User authentication in SOAP Webservices
Solution 1:
JAAS does not define how the authentication information should look like in SOAP, but WS-Security defines what kind of standardized tokens you can use during client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos Token).
EDIT: With respect to Metro WebService stack, you need (steps taken from here and here):
- Inject the handler that implements javax.xml.ws.handler.soap.SOAPHandler into the JAX-WS handler chain, either programmatically via ((BindingProvider)port).getBinding().setHandlerChain(Collections.singletonList(handler)) or declaratively by adding the @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.
- The handler should create an XWSSProcessor instance using XWSSProcessorFactory, which is passed the callback handler that implements javax.security.auth.callback.CallbackHandler.
- The callback handler e.g. defines a validator on callback (depends on callback type).
This is the same as "doing by hand" (as the 1st step is to intercept the SOAP message anyway), with some WSS sugar on top. But WSIT (and CXF) use the JAAS API and they provide standard implementations for various authentication tokens. Enabling them needs some configuration / coding effort, but the benefit is that if you later decide to switch from plaintext to Kerberos authentication, you don't need to code a lot. Also "doing by hand" means that you need to deal with authentication information on the XML level, and what you'll do is implement one of the standards.
I suggest using Apache CXF, which is based on WSS4J – the WS-Security implementation from Apache. You can easily find tutorials (e.g. here and here for Username+password, here and here for SAML) that show how to define callbacks / interceptors to verify authentication information. The advantage of CXF is that it has nice integration with Spring.
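As an added illustration of the handler-chain step described in the answer (this is example code, not the answer's or Metro's own): a server-side SOAPHandler that reads a WS-Security UsernameToken with plain SAAJ calls and hands the credentials to a hypothetical Validator hook, the place where an XWSS or WSS4J validator would normally sit. The class name, the Validator interface and the plaintext-only policy are assumptions; the handler is registered with @HandlerChain or setHandlerChain exactly as the answer describes.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;
public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Assumed hook; in production back it with an XWSS/WSS4J validator or a JAAS LoginModule.
    public interface Validator { boolean accept(String user, String password); }
    private final Validator validator;
    public UsernameTokenHandler(Validator validator) { this.validator = validator; }
    @Override public Set<QName> getHeaders() {
        // Declares that wsse:Security is understood, so a mustUnderstand="1" header is not rejected by the runtime.
        return Collections.singleton(new QName(WSSE, "Security"));
    }
    @Override public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true; // responses pass
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            SOAPElement token = header == null ? null : child(child(header, "Security"), "UsernameToken");
            SOAPElement user = child(token, "Username"), pwd = child(token, "Password");
            // Missing token, a non-PasswordText type (e.g. digest) or bad credentials all fail the same way.
            String type = pwd == null ? "" : pwd.getAttribute("Type");
            if (user == null || pwd == null || !type.endsWith("#PasswordText")
                    || !validator.accept(user.getValue(), pwd.getValue())) {
                throw fault("FailedAuthentication", "The security token could not be authenticated");
            }
            return true;
        } catch (SOAPException e) {
            throw fault("InvalidSecurity", "An error was discovered processing the wsse:Security header");
        }
    }
    private static SOAPElement child(SOAPElement parent, String local) {
        if (parent == null) return null;
        Iterator<?> it = parent.getChildElements(new QName(WSSE, local));
        return it.hasNext() ? (SOAPElement) it.next() : null;
    }
    private static SOAPFaultException fault(String code, String reason) {
        try { // wsse:FailedAuthentication / wsse:InvalidSecurity are the fault codes WS-Security defines for these cases
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason, new QName(WSSE, code)));
        } catch (SOAPException e) { throw new IllegalStateException(e); }
    }
    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

Because every failure path throws the same generic wsse fault, a caller cannot tell a missing user from a wrong password; the Validator should additionally rate-limit or log failed attempts on the server side.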