Reputation: 31
I am writing Java web services that need to accept a user name and password from the caller for internal authentication before providing the response. What is the standard way (or best practice) to do that? Is it in the SOAP header, or should it be supplied as one of the message parameters? Where can I find code examples for that? Thank you.
Upvotes: 3
Views: 3071
Reputation: 7523
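Username and password are generally sent as parts in the HTTP headers. JAX-WS provides constants USERNAME_PROPERTY and PASSWORD_PROPERTY for easy handling of these properties on the server. You will have to write an HTTP handler for accessing these values.

    import com.sun.net.httpserver.Headers;
    import com.sun.net.httpserver.HttpExchange;
    import java.util.List;
    import javax.xml.ws.BindingProvider;
    void authenticate(HttpExchange ex) {
        Headers headers = ex.getRequestHeaders();
        // Headers.get returns every value sent for the header name, or null if absent
        List<String> user = headers.get(BindingProvider.USERNAME_PROPERTY);
        List<String> pass = headers.get(BindingProvider.PASSWORD_PROPERTY);
    }

Call this method from the public void handle(HttpExchange ex) method of your HttpHandler.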
Upvotes: 0
Reputation: 15703
I like the Java 5 EE tutorials for these kinds of things; there are code samples and links to resources. http://download.oracle.com/javaee/5/tutorial/doc/bncbx.html
Another really good website for the security side of things in more depth is OWASP, at https://www.owasp.org/index.php/Main_Page. They are the experts in web security IMHO. We used their APIs at a bank I worked at recently.
HTH, James
Upvotes: 0
Reputation: 35018
The standard way for providing usernames and passwords is using WS-Security, which provides security information in the SOAP header:

    <SOAP-ENV:Header>
      <wsse:Security SOAP-ENV:mustUnderstand="1"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:UsernameToken
            wsu:Id="UsernameToken-29477163"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Username>username</wsse:Username>
          <wsse:Password>verySecret</wsse:Password>
        </wsse:UsernameToken>
      </wsse:Security>
    </SOAP-ENV:Header>

WSS4J implements the WS-Security headers for Java.
Upvotes: 1