There are different ways to secure SOAP-based web services:
1. Username/Password
2. Timestamp
3. Encryption/ Decryption
4. Digital Signature
Among these, the most common and easiest type of security is username/password. It is very similar to a web application that starts with a login page for authentication.
Spring-WS provides an API for this kind of security.
Extending the example from the previous post, which hosts a SOAP-based web service, we apply username security here.
The following tags need to be added to *-servlet.xml.
<sws:interceptors>
    <!-- Validates request and response payloads against login.xsd -->
    <bean class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
        <property name="schema" value="/WEB-INF/login.xsd" />
        <property name="validateRequest" value="true" />
        <property name="validateResponse" value="true" />
    </bean>
    <bean class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor">
    </bean>
    <!-- Applies the WS-Security policy defined in securityPolicy.xml -->
    <bean class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="/WEB-INF/securityPolicy.xml" />
        <property name="callbackHandlers">
            <list>
                <!-- <ref bean="keyStoreHandler" /> -->
                <ref bean="callbackHandler" />
            </list>
        </property>
    </bean>
</sws:interceptors>

<!-- In-memory user/password map used to validate the incoming username token -->
<bean id="callbackHandler" class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">
    <property name="users">
        <props>
            <prop key="admin">secret</prop>
            <prop key="clinetUser">pass</prop>
        </props>
    </property>
</bean>
Here XwsSecurityInterceptor is used as an interceptor to apply security. The interceptor refers to securityPolicy.xml, shown below, to apply security. The additional parameters used for security are set in the callbackHandler bean.
securityPolicy.xml
The securityPolicy.xml below states that a request to the service must contain username/password parameters. With passwordDigestRequired="true" and nonceRequired="true", the password must be sent as a digest and accompanied by a nonce. If the request does not meet the policy, the response is a FAULT.
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true" />
</xwss:SecurityConfiguration>
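The token a client has to send to satisfy this policy, and the checks a server makes on it, can be sketched as follows. This is an added example, not code from the original post or from Spring-WS; it uses the WS-Security UsernameToken Profile 1.0 digest formula, and the function names and the five-minute freshness window are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Users copied from the callbackHandler bean on this page. The server needs the
# cleartext password to recompute the digest, so storing only a hash won't work.
USERS = {"admin": "secret", "clinetUser": "pass"}
MAX_AGE = timedelta(minutes=5)  # assumed freshness window for this sketch
FMT = "%Y-%m-%dT%H:%M:%SZ"      # UTC timestamp format used for wsu:Created


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_token(username: str, password: str, now: datetime) -> dict:
    """Client side: the values placed in the wsse:UsernameToken header."""
    nonce = os.urandom(16)
    created = now.strftime(FMT)
    return {
        "Username": username,
        "Password": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


def verify_token(token: dict, seen_nonces: set, now: datetime) -> bool:
    """Server side: reject unknown users, stale or replayed tokens, bad digests."""
    password = USERS.get(token["Username"])
    if password is None:
        return False
    created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > MAX_AGE:
        return False
    if token["Nonce"] in seen_nonces:  # same nonce seen before: replayed message
        return False
    expected = password_digest(base64.b64decode(token["Nonce"]),
                               token["Created"], password)
    if not hmac.compare_digest(expected, token["Password"]):  # constant-time compare
        return False
    seen_nonces.add(token["Nonce"])
    return True
```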
Once deployed, the service can be tested using SOAP UI. The complete description is provided here.