Container-Managed Security for Web Service
(Tomcat is the reference implementation; it can be used not only to publish RESTful web services as servlets but also to publish SOAP-based web services.)
It provides not only user authentication but also wire-level security.
Securing the @WebService under Tomcat
You should ensure that the Tomcat connector for SSL/TLS is enabled. A Tomcat connector is an endpoint for client requests. You need to update the Tomcat configuration file conf/server.xml:
<!-- HTTPS connector: clientAuth="false" means one-way TLS (the server presents a certificate, the client does not);
     keystoreFile/keystorePass point at the keystore holding Tomcat's private key and certificate -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000" redirectPort="8443"
           SSLEnabled="true" maxThreads="150" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/conf/server.keystore" keystorePass="123456" />
The keystore and truststore have the same format; the client uses its truststore to verify the certificate presented by Tomcat.
Client code to invoke the web service:
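The truststore side of that statement, written out as an added example (this is not code from the original post): the client loads its own truststore, builds an SSLContext that trusts only the certificates in it, and installs that context before the JAX-WS stub fetches the WSDL over HTTPS. Assumptions: a PKCS12 truststore file named client.truststore protected by the password "changeit" that contains Tomcat's server certificate, and the generated stub classes TempConvertImplService and TempConvert from the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.ws.BindingProvider;

public class TrustedClient {
    public static final String END_POINT = "https://localhost:8443/WebServiceExample/tc?wsdl";

    /** Build an SSLContext that trusts only the certificates found in the given truststore. */
    static SSLContext sslContextFromTruststore(String path, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");       // assumed truststore format
        try (InputStream in = new FileInputStream(path)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManagers: one-way TLS, matching clientAuth="false" on the connector.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name and password; in a deployment these come from configuration.
        SSLContext ctx = sslContextFromTruststore("client.truststore", "changeit".toCharArray());

        // JAX-WS uses HttpsURLConnection underneath, so the default factory applies to the stub.
        // This must happen before the service is constructed, because the constructor fetches the WSDL.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is left in place on purpose: the certificate must match "localhost".

        TempConvertImplService svc = new TempConvertImplService();
        TempConvert port = svc.getTempConvertImplPort();
        ((BindingProvider) port).getRequestContext()
                .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, END_POINT);

        System.out.println("100 C = " + port.c2F(100.0f) + " F");
    }
}
```

Installing a dedicated truststore this way is preferable to the common shortcut of replacing the TrustManager with one that accepts every certificate: with the shortcut the connection is still encrypted, but anyone who can intercept traffic to port 8443 can present their own certificate and read the Username and Password headers the client sends.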
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;

public class Test {
    public static final String END_POINT = "https://localhost:8443/WebServiceExample/tc?wsdl";

    /**
     * @param args
     */
    public static void main(String[] args) {
        // The JVM must trust Tomcat's certificate (via its truststore),
        // otherwise the HTTPS fetch of the WSDL fails before any call is made.
        TempConvertImplService port = new TempConvertImplService();
        TempConvert service = port.getTempConvertImplPort();

        // Point the generated stub at the HTTPS endpoint.
        Map<String, Object> req_ctx = ((BindingProvider) service).getRequestContext();
        req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, END_POINT);

        // Place username and password into HTTP headers, which a non-Java client could do as well.
        Map<String, List<String>> hdr = new HashMap<String, List<String>>();
        hdr.put("Username", Collections.singletonList("localhost"));
        hdr.put("Password", Collections.singletonList("123456tt"));
        req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, hdr);

        System.out.println(service.c2F(12.f));
        System.out.println(service.f2C(-40.1f));
    }
}
Add an authenticated() method to the SEI implementation to perform authentication:
import java.util.List;
import java.util.Map;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.http.HTTPException;

@WebService(endpointInterface = "com.csc.ws.temp.TempConvert")
public class TempConvertImpl implements TempConvert {
    // Injected by the container; gives access to the per-request MessageContext.
    @Resource
    WebServiceContext ws_ctx;

    @Override
    public float c2f(float c) {
        if (authenticated()) {
            return 32.0f + (c * 9.0f / 5.0f);
        } else {
            System.err.println("Authentication failure");
            throw new HTTPException(401);
        }
    }

    @Override
    public float f2c(float c) {
        if (authenticated()) {
            return (5.0f / 9.0f) * (c - 32.0f);
        } else {
            System.err.println("Authentication failure");
            throw new HTTPException(401);
        }
    }

    @SuppressWarnings("unchecked")
    private boolean authenticated() {
        MessageContext mctx = ws_ctx.getMessageContext();
        Map<String, List<String>> http_headers =
                (Map<String, List<String>>) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (http_headers == null) return false;

        List<String> uList = http_headers.get("Username");
        List<String> plist = http_headers.get("Password");
        // A missing header must fail closed (401) instead of throwing a NullPointerException (500).
        if (uList == null || plist == null) return false;

        return uList.contains("localhost") && plist.contains("123456");
    }
}
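The check above compares the header values against literals compiled into the class. As an added example (not part of the original post), here is a hardened replacement for authenticated() that keeps the same "Username"/"Password" header contract but stores only a salted PBKDF2 hash of each password, tolerates missing or repeated headers, and compares with MessageDigest.isEqual so the comparison time does not depend on where the first differing byte is. The HeaderAuthenticator class, its addUser() provisioning method and the demo credential in main() are all assumptions of this example; the only value taken from the post is the "localhost"/"123456" pair.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HeaderAuthenticator {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** One user's stored credential: salt plus PBKDF2 hash, never the password itself. */
    static final class Credential {
        final byte[] salt;
        final byte[] hash;
        Credential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Map<String, Credential> users = new HashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Provisioning step (assumed to run once, outside the request path): store a salted hash. */
    void addUser(String name, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        users.put(name, new Credential(salt, pbkdf2(password, salt)));
    }

    /** Returns the header's single value, or null if the header is absent, empty or repeated. */
    static String single(Map<String, List<String>> headers, String name) {
        if (headers == null) return null;
        List<String> values = headers.get(name);
        return (values != null && values.size() == 1) ? values.get(0) : null;
    }

    /** Replacement for the post's authenticated(): takes the HTTP_REQUEST_HEADERS map directly. */
    boolean authenticated(Map<String, List<String>> headers) {
        String user = single(headers, "Username");
        String pass = single(headers, "Password");
        if (user == null || pass == null) return false;   // fail closed, no NullPointerException
        Credential cred = users.get(user);
        // Hash against a dummy salt for unknown users so response time does not reveal which usernames exist.
        byte[] salt = (cred != null) ? cred.salt : new byte[SALT_BYTES];
        byte[] computed = pbkdf2(pass.toCharArray(), salt);
        return cred != null && MessageDigest.isEqual(computed, cred.hash);
    }

    public static void main(String[] args) {
        HeaderAuthenticator auth = new HeaderAuthenticator();
        auth.addUser("localhost", "123456".toCharArray());   // the post's demo credential

        // Constructed header maps standing in for what MessageContext.HTTP_REQUEST_HEADERS would hold.
        Map<String, List<String>> complete = new HashMap<>();
        complete.put("Username", Collections.singletonList("localhost"));
        complete.put("Password", Collections.singletonList("123456"));
        Map<String, List<String>> missingPassword = new HashMap<>();
        missingPassword.put("Username", Collections.singletonList("localhost"));

        System.out.println("complete headers  -> " + auth.authenticated(complete));
        System.out.println("password missing  -> " + auth.authenticated(missingPassword));
    }
}
```

Inside the endpoint, authenticated() would be called with the map obtained from ws_ctx.getMessageContext().get(MessageContext.HTTP_REQUEST_HEADERS), exactly as in the post. Note that this is still application-managed authentication; the container-managed alternative the page title refers to is a security-constraint in web.xml with a CONFIDENTIAL transport guarantee and a realm-backed login method, after which the endpoint reads the already-verified identity from ws_ctx.getUserPrincipal() instead of parsing headers itself.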