
Java Standard Edition & Web service security

Derick Potgieter
Ranch Hand

Joined: Feb 19, 2004
Posts: 53
Hi All,

I need some help.

I have a web service running in Standard Edition 1.6 on a server. There isn't a full app server nor is it required except for exposing some functionality.
I decided to use the built-in web service container in 1.6 and this is running quite flawlessly. The problem is security, I'm not even sure how to implement it nor if it is possible in 1.6.

Any ideas or someone who has done this before? I need some kind of auth based roles or user/pass access?

I'm a bit new to this so please bear with me.


Peer Reynders

Joined: Aug 19, 2005
Posts: 2933
The JDK 6 uses the Lightweight HttpServer API and Lightweight HttpServer SPI. The com.sun.net.httpserver.HttpServer also comes in an SSL version com.sun.net.httpserver.HttpsServer so it is possible to secure the transport layer to protect the information being exchanged from prying eyes. The server gives you access to the com.sun.net.httpserver.HttpContext. On the HttpContext you can set a com.sun.net.httpserver.Authenticator. The JDK 6 also includes a com.sun.net.httpserver.BasicAuthenticator which can be used for HTTP Basic Authentication (user,password,realm) that you can extend to check your own user database. Once a user is successfully authenticated you can create a com.sun.net.httpserver.HttpPrincipal which you return inside a com.sun.net.httpserver.Authenticator.Success instance. Hopefully that will set up the retrieval of the principal in the web service implementation. Inside the web service implementation inject the javax.xml.ws.WebServiceContext (see A little bit about Message Context in JAX-WS) and use getUserPrincipal() to retrieve the principal.

Now there is one real problem with all of the above - all the security measures are HTTP based. Web service security measures are supposed to be XML and SOAP based. The JAX-WS RI doesn't support WS-Security out of the box and needs at least the XWSS, possibly even the WSIT extension which I doubt will work on the Lightweight HttpServer - you'll probably have to go with a container like Tomcat or better.