Securing web services

The process of securing web services is similar to that of protecting a web URL, and we have seen two examples of that in previous sections. We specify <security-constraint> and <login-config> in web.xml. Let’s see how to protect the REST web service we developed in Chapter 9, Creating Web Services:

  1. Copy and import the CourseManagementREST and CourseManagementRESTClient projects from Chapter09 into the workspace for this chapter. As the names suggest, the first project is the REST service, and the second project is a standalone client application that calls the web service.
  2. Deploy the CourseManagementREST project in Tomcat (see the previous section for details on how to do this).
  3. Make sure the testGetCoursesJSON method is called from the main method in CourseManagementClient.java from the CourseManagementRESTClient project.
  4. Run the application (right-click on the file in Project Explorer and select Run As | Java Application), and verify that the service is working fine.

To secure the web service using basic authentication, add the following configuration in web.xml:

<security-constraint>
    <display-name>Admin resources</display-name>
    <web-resource-collection>
        <web-resource-name>admins</web-resource-name>
        <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

With the above configuration, we are protecting every URL whose path starts with /services/ (relative to the application's context root). We have also specified that only users in the admin role can access these URLs, and that the method of authentication is BASIC.

Now, add the <Realm> configuration in server.xml of Tomcat, as described in the previous section. If you run CourseManagementClient.java at this point, you will get an Unauthorized error. This is because the client application is not sending the authentication information—that is, the username and password—along with the GET request. For the basic authentication method, this information should be passed in the Authorization header. The value of this header should be set to Basic, followed by a space and the base64-encoded username:password string; for example, Authorization: Basic dXNlcjE6dXNlcjFfcGFzcw==.

In the preceding header, dXNlcjE6dXNlcjFfcGFzcw== is the base64-encoded format of the user1:user1_pass string.

Let's now modify the testGetCoursesJSON method in CourseManagementClient.java to pass the preceding header information. Here is the code you need to add just before checking the response status:

import java.nio.charset.StandardCharsets;
import java.util.Base64;

String userName = "user1";
String password = "user1_pass";
String authString = userName + ":" + password;
// Encode with an explicit charset rather than the platform default
String encodedAuthStr = Base64.getEncoder().encodeToString(authString.getBytes(StandardCharsets.UTF_8));
// Execute HTTP GET, sending the Basic credentials in the Authorization header
Response response = webTarget.request(MediaType.APPLICATION_JSON)
        .header(HttpHeaders.AUTHORIZATION, "Basic " + encodedAuthStr).get();

Note that java.util.Base64 is available in JDK 1.8 onward. If you are using a version lower than 1.8, you can use org.apache.commons.codec.binary.Base64 from Apache commons-codec. Add the following dependency in pom.xml:

<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.11</version>
</dependency>

Right-click on the project and select Run As | Maven Install. Then encode the string by calling:

encodedAuthStr = new String(org.apache.commons.codec.binary.Base64.encodeBase64(authString.getBytes(StandardCharsets.UTF_8)));

When you run the application now, the web service should execute without any errors.
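To see exactly what the client above puts on the wire, and what Tomcat has to undo on the other side, here is a small stand-alone Java class that builds the Basic Authorization header and parses it back. It is an added example for this section, not code from the CourseManagement projects; the class name BasicAuthHeader and its two methods are assumptions made for illustration. The parse method shows the checks a server-side filter would need: scheme name compared case-insensitively, base64 rejected when malformed, and the decoded string split on the first colon only, since the password may itself contain colons.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example (not part of the book's CourseManagement projects): builds and
// parses the HTTP Basic Authorization header used by the REST client above.
public class BasicAuthHeader {

    /** Builds "Basic <base64(user:pass)>", the same value the client code sends. */
    public static String build(String userName, String password) {
        // RFC 7617: the user-id must not contain a colon, or the header is ambiguous
        if (userName.contains(":")) {
            throw new IllegalArgumentException("user-id must not contain ':'");
        }
        String credentials = userName + ":" + password;
        // Explicit charset; getBytes() without one depends on the platform default
        byte[] raw = credentials.getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /**
     * Parses a header value back into {user, password}.
     * Returns Optional.empty() for a missing header, a non-Basic scheme,
     * invalid base64, or a payload without a colon.
     */
    public static Optional<String[]> parse(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        String trimmed = headerValue.trim();
        int space = trimmed.indexOf(' ');
        // The scheme token is case-insensitive ("basic" is as valid as "Basic")
        if (space < 0 || !trimmed.substring(0, space).equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(trimmed.substring(space + 1).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // payload is not valid base64
        }
        // Split on the FIRST colon only: the password may contain colons itself
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) });
    }

    public static void main(String[] args) {
        String header = build("user1", "user1_pass");
        System.out.println(header); // Basic dXNlcjE6dXNlcjFfcGFzcw==

        String[] creds = parse(header).orElseThrow(IllegalStateException::new);
        System.out.println("user=" + creds[0] + " password=" + creds[1]);

        // Passwords containing a colon survive the round trip intact
        String[] tricky = parse(build("user2", "p:a:s:s")).orElseThrow(IllegalStateException::new);
        System.out.println("password with colons: " + tricky[1]);

        // Anything that is not a well-formed Basic header is rejected
        System.out.println(parse("Bearer abc").isPresent());        // false
        System.out.println(parse("Basic not*base64").isPresent());  // false
        System.out.println(parse("Basic " + Base64.getEncoder()
                .encodeToString("nocolon".getBytes(StandardCharsets.UTF_8))).isPresent()); // false
    }
}
```

Running the class prints the same dXNlcjE6dXNlcjFfcGFzcw== value quoted earlier, which makes the point worth remembering about this scheme: base64 is an encoding, not encryption, so the parse method recovers the password from the header with no key. The Basic credentials are therefore only as protected as the transport that carries them, and the service should be reachable over HTTPS alone.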
