Web Service Security: Three Steps
By Geertjan on Jun 18, 2005
- Configure a security realm on the Sun Java System Application Server (or on whatever J2EE 1.4 application server you deploy to; no, Tomcat is not a J2EE 1.4 application server, it is a servlet container). For the SJS Application Server, start it, right-click its node in the IDE's Runtime window, and choose View Admin Console. Under Configuration > Security > Realms > file, add the user ID and password for the user who will be allowed to call the service.
Next, add a security role mapping to the server-specific deployment descriptor (for the SJS Application Server this is sun-web.xml), mapping the role the web service will require to the user you just created in the realm:

    <security-role-mapping>
      <role-name>doing-important-things</role-name>
      <principal-name>very-high-up-guy</principal-name>
    </security-role-mapping>
- Add a security constraint, login configuration, and security role to the web service's web.xml (its deployment descriptor):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Web Service Security Resource</web-resource-name>
        <url-pattern>/Hello</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>doing-important-things</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
      <description>Big Bosses</description>
      <role-name>doing-important-things</role-name>
    </security-role>
- security-constraint. Limits access to the resources defined in its web-resource-collection to callers in the roles named in the auth-constraint. Note that listing http-method elements narrows the constraint to exactly those methods; any method not listed (HEAD, PUT, DELETE, OPTIONS, and so on) is left unprotected, so omit them unless you intend that.
- login-config. Specifies the method used to authenticate the user. BASIC is HTTP Basic authentication: the client (a browser, or here the stub) sends the user name and password base64-encoded in the Authorization header, so it is only as secure as the transport and belongs behind a CONFIDENTIAL transport guarantee (i.e., HTTPS) outside a test setup.
- security-role. Declares the role. The role name must have a matching security-role-mapping in the server-specific descriptor, which ties the role to a principal (or group) in the realm configured on the server.
- Add two lines to the main method of the static-stub client, before the stub makes its call (as described in the J2EE Tutorial's Example: Basic Authentication with JAX-RPC section):

    // Credentials of the realm user created in step 1; sent as HTTP Basic on each call.
    stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, "very-high-up-guy");
    stub._setProperty(javax.xml.rpc.Stub.PASSWORD_PROPERTY, "abcde");

There are other (and better) ways of supplying credentials from the client side; hard-coding a password in the client source is the simplest scenario, not one to ship.
Now run the web service. The first time you do this, the server should prompt you for the user name and password, because the endpoint is now behind the constraint. Once it has successfully launched, run the client. A little password dialog box appears where you can type in the username and password.
Everything should now be well with the world -- if you type in the correct username and password and click OK... Bob's your father's brother and the static-stub client will have successfully accessed the web service. To confirm the constraint is actually enforced, try a wrong password once: the server answers 401 Unauthorized and the stub's call fails with a RemoteException instead of returning a result.
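As an added check (this is an example written for this edit, not code from the post or from the Sun application server), the following Python script audits a web.xml and sun-web.xml pair for the pitfalls in the steps above: a security-role with no matching security-role-mapping, a web-resource-collection whose http-method list leaves other verbs unconstrained, a missing auth-constraint, and BASIC or FORM authentication without a CONFIDENTIAL transport guarantee. The descriptors embedded in it are constructed from the fragments on this page, with the namespace a J2EE 1.4 web.xml carries; the hardened variant shows the two changes that make the post's constraint pass.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors modelled on the fragments in the post; they stand
# in for the real web.xml and sun-web.xml and are not files from the original.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Service Security Resource</web-resource-name>
      <url-pattern>/Hello</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>doing-important-things</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>doing-important-things</role-name>
  </security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>doing-important-things</role-name>
    <principal-name>very-high-up-guy</principal-name>
  </security-role-mapping>
</sun-web-app>"""

# The same web.xml with both weaknesses fixed: no http-method list, so the constraint
# covers every verb, and TLS required, so BASIC credentials are not sent in the clear.
HARDENED_WEB_XML = WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", ""
).replace(
    "    </auth-constraint>\n",
    "    </auth-constraint>\n    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n"
    "    </user-data-constraint>\n",
)

def _local(tag):
    """Tag name without its namespace, so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]

def _text(elem):
    return (elem.text or "").strip()

def audit(web_xml, sun_web_xml):
    """Return a list of findings for a web.xml / sun-web.xml pair; [] means clean."""
    findings = []
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)

    methods = _descendants(web, "auth-method")
    auth_method = _text(methods[0]) if methods else None
    if auth_method is None:
        findings.append("no login-config: set auth-method explicitly")

    # Every role declared in web.xml needs a principal or group in sun-web.xml.
    declared = {_text(r) for sr in _descendants(web, "security-role")
                for r in _children(sr, "role-name")}
    mapped = {_text(r) for m in _descendants(sun, "security-role-mapping")
              for r in _children(m, "role-name")}
    for role in sorted(declared - mapped):
        findings.append(f"role '{role}' has no security-role-mapping in sun-web.xml")

    for sc in _descendants(web, "security-constraint"):
        where = ", ".join(_text(p) for p in _descendants(sc, "url-pattern"))
        for wrc in _children(sc, "web-resource-collection"):
            verbs = [_text(m) for m in _children(wrc, "http-method")]
            if verbs:  # listing verbs narrows the constraint to exactly those verbs
                findings.append(f"{where}: constraint applies only to {'/'.join(verbs)}; "
                                "any other verb (HEAD, PUT, DELETE, OPTIONS, ...) "
                                "bypasses it; drop the http-method elements")
        auth = _children(sc, "auth-constraint")
        if not auth:  # no auth-constraint at all means no authorization check
            findings.append(f"{where}: no auth-constraint, resource is open to everyone")
        else:
            for r in _children(auth[0], "role-name"):
                if _text(r) != "*" and _text(r) not in declared:
                    findings.append(f"{where}: role '{_text(r)}' is not a declared security-role")
        guarantee = [_text(g) for g in _descendants(sc, "transport-guarantee")]
        if auth_method in (None, "BASIC", "FORM") and guarantee[:1] in ([], ["NONE"]):
            findings.append(f"{where}: {auth_method or 'default'} auth sends the password "
                            "unencrypted without TLS; add <transport-guarantee>CONFIDENTIAL")
    return findings

if __name__ == "__main__":
    for label, xml in (("post's web.xml", WEB_XML), ("hardened web.xml", HARDENED_WEB_XML)):
        print(f"{label}: {audit(xml, SUN_WEB_XML) or 'no findings'}")
```

Run against the post's descriptors, the script reports two findings (the GET/POST-only constraint and the missing transport guarantee) and nothing for the hardened variant; delete the security-role-mapping from sun-web.xml and it reports the unmapped role, which is the deployment failure you would otherwise only discover at runtime.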