server
reads its private key and certificate from the keystore; the client uses a truststore
to verify the certificate Tomcat presents during the TLS handshake. With a self-signed
certificate the client will not trust it by default: export the certificate from the
server keystore, import it into a client truststore, and point the client JVM at that
truststore, either with the -Djavax.net.ssl.trustStore and
-Djavax.net.ssl.trustStorePassword system properties or programmatically.
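The programmatic variant, as an added example (not code from the original page): it loads a truststore holding the Tomcat certificate and installs it as the default TLS trust for HttpsURLConnection, which the JAX-WS proxy uses for https endpoints. The file names client.truststore and tomcat.cer, the keystore alias tomcat and the password changeit are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Client-side trust setup for the HTTPS endpoint (added example, not part of
 * the original page). Builds a truststore-backed SSLContext and installs it
 * as the default for HttpsURLConnection, which the JAX-WS proxy uses.
 *
 * Building the truststore (alias "tomcat" and the file names are assumptions):
 *   keytool -exportcert -alias tomcat -keystore conf/server.keystore -file tomcat.cer
 *   keytool -importcert -alias tomcat -file tomcat.cer -keystore client.truststore
 */
public final class ClientTrust {

    /** An SSLContext that trusts only the certificates in the given store. */
    public static SSLContext contextFor(Path trustStore, char[] password) throws Exception {
        // Same format family as the server keystore (JKS or PKCS12).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material: the connector has clientAuth="false".
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Install the context process-wide. The default hostname verifier is kept,
     * so the certificate must actually be issued for "localhost".
     */
    public static void install(Path trustStore, char[] password) throws Exception {
        HttpsURLConnection.setDefaultSSLSocketFactory(
                contextFor(trustStore, password).getSocketFactory());
    }

    /** Print subject and expiry of every trusted certificate; returns how many there are. */
    public static int listTrusted(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        int count = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(alias + ": " + x.getSubjectX500Principal()
                        + " expires " + x.getNotAfter());
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; override on the command line.
        Path store = Paths.get(args.length > 0 ? args[0] : "client.truststore");
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        if (listTrusted(store, pw) == 0) {
            throw new IllegalStateException("truststore holds no certificates: " + store);
        }
        install(store, pw);
        // From here on the Test client below can create TempConvertImplService
        // and call the port over https://localhost:8443.
    }
}
```

Because the store contains only the server certificate, the client will refuse any other certificate, including one issued by a public CA, which is the behaviour you want for a pinned internal endpoint.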
Client code that invokes the web service over HTTPS. TempConvertImplService and TempConvert
are the classes wsimport generates from the WSDL; the generated proxy methods are named
c2F and f2C for the SEI's c2f and f2c:
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;

public class Test {
    public static final String END_POINT = "https://localhost:8443/WebServiceExample/tc?wsdl";

    public static void main(String[] args) {
        // Service and port classes generated by wsimport from the WSDL.
        TempConvertImplService port = new TempConvertImplService();
        TempConvert service = port.getTempConvertImplPort();

        // Point the proxy at the HTTPS endpoint instead of the address embedded in the WSDL.
        Map<String, Object> req_ctx = ((BindingProvider) service).getRequestContext();
        req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, END_POINT);

        // Place username and password into HTTP headers, which a non-Java client could do as well.
        // The values must match what TempConvertImpl.authenticated() checks on the server.
        Map<String, List<String>> hdr = new HashMap<String, List<String>>();
        hdr.put("Username", Collections.singletonList("localhost"));
        hdr.put("Password", Collections.singletonList("123456"));
        req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, hdr);

        System.out.println(service.c2F(12.f));
        System.out.println(service.f2C(-40.1f));
    }
}
Add an authenticated() check to the SEI implementation to perform the authentication:
import java.util.List;
import java.util.Map;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.http.HTTPException;

@WebService(endpointInterface = "com.csc.ws.temp.TempConvert")
public class TempConvertImpl implements TempConvert {

    // Injected by the container; gives access to the per-request MessageContext.
    @Resource
    WebServiceContext ws_ctx;

    @Override
    public float c2f(float c) {
        if (authenticated()) {
            return 32.0f + (c * 9.0f / 5.0f);
        } else {
            System.err.println("Authentication failure with exception ");
            throw new HTTPException(401);
        }
    }

    @Override
    public float f2c(float c) {
        if (authenticated()) {
            return (5.0f / 9.0f) * (c - 32.0f);
        } else {
            System.err.println("Authentication failure with exception ");
            throw new HTTPException(401);
        }
    }

    // Reads the Username/Password HTTP headers set by the client. Fails closed when
    // either header is absent instead of throwing a NullPointerException.
    @SuppressWarnings("unchecked")
    private boolean authenticated() {
        MessageContext mctx = ws_ctx.getMessageContext();
        Map<String, List<String>> http_headers =
                (Map<String, List<String>>) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (http_headers == null) {
            return false;
        }
        List<String> uList = http_headers.get("Username");
        List<String> pList = http_headers.get("Password");
        if (uList == null || pList == null) {
            return false;
        }
        return uList.contains("localhost") && pList.contains("123456");
    }
}
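The check above relies entirely on the TLS connector to keep the Password header confidential, compares a hard-coded clear-text password, and would throw if the headers were missing. The following added example (not code from the original page) shows the same header-based idea done more carefully: credentials travel in the standard Authorization: Basic header, the server stores only a salted PBKDF2 hash, the comparison is constant-time, and malformed input fails closed. The class name BasicAuthChecker, the iteration count and the sample credentials are assumptions; the main method runs offline on constructed headers.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hardened header-based authentication for a JAX-WS endpoint (added example,
 * not part of the original page). Drop-in for TempConvertImpl.authenticated():
 *   authenticate((Map<String, List<String>>) mctx.get(MessageContext.HTTP_REQUEST_HEADERS))
 * and have the client send hdr.put("Authorization", basicHeader(user, pw)).
 */
public final class BasicAuthChecker {
    private static final int ITERATIONS = 100_000; // assumed work factor
    private static final int KEY_BITS = 256;
    private static final int SALT_LEN = 16;

    private static final class Record {
        final byte[] salt;
        final byte[] hash;
        Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Map<String, Record> users = new HashMap<>();

    /** Register a user: keep salt + PBKDF2(password, salt), never the password itself. */
    public void addUser(String name, char[] password) {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        users.put(name, new Record(salt, derive(password, salt)));
    }

    private static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the authenticated user name, or null when the request must be rejected. */
    public String authenticate(Map<String, List<String>> headers) {
        if (headers == null) return null;
        List<String> values = null;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // HTTP header names are case-insensitive; containers differ in how they store them.
            if (e.getKey() != null && e.getKey().equalsIgnoreCase("Authorization")) {
                values = e.getValue();
                break;
            }
        }
        if (values == null || values.size() != 1) return null; // absent or ambiguous: fail closed
        String v = values.get(0);
        if (v == null || !v.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(v.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException bad) {
            return null; // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) return null;
        String user = decoded.substring(0, colon);
        char[] pass = decoded.substring(colon + 1).toCharArray();
        Record rec = users.get(user);
        // Derive even for unknown users so response time does not reveal which names exist.
        byte[] salt = rec != null ? rec.salt : new byte[SALT_LEN];
        byte[] candidate = derive(pass, salt);
        Arrays.fill(pass, '\0');
        boolean ok = rec != null && MessageDigest.isEqual(candidate, rec.hash);
        return ok ? user : null;
    }

    /** Client-side helper: the value to send in the Authorization header. */
    public static String basicHeader(String user, char[] password) {
        String raw = user + ":" + new String(password);
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** Offline self-check with constructed headers; no Tomcat needed. */
    public static void main(String[] args) {
        BasicAuthChecker auth = new BasicAuthChecker();
        auth.addUser("localhost", "123456".toCharArray());
        Map<String, List<String>> good = new HashMap<>();
        good.put("authorization", Collections.singletonList(basicHeader("localhost", "123456".toCharArray())));
        Map<String, List<String>> bad = new HashMap<>();
        bad.put("Authorization", Collections.singletonList(basicHeader("localhost", "wrong".toCharArray())));
        System.out.println("good header -> " + auth.authenticate(good));
        System.out.println("bad password -> " + auth.authenticate(bad));
        System.out.println("no header -> " + auth.authenticate(new HashMap<String, List<String>>()));
    }
}
```

Using the standard Authorization header also keeps the door open to letting the container do this work instead: a <login-config> with <auth-method>BASIC</auth-method> and a <security-constraint> in web.xml make Tomcat check the same header against its own realm before the request ever reaches the service. Either way the password still travels on every request, which is only acceptable because the connector is TLS-only.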