Java Standard Edition & Web service security

Derick Potgieter
Ranch Hand

Joined: Feb 19, 2004
Posts: 53
Hi All,

I need some help.

I have a web service running in Standard Edition 1.6 on a server. There isn't a full app server nor is it required except for exposing some functionality.
I decided to use the built-in web service container in 1.6 and this is running quite flawlessly. The problem is security, I'm not even sure how to implement it nor if it is possible in 1.6.

Any ideas or someone who has done this before? I need some kind of auth based roles or user/pass access?

I'm a bit new to this so please bear with me.

Rgds
Derick


SCJP, SCJD, SCWCD, SCBCD (JEE)
Peer Reynders
Bartender

Joined: Aug 19, 2005
Posts: 2906
The JDK 6 uses the Lightweight HttpServer API and Lightweight HttpServer SPI. The com.sun.net.httpserver.HttpServer also comes in an SSL version com.sun.net.httpserver.HttpsServer so it is possible to secure the transport layer to protect the information being exchanged from prying eyes. The server gives you access to the com.sun.net.httpserver.HttpContext. On the HttpContext you can set a com.sun.net.httpserver.Authenticator. The JDK 6 also includes a com.sun.net.httpserver.BasicAuthenticator which can be used for HTTP Basic Authentication (user,password,realm) that you can extend to check your own user database. Once a user is successfully authenticated you can create a com.sun.net.httpserver.HttpPrincipal which you return inside a com.sun.net.httpserver.Authenticator.Success instance. Hopefully that will set up the retrieval of the principal in the web service implementation. Inside the web service implementation inject the javax.xml.ws.WebServiceContext (see A little bit about Message Context in JAX-WS) and use getUserPrincipal() to retrieve the principal.

Now there is one real problem with all of the above - all the security measures are HTTP based. Web service security measures are supposed to be XML and SOAP based. The JAX-WS RI doesn't support WS-Security out of the box and needs at least the XWSS, possibly even the WSIT extension which I doubt will work on the Lightweight HttpServer - you'll probably have to go with a container like Tomcat or better.


"Don't succumb to the false authority of a tool or model. There is no substitute for thinking."
Andy Hunt, Pragmatic Thinking & Learning: Refactor Your Wetware p.41
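
The wiring described in the reply above, as an added example that is not part of the original thread. It assumes a JDK that still bundles javax.xml.ws (6 to 8); the class name `SecuredService`, the `/secured` path, the `ws-realm` realm, the `svc-user` account and the `WS_PASSWORD` environment variable are all hypothetical.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.Endpoint;
import javax.xml.ws.WebServiceContext;

@WebService
public class SecuredService {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    @Resource private WebServiceContext ctx; // injected by the JAX-WS runtime

    @WebMethod
    public String whoAmI() {
        // HttpPrincipal.getName() has the form "realm:username".
        Principal p = ctx.getUserPrincipal();
        return p == null ? "anonymous" : p.getName();
    }

    public static void main(String[] args) throws Exception {
        final String user = "svc-user";                   // hypothetical account
        final String pass = System.getenv("WS_PASSWORD"); // hypothetical variable
        if (pass == null || pass.isEmpty()) {
            throw new IllegalStateException("WS_PASSWORD is not set");
        }
        // Basic credentials are only base64-encoded: loopback here, HttpsServer on a network.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        HttpContext context = server.createContext("/secured");
        context.setAuthenticator(new BasicAuthenticator("ws-realm") {
            @Override
            public boolean checkCredentials(String u, String p) {
                // Evaluate both comparisons; do not short-circuit on the username.
                boolean userOk = MessageDigest.isEqual(bytes(u), bytes(user));
                boolean passOk = MessageDigest.isEqual(bytes(p), bytes(pass));
                return userOk & passOk;
            }
        });
        Endpoint.create(new SecuredService()).publish(context); // serve the endpoint on the protected context
        server.start();
    }

    private static byte[] bytes(String s) { return s.getBytes(UTF8); }
}
```

Requests without a valid `Authorization: Basic` header are answered with 401 by the authenticator before the SOAP message reaches the endpoint.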