JAX-WS basic authentication using realm

I have a JAX-WS web service and I'm using basic authentication. I'll show you the 2 snippets of code that matter first in my problem.

Web service method

@WebMethod(operationName = "createBook")
public String createBook(@WebParam(name = "name") Book entity) 
{
    Logger LOG = Logger.getLogger(Bookservice.class.getName());
    LOG.log(Level.INFO, secure_ctx.getUserPrincipal().getName()); 

Web service client

private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
    // TODO add your handling code here:
    Soapservice ss = new Soapservice();
    Bookservice bs = ss.getBookservicePort();
    //com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true;
    //client.addFilter(new LoggingFilter());
    try
    {
        System.setProperty("javax.xml.bind.JAXBContext", "com.sun.xml.internal.bind.v2.ContextFactory");
        // Basic-auth credentials are set on this port's request context
        BindingProvider bind_provider = (BindingProvider) bs;
        bind_provider.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "tom");
        bind_provider.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "jones");
        this.jTextField1.setText(bs.createBook(null));
    } catch (Exception e)
    {
        java.util.logging.Logger LOG = java.util.logging.Logger.getLogger(testframe.class.getName());
        LOG.log(Level.SEVERE, null, e);
    }
}

The authentication doesn't work with correct login details or not. Also the server log produces the correct principal name sometimes, but when it does and I change the username, "admin" comes up. When I change it back to the original username the server log remains "admin". I used this mechanism in a REST service using Jersey and had no problems.

Does anyone know if this is to do with not having a servlet adapter mapping in my web.xml?

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>soapservice</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Access to book services</description>
        <role-name>administrator</role-name>
        <role-name>developer</role-name>
        <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jdbcr</realm-name>
</login-config>
<security-role>
    <description>Has complete priviligies on access to soap api</description>
    <role-name>administrator</role-name>
</security-role>
<security-role>
    <description>Develops applications using soap api, has certain priviligies</description>
    <role-name>developer</role-name>
</security-role>
<security-role>
    <description>Has access to users and their role priviligies</description>
    <role-name>manager</role-name>
</security-role>
</web-app>

My log output changes in run time, makes no sense.

INFO: david
INFO: david
INFO: admin
INFO: admin
INFO: admin

David is a correct user, I don't know where admin came from??

You should have a servlet mapping in the web.xml based on the web service engine you are using. For example, I use the Metro stack on Tomcat and have the following web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<listener>
    <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
</listener>
<servlet>
    <servlet-name>CallNotificationService</servlet-name>
    <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>CallNotificationService</servlet-name>
    <url-pattern>/CallNotificationService</url-pattern>
</servlet-mapping>
<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
</web-app>

You need to let the container know who is processing the incoming request. However, this will not solve an authentication issue. Are you sure it is an authentication issue and not just a configuration problem on the server?
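
A diagnostic for the question the answer ends on, as an added example that is not code from either post: a JAX-WS endpoint that logs the username the client sent in the Authorization header beside the principal the container authenticated and the web.xml roles it holds, so a mismatch such as "david" versus "admin" shows up in one log line. `AuthDiagService` and `whoAmI` are hypothetical names, and the code assumes a Java EE 6 container with the `javax.*` JAX-WS API and Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

// Hypothetical diagnostic endpoint: class and operation names are illustrative.
@WebService
public class AuthDiagService {
    private static final Logger LOG = Logger.getLogger(AuthDiagService.class.getName());
    // Role names taken from the <security-role> entries in the question's web.xml.
    private static final String[] ROLES = {"administrator", "developer", "manager"};

    @Resource
    private WebServiceContext ctx; // injected by the JAX-WS runtime

    @WebMethod(operationName = "whoAmI")
    public String whoAmI() {
        String authenticated = ctx.getUserPrincipal() == null ? "<none>" : ctx.getUserPrincipal().getName();
        StringBuilder roles = new StringBuilder();
        for (String r : ROLES) if (ctx.isUserInRole(r)) roles.append(r).append(' ');
        String line = "sent=" + sentUsername(ctx.getMessageContext())
                + " authenticated=" + authenticated + " roles=" + roles.toString().trim();
        LOG.info(line);
        return line;
    }

    // Username from the Authorization: Basic header; the password is never logged.
    @SuppressWarnings("unchecked")
    static String sentUsername(MessageContext mc) {
        Map<String, List<String>> headers = (Map<String, List<String>>) mc.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (headers == null) return "<no headers>";
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (!"authorization".equalsIgnoreCase(e.getKey())) continue;
            for (String v : e.getValue()) {
                if (!v.regionMatches(true, 0, "Basic ", 0, 6)) continue;
                try {
                    String creds = new String(Base64.getDecoder().decode(v.substring(6).trim()), StandardCharsets.UTF_8);
                    int colon = creds.indexOf(':');
                    String user = colon < 0 ? creds : creds.substring(0, colon);
                    return user.replaceAll("[\\r\\n]", "_"); // keep log lines intact
                } catch (IllegalArgumentException ex) { return "<malformed>"; }
            }
        }
        return "<no Authorization header>";
    }
}
```

If `sent` and `authenticated` differ, the request was authenticated from something other than the credentials in that request's header; if `sent` shows no header at all, the client never attached the credentials.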
