User authentication in SOAP Webservices

by

JAAS does not define how the authentication information should look like in SOAP, but WS-Security defines what kind of standardized tokens you can use during client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos Token).

EDIT: With respect to Metro WebService stack, you need (steps taken from here and here):

  • Inject the handler, that implements javax.xml.ws.handler.soap.SOAPHandler to JAX-WS handler chain either programmatically via ((BindingProvider)port).getBinding().setHandlerChain(Collections.singletonList(handler)) or declaratively by adding @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.
  • The handler should create XWSSProcessor instance using XWSSProcessorFactory, which is passed the callback handler that implements javax.security.auth.callback.CallbackHandler.
  • The callback handler e.g. defines a validator on callback (depends on callback type).

This is the same as “doing by hand” (as the 1st step is to intersect the SOAP message anyway), with some WSS sugar on top. But WSIT (and CXF) use JAAS API and they provide standard implementations for various authentication tokens. Enabling them needs some configuration / coding efforts, but the benefit is that if you later decide to switch from plainttext to Kerberos authentication, you don’t need to code a lot. Also “doing by hand” means that you need to deal with authentication information on XML level and what you’ll do is implementing one of the standards.

I suggest using Apache CXF that bases on WSS4J – the WS-Security implementation from Apache. You can easily find tutorials (e.g. here and here for Username+password, here and here for SAML) that show to define callback / interceptors to verify authentication information. The advantage of CXF is that it has nice integration with Spring.

More Related Contents:

  1. How to do a SOAP Web Service call from Java class?
  2. How do I set the timeout for a JAX-WS webservice client?
  3. Getting Raw XML From SOAPMessage in Java
  4. How can I use an HTTP proxy for a JAX-WS request without setting a system-wide property?
  5. How to call a SOAP web service on Android [closed]
  6. Working Soap client example
  7. Tracing XML request/responses with JAX-WS
  8. How to change webservice url endpoint?
  9. Java Webservice Client (Best way)
  10. SSLHandshakeException: No subject alternative names present
  11. Unable to create JAXBContext creating my wsdl
  12. JAX-WS client : what’s the correct path to access the local WSDL?
  13. java: Rpc/encoded wsdls are not supported in JAXWS 2.0
  14. JAX-WS = When Apache CXF is installed it “steals” default JDK JAX-WS implementation, how to solve?
  15. JAX-WS – Map Exceptions to faults
  16. How to send a SOAP request using WebServiceTemplate?
  17. Changing the default XML namespace prefix generated with JAXWS
  18. How to make generated classes contain Javadoc from XML Schema documentation
  19. Java 11 package javax.xml.soap does not exist [duplicate]
  20. RESTful webservice : how to set headers in java to accept XMLHttpRequest allowed by Access-Control-Allow-Origin
  21. CXF 2.4.2: No conduit initiator was found for the namespace http://schemas.xmlsoap.org/soap/http
  22. JAXB unmarshall with namespaces and prefix
  23. How can I access the ServletContext from within a JAX-WS web service?
  24. Add SoapHeader to org.springframework.ws.WebServiceMessage
  25. JAX-WS vs. JAX-RPC
  26. Publishing a WS with Jax-WS Endpoint
  27. Java: using endpoint to publish webservice to tomcat server
  28. Singleton Object in Java Web service
  29. Simply consuming a web service in Java
  30. Main differences between SOAP and RESTful web services in Java [duplicate]

Leave a Comment