
I have developed a web service using Spring + XSD + Payload. I have a requirement of authenticating the request header with the username and password coming in the SOAP request header, which I achieved with SoapUI.

I'm able to generate the below header in the request:

   <soapenv:Envelope xmlns:jaxb="http://jaxb.miws.sg.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:UsernameToken wsu:Id="UsernameToken-C3092BFBAE5B212E93144378035575013">
   <wsse:Username>User</wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
   <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">CT1Fyo/g2WMaadE52bsnkg==</wsse:Nonce>
   <wsu:Created>2015-10-02T10:05:55.750Z</wsu:Created>
   </wsse:UsernameToken>
   </wsse:Security>
   </soapenv:Header>

Now I want to validate the header elements for userName and Password.

Ex:

Case 1: userName=User and Password=test // Authentication passes and gives response Success

Case 2: userName=User1 and Password=test1 // Authentication fails and gives response Failure

Please help me with suitable samples to achieve the same.

haja

2 Answers


Handlers in SOAP web services (similar to Interceptors/Filters) can be used for authentication on the server side, and then chain the request further. Please have a look at SOAPHandler to parse the header information from the payload and authenticate the username/password: SOAP Handler at Server Side

Saurav

Here are some steps to do that:

  1. Implement a SOAPHandler class by writing a custom handleMessage method.
  2. Within the handleMessage method, evaluate the context's MESSAGE_OUTBOUND_PROPERTY. If it is false (meaning it is an inbound message), then write code that introspects the context.getMessage(). There you can evaluate the MIME headers, the security headers & tokens and the body, to determine if you need to reject the authentication credential. If you do, return false at the end of the method.
  3. Add the SOAPHandler you created to the service's Handler chain.

Example of a SOAPHandler:

import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class MyCustomSoapHandler implements SOAPHandler<SOAPMessageContext>
{
  // QNames of the SOAP header blocks this handler declares it understands (none here)
  public Set<QName> getHeaders()
  {
    return Collections.emptySet();
  }

  public boolean handleMessage(SOAPMessageContext messageContext)
  {
     // true for messages leaving this side (responses), false for inbound requests
     Boolean outboundProperty = (Boolean)
         messageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

     if (outboundProperty.booleanValue()) {
         //This is for handling messages going out of the conduit
     } else {
         //Here is where you want to authenticate
     }

     return true; //return false if you do not want to proceed to the next handler in the chain
  }

  public boolean handleFault(SOAPMessageContext messageContext)
  {
    return true;
  }

  public void close(MessageContext messageContext)
  {
  }
}

Here is a starter template for your SOAPHandler that you need to add to your Service's handlerChain:

import javax.annotation.Resource;
import javax.jws.HandlerChain;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@WebService(name = "Handler", targetNamespace = "http://example.org")
@HandlerChain(file="handler-chain.xml")
public class HandlerWS
{
  @Resource
  WebServiceContext ctx;

  // Exposes a message-context property so the effect of the handler chain can be observed
  @WebMethod()
  public String getProperty(String propertyName)
  {
    return (String) ctx.getMessageContext().get(propertyName);
  }
}

You'll also need to add the handler-chain.xml to your classpath:

<?xml version="1.0" encoding="UTF-8"?>
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
  <handler-chain>
    <handler>
      <handler-class>examples.webservices.handler.Handler1</handler-class>
    </handler>
    <handler>
      <handler-class>examples.webservices.handler.Handler2</handler-class>
    </handler>
  </handler-chain>
</handler-chains>

For a complete guide, see Oracle's guide to creating SOAPHandlers.

cosbor11
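As an added example that is not part of the question or either answer: a handler in the shape the second answer describes, filled in to validate the wsse:UsernameToken header shown in the question (Case 1 passes, Case 2 gets a SOAP fault). The class name, the hard-coded User/test credential and the fault details are assumptions of this example, not anything from the posts.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String EXPECTED_USER = "User", EXPECTED_PASSWORD = "test"; // constructed sample; use a real user store
    // Declaring wsse:Security as understood keeps a mustUnderstand="1" header from being rejected before we check it.
    public Set<QName> getHeaders() { return Collections.singleton(new QName(WSSE_NS, "Security")); }
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true; // responses pass through
        SOAPElement header = null;
        try { header = ctx.getMessage().getSOAPHeader(); } catch (SOAPException e) { /* some SAAJ impls throw when <Header> is absent */ }
        SOAPElement security = header == null ? null : firstChild(header, "Security");
        SOAPElement token = security == null ? null : firstChild(security, "UsernameToken");
        SOAPElement user = token == null ? null : firstChild(token, "Username");
        SOAPElement pwd = token == null ? null : firstChild(token, "Password");
        // Only PasswordText is accepted; a PasswordDigest token needs nonce/created hashing, never a raw compare.
        if (user == null || pwd == null || !PASSWORD_TEXT.equals(pwd.getAttribute("Type"))
                || !constantTimeEquals(user.getValue(), EXPECTED_USER)
                || !constantTimeEquals(pwd.getValue(), EXPECTED_PASSWORD)) throw authFailure(); // Case 2: Failure
        return true; // Case 1: credentials accepted, the request continues down the chain to the endpoint
    }
    // A SOAP 1.1 Client fault goes back to the caller; plain "return false" would instead reverse message direction.
    private static SOAPFaultException authFailure() {
        try {
            return new SOAPFaultException(SOAPFactory.newInstance().createFault("Authentication failed",
                    new QName("http://schemas.xmlsoap.org/soap/envelope/", "Client")));
        } catch (SOAPException e) { throw new RuntimeException(e); }
    }
    private static SOAPElement firstChild(SOAPElement parent, String localName) {
        java.util.Iterator<?> it = parent.getChildElements(new QName(WSSE_NS, localName));
        return it.hasNext() ? (SOAPElement) it.next() : null;
    }
    // MessageDigest.isEqual compares in constant time for equal lengths, so timing does not reveal matching prefixes.
    static boolean constantTimeEquals(String actual, String expected) {
        return actual != null && MessageDigest.isEqual(actual.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }
    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    public void close(MessageContext ctx) { }
}
```

Register it through handler-chain.xml as in the answer above; since PasswordText carries the password in clear, the endpoint must only be reachable over TLS, and the Nonce/Created values shown in the question are not checked here.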