Java SOAP webservice authentication engine


I am building a Java webservice (WSDL) that will be consumed via SOAP. I need to implement a form of authentication in each method of the webservice so that every request is checked to see whether it comes from someone with permission.

I tried to follow this tutorial, but I didn’t get good results. My test code looked like this:

import java.util.List;
import java.util.Map;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

@WebService
public class AutenticaService {

    // Injected by the JAX-WS runtime; gives access to the current request
    @Resource
    private WebServiceContext wsContext;

    @WebMethod(operationName = "autentica")
    public String autentica() {
        MessageContext mContext = wsContext.getMessageContext();

        // Raw HTTP request headers: header name -> list of values
        @SuppressWarnings("unchecked")
        Map<String, List<String>> httpHeaders =
            (Map<String, List<String>>) mContext.get(MessageContext.HTTP_REQUEST_HEADERS);
        List<String> userList = httpHeaders.get("Username");
        List<String> passList = httpHeaders.get("Password");

        String username = "";
        String password = "";

        if (userList != null) {
            username = userList.get(0);
            System.out.println("User: " + username);
        }

        if (passList != null) {
            password = passList.get(0);
            System.out.println("Pass: " + password); // test-only: never log credentials in production
        }

        // Hard-coded test credentials
        if (username.equals("admin") && password.equals("admin")) {
            return "Hello World JAX-WS - Valid User!";
        } else {
            return "Unknown User!";
        }
    }
}

I tested consuming the webservice with SoapUI and with an Ionic app using angular-soap 3.0, and in both cases the headers came through as null, so "Unknown User!" was returned.

Could someone tell me what I'm doing wrong, or suggest another form of authentication that I can use?

EDIT

IONIC App

Code used in the Ionic app to request for the webservice:

$soap.setCredentials("admin","admin");
$soap.post(url, "autentica").then(
    function(response) {
        console.log(response);
    }
);

Console output: Unknown User!

SoapUI

Authentication settings: [screenshot of the SoapUI authentication settings; image not included]

Response to the request:

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
   <S:Body>
      <ns2:autenticaResponse xmlns:ns2="http://service.natal.rn.gov.br/">
          <return>Unknown User!</return>
      </ns2:autenticaResponse>
   </S:Body>
</S:Envelope>

  • Is the client code the same as in the tutorial? If not, post it as well...

  • Why not create a "token" tag? And if this token matches your registration, it is allowed

  • To enable BASIC authentication in a webservice created with JAX-WS, the easiest way is to place a security constraint in the web.xml of the WAR package it lives in. With this done, your Ionic or SoapUI client will process the "Authorization" header normally, and the user/password will be validated against the Realm configured for your application using JAAS. In your code, you will have access to the username through a WebServiceContext variable annotated with @Resource, by calling its getUserPrincipal() method.

  • @Lucastorres The token strategy is valid, but the problem lies in receiving or sending data between endpoints.

  • @Philippesevestre I will review the code and try to do as you suggested. Soon I will return.

  • @Hamurabiaraujo An extra advantage of doing "by the spec": Depending on your application server, the change to support other authentication mechanisms (e.g., WS-Security) is restricted to configuration, without changing the code.


1 answer


The most likely answer is that you are not sending the User and Password headers when calling the webservice.

Section 3 of the tutorial you indicated describes how to do it the right way. Section 4 shows how the HTTP headers should reach the server.

Regarding the use of angular-soap, its README.md shows in example 5 how to configure credentials the way it thinks they should be configured:

$soap.setCredentials("username","password");

Which in the end amounts to something like:

xmlHttp.setRequestHeader("Authorization", "Basic " + SOAPClient._toBase64(SOAPClient.userName + ":" + SOAPClient.password));

Which is nothing like your way of passing the user and password.

SoapUI seems to recommend almost the same thing: https://www.soapui.org/soap-and-wsdl/authenticating-soap-requests.html

Both are based on HTTP Basic Authentication.

I don't recommend using custom HTTP headers, because in the past browsers didn't accept them, and whenever someone needs to access your webservice you will have to write a much longer manual so they understand exactly which way is the correct one. I prefer to use cookies; their behavior is standardized.

Some prefer to use HTTP Basic Authentication, it is also valid.

It's been a while since I worked with SOAP; at that time, the ideal was to use SAML and WS-Security. Not that I recommend it, just so you know that it's also an option. In a way, it's a beautiful family of specifications. Most developers abandoned SOAP for REST; the cause of that is a mystery ;)

  • Thanks for the tips! I edited the question to include the code I used in the requests made by the 'clients'. With angular-soap I had already done as you suggested; I apologize, it should have been in the question from the beginning. The use of SOAP rather than REST is due to the project specification I was given, which says it must be implemented with SOAP + WSDL.
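The answer's point is that both angular-soap (`$soap.setCredentials`) and SoapUI send `Authorization: Basic base64(user:password)`, not custom `Username`/`Password` headers, so the server has to read that one header. The comment above about container-managed authentication makes the same point from the other side: once a security-constraint is configured in web.xml, the container validates the header and `getUserPrincipal()` returns the authenticated user. The following is an added example (not code from the question, the answer, or the linked tutorial) showing a @WebMethod that handles both cases. Class name, the `EXPECTED_USER`/`EXPECTED_PASS` constants and the response strings are assumptions; in a real service the user would be looked up in a credential store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.List;
import java.util.Map;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

@WebService
public class AutenticaService {

    @Resource
    private WebServiceContext wsContext;

    // Hypothetical test credential (assumption); replace with a lookup in your realm/store.
    private static final String EXPECTED_USER = "admin";
    private static final byte[] EXPECTED_PASS = "admin".getBytes(StandardCharsets.UTF_8);

    @WebMethod(operationName = "autentica")
    public String autentica() {
        // Case A: container-managed auth (security-constraint in web.xml + realm).
        // The container has already checked the Authorization header; we only read the principal.
        Principal principal = wsContext.getUserPrincipal();
        if (principal != null) {
            return "Hello " + principal.getName() + " - Valid User!";
        }

        // Case B: no container auth configured; parse "Authorization: Basic ..." ourselves.
        MessageContext ctx = wsContext.getMessageContext();
        @SuppressWarnings("unchecked")
        Map<String, List<String>> headers =
            (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        String[] creds = parseBasic(headers);
        if (creds != null && checkCredentials(creds[0], creds[1])) {
            return "Hello " + creds[0] + " - Valid User!";
        }
        return "Unknown User!";
    }

    /** Returns {user, password} decoded from an "Authorization: Basic <base64>" header, or null. */
    static String[] parseBasic(Map<String, List<String>> headers) {
        if (headers == null) {
            return null;
        }
        // Header names are matched case-insensitively so this works whatever the runtime's map does.
        List<String> values = null;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase("Authorization")) {
                values = e.getValue();
                break;
            }
        }
        if (values == null || values.isEmpty()) {
            return null;
        }
        String value = values.get(0);
        if (value == null || !value.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null; // not Basic auth (could be Bearer, Digest, ...)
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(value.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        // RFC 7617: user-id ":" password; the password itself may contain ':'
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Constant-time comparison so response timing does not leak how many bytes matched. */
    static boolean checkCredentials(String user, String password) {
        byte[] given = password.getBytes(StandardCharsets.UTF_8);
        return EXPECTED_USER.equals(user) && MessageDigest.isEqual(given, EXPECTED_PASS);
    }
}
```

With this in place, the Ionic call `$soap.setCredentials("admin","admin")` from the question and SoapUI's Basic authentication setting both reach `parseBasic` as `Authorization: Basic YWRtaW46YWRtaW4=`. Two caveats: Base64 is an encoding, not encryption, so Basic credentials must only be accepted over HTTPS; and case A is the preferable one, because, as the comment notes, switching to another mechanism later (for example WS-Security) then becomes a configuration change rather than a code change.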
