WEB Services Security-HTTP Basic authentication

Source: Internet
Author: User
Tags http authentication

According to RFC 2617, HTTP has two standard authentication methods, BASIC and DIGEST. With HTTP Basic authentication, the client must present a user name and password to be authenticated within a specified domain (REALM).

As the name "HTTP Basic Authentication" suggests, it is the simplest form of authentication, and it has been widely used for a long time. When you access a resource protected by Basic authentication over HTTP, the server typically answers the request with a "401 Authentication required" response, which tells the client to supply user credentials before it can use the resource. If you access such a resource with a visual browser such as Internet Explorer or Mozilla Firefox, the browser pops up a window that lets you enter a user name and password; if the user name is in the resource provider's validation list and the password is exactly correct, the user can then access the restricted resource.

HTTP Basic Authentication Introduction

The basic process of HTTP Basic authentication is shown in Figure 1.

Figure 1. Basic HTTP Authentication Process

With HTTP Basic authentication, a client that accesses a restricted resource over HTTP uses a user name and password to obtain authentication in a specified domain (REALM). Before we begin, we need to understand the meaning of the following terms:

    1. Authentication. A confirmation process through which you determine whether an object is the object it claims to be. This usually involves a user name and password, but it may also be a proof of identity or a biometric feature such as the retina.
    2. Realm, or domain. A Realm is a "database" of user names and passwords that is typically used to hold and identify the users and passwords valid in one or more Web applications. It also defines the roles of each valid user.

This article describes how to use HTTP BASIC authentication to protect Web Services endpoints. When a Web Services endpoint is configured as a restricted resource that is only accessible through Basic HTTP authentication, the user must provide a user name and password to use it; the basic process is shown in Figure 2.

Figure 2. Web Services Client Access restricted Web Services service process

To configure Basic authentication for the WEB application:

  1. Open the "conf" folder under the Tomcat installation directory and modify the file "tomcat-users.xml", which stores the user and role definitions that Tomcat preloads; this is the Realm mentioned above. Include the following users and roles inside <tomcat-users>:

     Listing 2. Define users and their roles

         <!-- Web Services invoker role -->
         <role rolename="WsInvokerRole"/>
         <!-- Web Services invokers / users -->
         <user username="Wsaxis" password="Wsaxis" roles="WsInvokerRole"/>

  2. Open the deployment descriptor of the Web application "Tomcataxis" (its web.xml file) and add the following fragment inside <web-app>:

     Listing 3. Configuring security resources

         <!-- configuration for BASIC authentication -->
         <security-constraint>
           <web-resource-collection>
             <web-resource-name>all Web Services endpoints</web-resource-name>
             <url-pattern>/services/*</url-pattern>
           </web-resource-collection>
           <auth-constraint>
             <description>Web Services invokers are allowed to do invocations</description>
             <role-name>WsInvokerRole</role-name>
           </auth-constraint>
         </security-constraint>

         <!-- authentication method -->
         <login-config>
           <auth-method>BASIC</auth-method>
           <realm-name>realm of Web services invokers</realm-name>
         </login-config>

    Within the <security-constraint> fragment, <web-resource-collection> defines the resources the Web application protects, and <url-pattern> selects the resources whose URLs match a given pattern. The fragment above protects the endpoints of all Web services, that is, every URL under /services/.

    The <login-config> fragment selects the Basic authentication method. <realm-name> is only meaningful in Basic authentication mode; it assigns the security realm name, which the browser displays as the title of the login dialog box and which is carried in the HTTP authentication header.

Static call class

    package sample.test.client.runable;

    import java.net.URL;

    import sample.test.ServiceImplServiceLocator;
    import sample.test.ServiceImplSoapBindingStub;

    public class StaticClientTest {
        public static void main(String[] args) {
            try {
                // credentials of the user defined in tomcat-users.xml (Listing 2)
                String userName = "Wsaxis", password = "Wsaxis";
                // operands for the "sum" operation (same values as the dynamic client)
                int addend = 128, augend = 128;
                // generated stub bound to the protected endpoint
                ServiceImplSoapBindingStub sisbs = new ServiceImplSoapBindingStub(
                        new URL("http://localhost:8080/Tomcataxis/services/serviceimpl"),
                        new ServiceImplServiceLocator());
                // the stub sends these as HTTP Basic credentials
                sisbs.setUsername(userName);
                sisbs.setPassword(password);
                System.out.println("Static Client invocation:\n\tthe summation is: "
                        + sisbs.sum(addend, augend));
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Dynamic invocation test code

    package sample.test.client.runable;

    import javax.xml.namespace.QName;
    import javax.xml.rpc.Call;
    import javax.xml.rpc.ParameterMode;
    import javax.xml.rpc.Service;
    import javax.xml.rpc.ServiceFactory;

    public class DynamicClientTest {
        public static void main(String[] args) {
            try {
                String address = "http://localhost:8080/Tomcataxis/services/serviceimpl";
                String namespaceURI = "http://test.sample";
                String serviceName = "ServiceImplService";
                String portName = "ServiceImpl";
                String operationName = "sum";
                // credentials of the user defined in tomcat-users.xml (Listing 2)
                String userName = "Wsaxis", password = "Wsaxis";
                int addend = 128, augend = 128;

                // build the call dynamically through the JAX-RPC API
                ServiceFactory factory = ServiceFactory.newInstance();
                Service service = factory.createService(new QName(serviceName));
                Call call = service.createCall(new QName(portName));
                call.setTargetEndpointAddress(address);
                QName intQName = new QName("http://www.w3.org/2001/XMLSchema", "int");
                call.setOperationName(new QName(namespaceURI, operationName));
                call.addParameter("addend", intQName, ParameterMode.IN);
                call.addParameter("augend", intQName, ParameterMode.IN);
                call.setReturnType(intQName);
                // HTTP Basic credentials for the protected endpoint
                call.setProperty(Call.USERNAME_PROPERTY, userName);
                call.setProperty(Call.PASSWORD_PROPERTY, password);

                Object[] inParams = new Object[2];
                inParams[0] = new Integer(addend);
                inParams[1] = new Integer(augend);
                int value = ((Integer) call.invoke(inParams)).intValue();
                System.out.println("Dynamic Client invocation:\n\tthe summation is: " + value);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
