Container-Managed Security for Web Service
(Tomcat is the reference implementation; it can be used not only to publish RESTful web services as servlets, but also to publish SOAP-based web services.)
It provides not only user authentication but also wire-level security.
Securing the @WebService under Tomcat
You should ensure that the Tomcat connector for SSL/TLS is enabled. A Tomcat connector is an endpoint for client requests. You need to update the Tomcat configuration file config/server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" redirectPort="8443"
SSLEnabled="true" maxThreads="150" scheme="https"
secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/conf/server.keystore" keystorePass="123456" />
The keystore and truststore have the same format; the client uses its truststore to check the certificate presented by Tomcat.
Client code to invoke the web service:
public class Test {
    /** WSDL-qualified HTTPS endpoint of the service deployed in Tomcat. */
    public static final String END_POINT = "https://localhost:8443/WebServiceExample/tc?wsdl";

    /**
     * Calls the temperature-conversion service over the TLS connector, passing the
     * demo credentials as plain HTTP request headers, and prints both conversions.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        TempConvertImplService serviceFactory = new TempConvertImplService();
        TempConvert converter = serviceFactory.getTempConvertImplPort();
        BindingProvider provider = (BindingProvider) converter;

        Map<String, Object> requestContext = provider.getRequestContext();
        requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, END_POINT);
        // Credentials travel as ordinary request headers, so a non-Java client can send
        // them the same way; in transit they are protected only by the TLS connector.
        requestContext.put(MessageContext.HTTP_REQUEST_HEADERS, credentialHeaders());

        System.out.println(converter.c2F(12.f));
        System.out.println(converter.f2C(-40.1f));
    }

    /**
     * Builds the Username/Password headers that the service's authenticated() check reads.
     * NOTE(review): the service listing compares the password against "123456"; the
     * literal here differs — confirm which value is intended.
     */
    private static Map<String, List<String>> credentialHeaders() {
        Map<String, List<String>> headers = new HashMap<String, List<String>>();
        headers.put("Username", Collections.singletonList("localhost"));
        headers.put("Password", Collections.singletonList("123456tt"));
        return headers;
    }
}
在SEI中添加authenticated()进行Authentication
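@WebService(endpointInterface="com.csc.ws.temp.TempConvert")
public class TempConvertImpl implements TempConvert {

    /** Injected by the JAX-WS runtime; gives access to the per-request MessageContext. */
    @Resource
    WebServiceContext ws_ctx;

    /** Names of the request headers the client listing sends. */
    private static final String USERNAME_HEADER = "Username";
    private static final String PASSWORD_HEADER = "Password";

    // Demo credentials for this example. A deployed service would check credentials
    // against the container's realm or a credential store rather than literals in code.
    private static final String EXPECTED_USER = "localhost";
    private static final String EXPECTED_PASSWORD = "123456";

    /**
     * Converts Celsius to Fahrenheit.
     *
     * @param c temperature in degrees Celsius
     * @return the same temperature in degrees Fahrenheit
     * @throws HTTPException with status 401 when the request carries no valid credentials
     */
    @Override
    public float c2f(float c) {
        requireAuthenticated();
        return 32.0f + (c * 9.0f / 5.0f);
    }

    /**
     * Converts Fahrenheit to Celsius.
     *
     * @param c temperature in degrees Fahrenheit
     * @return the same temperature in degrees Celsius
     * @throws HTTPException with status 401 when the request carries no valid credentials
     */
    @Override
    public float f2c(float c) {
        requireAuthenticated();
        return (5.0f / 9.0f) * (c - 32.0f);
    }

    /** Shared guard for every operation: rejects the request with HTTP 401 unless authenticated. */
    private void requireAuthenticated() {
        if (!authenticated()) {
            System.err.println("Authentication failure with exception ");
            throw new HTTPException(401);
        }
    }

    /**
     * Checks the Username/Password HTTP headers of the current request against the
     * expected demo credentials.
     *
     * Returns false instead of throwing when the context, the header map or either
     * header is absent, so an unauthenticated request gets a clean 401 rather than a
     * NullPointerException surfacing as a server error.
     *
     * @return true only when both headers are present and contain the expected values
     */
    private boolean authenticated() {
        if (ws_ctx == null) {
            return false;
        }
        MessageContext mctx = ws_ctx.getMessageContext();
        if (mctx == null) {
            return false;
        }
        // JAX-WS documents HTTP_REQUEST_HEADERS as Map<String, List<String>>.
        @SuppressWarnings("unchecked")
        Map<String, List<String>> httpHeaders =
                (Map<String, List<String>>) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (httpHeaders == null) {
            return false;
        }
        // NOTE(review): header-name case handling depends on how the runtime populates
        // this map; confirm the lookup keys match what the container delivers.
        List<String> users = httpHeaders.get(USERNAME_HEADER);
        List<String> passwords = httpHeaders.get(PASSWORD_HEADER);
        if (users == null || passwords == null) {
            return false;
        }
        return users.contains(EXPECTED_USER) && passwords.contains(EXPECTED_PASSWORD);
    }
}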