验证JAX-WS Web服务中的凭证

Question

I'd like to validate user and password values in a Java webservice operation. Credentials have to be in a database, but to avoid calling multiple times to this layer I have a cache. I've been thinking to use a Filter ( http://viralpatel.net/blogs/tutorial-java-servlet-filter-example-using-eclipse-apache-tomcat/ ) and map this filter to the servlet that acts as the endpoint, but this way all operations from my endpoint will have to use this filter. What if one operation has not to be authenticated?

I've found that in the example at http://docs.oracle.com/cd/E19226-01/820-7627/bnccv/index.html the following is used in web.xml :

<auth-constraint>
    <role-name>SomeName</role-name>
</auth-constraint>

I can authenticate using roles but users have to be added in application server and I don't want that.

What is the best option?

Thanks

Answer 1

One option is using HTTP headers where you can send parameters like username and password. Using the webservicecontext you can access to HTTP_REQUEST_HEADERS.

@Resource
WebServiceContext wsctx;

@Override
public String callOperation() {

MessageContext mctx = wsctx.getMessageContext();

//get detail from request headers
    Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
    List userList = (List) http_headers.get("Username");
    List passList = (List) http_headers.get("Password");


    String username = "";
    String password = "";
    // do whatever you want with user and password

Hope this helps to other people.