Java – How to add Basic authentication in Apache Axis Web Service (SOAP)

axisbasic-authenticationjavamavensoap

I use a Maven plugin (org.codehaus.mojo > axistools-maven-plugin) + a WSDL file to generate a Soap Web Service.

Genarated files in target/generated-source/wsdl2java/com.comp.proj are:

Foo.java (java interface)
FooServiceLocator.java
FooSoapBindingImpl.java (java empty implementation)
FooSoapBindingSkeleton.java
FooSoapBindingStub.java

In my project, i create FooSoapBindingImpl.java in a package with the same name + add my custom code in this java implementation.

This Web services is ready for use in production.

So, today I add Basic authentication on my client (header => Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==)

How to add a check on this Basic authentication in my Axis Web Service?

Best Answer

The "Axis security section 'Authenticating the caller'" mentions:

Clients can authenticate themselves with client certificates, or HTTP basic authentication.
The latter is too weak to be trustable on a non-encrypted channel, but works over HTTPS.

The MessageContext class will be configured with the username and password of the sender when SOAP messages are posted to the endpoint;*

See an example here.

use the appropriate getters to see these values. Note that Axis does not yet integrate with the servlet API authentication stuff.

See a getter example in this answer.

Tracking it down

At first I thought this was a coercion bug where null was getting coerced to "null" and a test of "null" == null was passing. It's not. I was close, but so very, very wrong. Sorry about that!

I've since done lots of fiddling on wonderfl.net and tracing through the code in mx.rpc.xml.*. At line 1795 of XMLEncoder (in the 3.5 source), in setValue, all of the XMLEncoding boils down to

currentChild.appendChild(xmlSpecialCharsFilter(Object(value)));

which is essentially the same as:

currentChild.appendChild("null");

This code, according to my original fiddle, returns an empty XML element. But why?

Cause

According to commenter Justin Mclean on bug report FLEX-33664, the following is the culprit (see last two tests in my fiddle which verify this):

var thisIsNotNull:XML = <root>null</root>;
if(thisIsNotNull == null){
    // always branches here, as (thisIsNotNull == null) strangely returns true
    // despite the fact that thisIsNotNull is a valid instance of type XML
}

When currentChild.appendChild is passed the string "null", it first converts it to a root XML element with text null, and then tests that element against the null literal. This is a weak equality test, so either the XML containing null is coerced to the null type, or the null type is coerced to a root xml element containing the string "null", and the test passes where it arguably should fail. One fix might be to always use strict equality tests when checking XML (or anything, really) for "nullness."

Solution

The only reasonable workaround I can think of, short of fixing this bug in every damn version of ActionScript, is to test fields for "null" and escape them as CDATA values.

CDATA values are the most appropriate way to mutate an entire text value that would otherwise cause encoding/decoding problems. Hex encoding, for instance, is meant for individual characters. CDATA values are preferred when you're escaping the entire text of an element. The biggest reason for this is that it maintains human readability.

Best Answer

Related Solutions

C# – How to add custom Http Header for C# Web Service Client consuming Axis 1.4 Web service

Actionscript – How to pass “Null” (a real surname!) to a SOAP web service in ActionScript 3

Tracking it down

Cause

Solution

Related Topic