Skip to main content

Basic HTTP Authentication for REST Web Service

Basic HTTP authentication solve following security problems.
  • Get username and password from http request
  • Fetch the applicable method security details
  • Verify if user is authorized to access the API
  • Return valid error codes in case of invalid access
In this tutorial, we show you how to develop a simple RESTfull web service application with HTTP basic authentication using Cuubez framwork.
Technologies and Tools used in this article:
  1. cuubez 1.1.1
  2. JDK 1.6
  3. Tomcat 6.0
  4. Maven 3.0.3
  5. Intellij IDEA 13.1.1
Note: If you want to know what and how REST works, just search on Google, ton of available resources.


1. Directory Structure

This is the final web project structure of this tutorial.


2. Standard Web Project

Create a standard Maven web project structure.

 mvn archetype:generate -DgroupId=com.cuubez -DartifactId=basic_authentication -DarchetypeArtifactId=maven-archetype-webapp -DinteractiveMode=false  
Note: To support IntelliJ IDEA, use Maven command :
mvn idea:idea


3. Project Dependencies

Cuubez is published in Maven repository. To develop cuubez REST application , just declares “cuubez-core” in Maven pom.xml.
File : pom.xml


 <dependency>  
   <groupId>com.cuubez</groupId>  
   <artifactId>cuubez-core</artifactId>  
   <version>1.1.1</version>  
  </dependency>  


4. REST Service

Simple REST service with basic HTTP authentication annotations.
  • @PermitAll: Specifies that all security roles are allowed to invoke the specified method(s)
  • @RolesAllowed: Specifies the list of roles permitted to access method(s)
  • @DenyAll: Specifies that no security roles are allowed to invoke the specified method(s)
 @Path("/users/{userId}")  
 @Produces(MediaType.APPLICATION_JSON)  
 public class UserResource {  
   private static Log log = LogFactory.getLog(UserResource.class);  
   @PermitAll  
   @GET  
   @Produces(MediaType.APPLICATION_JSON)  
   public Response userGet(@HeaderParam(value = "name") String name, @PathParam(value = "userId") String id, @QueryParam(value = "age") Double age) {  
     User user = new User(id, age, name);  
     return Response.ok().entity(user).build();  
   }  
   @RolesAllowed("ADMIN")  
   @Consumes(MediaType.APPLICATION_JSON)  
   @POST  
   public void userPost(User user) {  
     log.info("POST = [" + user + "]");  
   }  
   @DenyAll  
   @PUT  
   @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})  
   public void userPut(User user) {  
     log.info("PUT = [" + user + "]");  
   }  
 }  


5. Authentication filter

The security interceptor is build by implementing com.cuubez.core.Interceptor.RequestInterceptor interface. This interface has one method which need to implement.

 @Provider  
 public class AuthenticationFilter implements RequestInterceptor {  
   private final InterceptorResponseContext ACCESS_FORBIDDEN = new InterceptorResponseContext("No access", HttpServletResponse.SC_FORBIDDEN);  
   public InterceptorResponseContext process(InterceptorRequestContext interceptorRequestContext) {  
     if (interceptorRequestContext.isAnnotationContain(DenyAll.class)) {  
       return ACCESS_FORBIDDEN; //Return access denied to user  
     } else if (interceptorRequestContext.isAnnotationContain(PermitAll.class)) {  
       return null; //Return null to continue request processing  
     } else if (interceptorRequestContext.isAnnotationContain(RolesAllowed.class)) {  
       //get encoded user name and password  
       String encodedUserName = interceptorRequestContext.getHeader("userName");  
       String encodedPassword = interceptorRequestContext.getHeader("password");  
       //decode user name and password  
       String decodedUserName = new String(Base64.decodeBase64(encodedUserName.getBytes()));  
       String decodedPassword = new String(Base64.decodeBase64(encodedPassword.getBytes()));  
       //get allowed user roles  
       String[] allowedRoles = ((RolesAllowed) interceptorRequestContext.getAnnotation(RolesAllowed.class)).value();  
       //Access userAccessor to retrieve user details(UserAccessor is not providing by framework, developer need to implement it according their requirement)  
       UserAccessor userAccessor = new UserAccessor();  
       String role = userAccessor.getUserRole(decodedUserName, decodedPassword);  
       if(isAllow(allowedRoles, role)) {  
         return null;  
       } else {  
         return ACCESS_FORBIDDEN;  
       }  
     }  
     return null;  
   }  
   private boolean isAllow(final String[] allowedRoles, final String userRole) {  
     for (String allRole : allowedRoles) {  
       if (allRole.equals(userRole)) {  
         return true;  
       }  
     }  
     return false;  
   }  
 }  
This interceptor mechanism provide full flexibility to developer.


6. web.xml

The ContextLoaderListner context listener has to be deployed in order to create the registry for cuubez ,while the ServiceInitiator servlet is used so that incoming requests are correctly routed to the appropriate services. We have configured the specific servlet, named “cuubez”, to intercept requests under the “/rest/” path.
File : web.xml

 <web-app>  
  <display-name>Employee Example</display-name>  
   <listener>  
     <listener-class>com.cuubez.core.servlet.BootstrapContextListener</listener-class>  
   </listener>  
   <servlet-mapping>  
    <servlet-name>init</servlet-name>  
    <url-pattern>/rest/*</url-pattern>  
   </servlet-mapping>  
   <servlet>  
    <servlet-name>init</servlet-name>  
    <servlet-class>com.cuubez.core.servlet.HttpServletDispatcher</servlet-class>  
   </servlet>  
 </web-app>  


7. Demo

In this example, web request from “projectURL/rest/users/{userId}” will match to “UserResource“, via @Path("/users/{userId}").

1. GET request

(GET resource annotated by @PermitAll annotation. Specifies that all security roles are allowed to invoke the specified method(s))

2. POST request

(POST request annotated by @RolesAllowed annotation. ADMIN role permitted to access method(s))
  • Forbidden request (Wrong encoded(Base64) user name and password passed as a header variables)
  • Successful request (Correct encoded(Base64) user name and password passed as a header variables)

3. PUT request

(PUT resource annotated by @DenyAll annotation. Specifies that no security roles are allowed to invoke the specified method(s))


8. Download

Download Basic Authentication Sample Application - Basic-Authentication.zip

Comments

Popular posts from this blog

How to enable proxy service security in ESB 4.9.0?

Security is  one of the major concern when we developing API base integrations or application developments. WSO2 supports WS Security , WS-Policy and WS-Security Policy specifications. These specifications define a behavior model for web services. Proxy service security requirements are different from each others. WSO2 ESB providing pre-define commonly used twenty security scenarios to choose based on the security requirements. This functionality is provided by the security management feature which is bundled by default in service management feature in ESB. This configuration can be done via the web console until ESB 4.8.1 release, but this has been removed from the ESB 4.9.0. Even though this feature isn't provided by the ESB web console itself same functionality can be achieved by the new WSO2 Dev Studio . WSO2 always motivate to use dev studio to prepare required artifacts to the ESB rather than the web console. Better way to explain this scenario is by example. Following...

How to preserving HTTP headers in WSO2 ESB 4.9.0 ?

Preserving HTTP headers are important when executing backend services via applications/middleware. This is because most of the time certain important headers are removed or modified by the applications/middleware which run the communication. The previous version of our WSO2 ESB, version 4.8.1, only supported “ server ” and “ user agent ” header fields to preserve with, but with the new ESB 4.9.0, we’ve introduced a new new property ( http.headers.preserve ) for the passthru ( repository/conf/ passthru-http.properties ) and Nhttp( repository/conf/ nhttp.properties ) transporters to preserve more HTTP headers. Passthru transporter – support header fields               Location Keep-Alive Content-Length Content-Type Date Server User-Agent Host Nhttp transport – support headers Server User-Agent Date You can specify header fields which should be preserved in a comma-separated list, as shown below. http.headers.p...

How SSL Tunneling working in the WSO2 ESB

This blog post assumes that the user who reads has some basic understanding of SSL tunneling and the basic message flow of the ESB. If you are not familiar with the concepts of the SSL tunneling you can refer my previous blog post about the SSL tunneling and you can get detail idea about the message flow from this article . I will give brief introduction about the targetHandler for understand concepts easily. As you may already know TargetHandler(TH) is responsible for handling requests and responses for the backend side. It is maintaining status (REQUEST_READY, RESPONSE_READY .. ,etc) based on the events which fired by the IOReactor and executing relevant methods. As the example if a response which is coming from the backend side hits to the ESB, IOReactor fire the responseRecived method in the targetHandler side. Followings are the basic methods contain in the target handler and their responsibilities. Connect: -  This is executed when new outgoing connection needed. ...