
Add HTTP basic authentication to SOAP web service.


Hello there, I have been working on a SOAP web service which I implemented using Spring WS libraries and I want to secure it through the use of basic HTTP authorization in order to not allow everyone to consume it. I have managed to protect the URL by adding this to the web.xml file:

<!-- Require authentication for every URL under /ws/ (GET and POST) -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Email webservice</web-resource-name>
        <url-pattern>/ws/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- Only callers holding the "manager" role may access the collection -->
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
    <!-- NONE: no TLS requirement, so the Basic credentials are sent in clear text -->
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Declares the role referenced by the auth-constraint above -->
<security-role>
    <role-name>manager</role-name>
</security-role>

<!-- Use HTTP Basic authentication (the browser pop-up) -->
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

When I try to access the URL /ws/* an authorization pop-up is shown. The problem is I don't know how to configure a user, so the pop-up keeps showing and nobody can consume the web service. I've tried to add a Tomcat user by modifying the tomcat-users.xml file with the following code, but it still doesn't work:

<!-- The role named in web.xml, and one user that holds it -->
<role rolename="manager"/>
<user username="admin" password="nimda" roles="manager"/>

Any suggestion would be appreciated, even another way to implement this security feature. I have been reading about OAuth2 but I've come to the conclusion that it is oriented to REST web services. Thank you in advance.

Answers (1)

Hi again,

I just found the solution and I would like to share it with you in case someone was in the same situation.

The problem was that I wasn't in the right directory. You have to make sure that the server.xml and tomcat-users.xml files you are editing are placed in platform/tomcat/conf. If the latter doesn't exist, just create it and make sure to wrap the role and the user with the <tomcat-users> tag. You also have to modify server.xml in order to add the realm, which is kind of a database that stores the users you define in the tomcat-users.xml file.

Include this resource inside the <GlobalNamingResources> tag:

<!-- In-memory user database loaded from conf/tomcat-users.xml -->
<Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml"/>

And this realm inside the <Engine> tag:

<!-- LockOutRealm wraps the user-database realm and locks an account after repeated failed logins -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- Authenticates against the UserDatabase resource declared above -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
</Realm>

Restart the server and you should be able to consume the resources using the credentials.
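As an added check that is not part of the answer above (example code, not from the poster or from Tomcat), this script cross-checks a web.xml security-constraint against tomcat-users.xml before the restart: it catches the role mismatch or empty user database that leaves the pop-up looping, and it flags a transport-guarantee of NONE, under which Basic credentials cross the network in clear text. The two XML strings are constructed samples mirroring the thread's files.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the thread's web.xml and tomcat-users.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Email webservice</web-resource-name>
      <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="nimda" roles="manager"/>
</tomcat-users>"""

def _local(tag):
    # Drop a default namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}.
    return tag.rsplit("}", 1)[-1]

def check_basic_auth(web_xml, tomcat_users_xml):
    """Return a list of findings; an empty list means the two files agree."""
    web = ET.fromstring(web_xml)
    users = ET.fromstring(tomcat_users_xml)
    defined = {r.get("rolename") for r in users.iter() if _local(r.tag) == "role"}
    held = set()  # roles actually granted to at least one user
    for u in users.iter():
        if _local(u.tag) == "user":
            held.update(r.strip() for r in (u.get("roles") or "").split(",") if r.strip())
    findings = []
    for sc in web.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        where = ", ".join((e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern")
        for e in sc.iter():
            name, text = _local(e.tag), (e.text or "").strip()
            if name == "role-name" and text not in defined:
                findings.append(f"{where}: role '{text}' is not defined in tomcat-users.xml")
            elif name == "role-name" and text not in held:
                findings.append(f"{where}: no user holds role '{text}', so every request gets 401")
            elif name == "transport-guarantee" and text.upper() != "CONFIDENTIAL":
                findings.append(f"{where}: transport-guarantee is not CONFIDENTIAL, so Basic "
                                "credentials cross the network in clear text")
    return findings
```

Run it against the real files by reading them into the two arguments; the sample pair above passes the role checks and reports only the clear-text transport.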