Skip to main content

Basic HTTP Authentication for REST Web Service

Basic HTTP authentication solve following security problems.
  • Get username and password from http request
  • Fetch the applicable method security details
  • Verify if user is authorized to access the API
  • Return valid error codes in case of invalid access
In this tutorial, we show you how to develop a simple RESTfull web service application with HTTP basic authentication using Cuubez framwork.
Technologies and Tools used in this article:
  1. cuubez 1.1.1
  2. JDK 1.6
  3. Tomcat 6.0
  4. Maven 3.0.3
  5. Intellij IDEA 13.1.1
Note: If you want to know what and how REST works, just search on Google, ton of available resources.


1. Directory Structure

This is the final web project structure of this tutorial.


2. Standard Web Project

Create a standard Maven web project structure.

 mvn archetype:generate -DgroupId=com.cuubez -DartifactId=basic_authentication -DarchetypeArtifactId=maven-archetype-webapp -DinteractiveMode=false
Note: To support IntelliJ IDEA, use Maven command :
mvn idea:idea


3. Project Dependencies

Cuubez is published in Maven repository. To develop cuubez REST application , just declares “cuubez-core” in Maven pom.xml.
File : pom.xml


 <dependency>  
   <groupId>com.cuubez</groupId>  
   <artifactId>cuubez-core</artifactId>  
   <version>1.1.1</version>  
  </dependency>


4. REST Service

Simple REST service with basic HTTP authentication annotations.
  • @PermitAll: Specifies that all security roles are allowed to invoke the specified method(s)
  • @RolesAllowed: Specifies the list of roles permitted to access method(s)
  • @DenyAll: Specifies that no security roles are allowed to invoke the specified method(s)
 @Path("/users/{userId}")  
 @Produces(MediaType.APPLICATION_JSON)  
 public class UserResource {  
   private static Log log = LogFactory.getLog(UserResource.class);  
   @PermitAll  
   @GET  
   @Produces(MediaType.APPLICATION_JSON)  
   public Response userGet(@HeaderParam(value = "name") String name, @PathParam(value = "userId") String id, @QueryParam(value = "age") Double age) {  
     User user = new User(id, age, name);  
     return Response.ok().entity(user).build();  
   }  
   @RolesAllowed("ADMIN")  
   @Consumes(MediaType.APPLICATION_JSON)  
   @POST  
   public void userPost(User user) {  
     log.info("POST = [" + user + "]");  
   }  
   @DenyAll  
   @PUT  
   @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})  
   public void userPut(User user) {  
     log.info("PUT = [" + user + "]");  
   }  
 }


5. Authentication filter

The security interceptor is build by implementing com.cuubez.core.Interceptor.RequestInterceptor interface. This interface has one method which need to implement.

 @Provider  
 public class AuthenticationFilter implements RequestInterceptor {  
   private final InterceptorResponseContext ACCESS_FORBIDDEN = new InterceptorResponseContext("No access", HttpServletResponse.SC_FORBIDDEN);  
   public InterceptorResponseContext process(InterceptorRequestContext interceptorRequestContext) {  
     if (interceptorRequestContext.isAnnotationContain(DenyAll.class)) {  
       return ACCESS_FORBIDDEN; //Return access denied to user  
     } else if (interceptorRequestContext.isAnnotationContain(PermitAll.class)) {  
       return null; //Return null to continue request processing  
     } else if (interceptorRequestContext.isAnnotationContain(RolesAllowed.class)) {  
       //get encoded user name and password  
       String encodedUserName = interceptorRequestContext.getHeader("userName");  
       String encodedPassword = interceptorRequestContext.getHeader("password");  
       //decode user name and password  
       String decodedUserName = new String(Base64.decodeBase64(encodedUserName.getBytes()));  
       String decodedPassword = new String(Base64.decodeBase64(encodedPassword.getBytes()));  
       //get allowed user roles  
       String[] allowedRoles = ((RolesAllowed) interceptorRequestContext.getAnnotation(RolesAllowed.class)).value();  
       //Access userAccessor to retrieve user details(UserAccessor is not providing by framework, developer need to implement it according their requirement)  
       UserAccessor userAccessor = new UserAccessor();  
       String role = userAccessor.getUserRole(decodedUserName, decodedPassword);  
       if(isAllow(allowedRoles, role)) {  
         return null;  
       } else {  
         return ACCESS_FORBIDDEN;  
       }  
     }  
     return null;  
   }  
   private boolean isAllow(final String[] allowedRoles, final String userRole) {  
     for (String allRole : allowedRoles) {  
       if (allRole.equals(userRole)) {  
         return true;  
       }  
     }  
     return false;  
   }  
 }
This interceptor mechanism provide full flexibility to developer.


6. web.xml

The ContextLoaderListner context listener has to be deployed in order to create the registry for cuubez ,while the ServiceInitiator servlet is used so that incoming requests are correctly routed to the appropriate services. We have configured the specific servlet, named “cuubez”, to intercept requests under the “/rest/” path.
File : web.xml

 <web-app>  
  <display-name>Employee Example</display-name>  
   <listener>  
     <listener-class>com.cuubez.core.servlet.BootstrapContextListener</listener-class>  
   </listener>  
   <servlet-mapping>  
    <servlet-name>init</servlet-name>  
    <url-pattern>/rest/*</url-pattern>  
   </servlet-mapping>  
   <servlet>  
    <servlet-name>init</servlet-name>  
    <servlet-class>com.cuubez.core.servlet.HttpServletDispatcher</servlet-class>  
   </servlet>  
 </web-app>


7. Demo

In this example, web request from “projectURL/rest/users/{userId}” will match to “UserResource“, via @Path("/users/{userId}").

1. GET request

(GET resource annotated by @PermitAll annotation. Specifies that all security roles are allowed to invoke the specified method(s))

2. POST request

(POST request annotated by @RolesAllowed annotation. ADMIN role permitted to access method(s))
  • Forbidden request (Wrong encoded(Base64) user name and password passed as a header variables)
  • Successful request (Correct encoded(Base64) user name and password passed as a header variables)

3. PUT request

(PUT resource annotated by @DenyAll annotation. Specifies that no security roles are allowed to invoke the specified method(s))


8. Download

Download Basic Authentication Sample Application - Basic-Authentication.zip

Labels:

Comments

Post a Comment

Popular posts from this blog

How to enable proxy service security in ESB 4.9.0?

Security is  one of the major concern when we developing API base integrations or application developments. WSO2 supports WS Security , WS-Policy and WS-Security Policy specifications. These specifications define a behavior model for web services. Proxy service security requirements are different from each others. WSO2 ESB providing pre-define commonly used twenty security scenarios to choose based on the security requirements. This functionality is provided by the security management feature which is bundled by default in service management feature in ESB. This configuration can be done via the web console until ESB 4.8.1 release, but this has been removed from the ESB 4.9.0. Even though this feature isn't provided by the ESB web console itself same functionality can be achieved by the new WSO2 Dev Studio . WSO2 always motivate to use dev studio to prepare required artifacts to the ESB rather than the web console. Better way to explain this scenario is by example. Following...
3 comments
Read more

How to preserving HTTP headers in WSO2 ESB 4.9.0 ?

Preserving HTTP headers are important when executing backend services via applications/middleware. This is because most of the time certain important headers are removed or modified by the applications/middleware which run the communication. The previous version of our WSO2 ESB, version 4.8.1, only supported “ server ” and “ user agent ” header fields to preserve with, but with the new ESB 4.9.0, we’ve introduced a new new property ( http.headers.preserve ) for the passthru ( repository/conf/ passthru-http.properties ) and Nhttp( repository/conf/ nhttp.properties ) transporters to preserve more HTTP headers. Passthru transporter – support header fields               Location Keep-Alive Content-Length Content-Type Date Server User-Agent Host Nhttp transport – support headers Server User-Agent Date You can specify header fields which should be preserved in a comma-separated list, as shown below. http.headers.p...
Post a Comment
Read more

How to write a Synapse Handler for the WSO2 ESB ?

Synapse handler is new feature which come with the ESB 4.9.0. It provide abstract handler implementation to the users. User can create their own concrete handlers which is executing in the synapse layer. Main intention of this blog post is to explain how to write synapse handler and explain basic theoretical background. 1. What is the handler? Handlers are basically talking with the chain of responsibility pattern. Chain of responsibility allows a number of classes to attempt to handle a request independently of any other object along the chain. Once the request is handled, it completes it's journey through the chain. The Handler defines the interface which required to handle the request and concreteHandlers handle request in a specific manner that they are responsible for. 2. What is Synapse handler? Synapse handler is providing abstract handle implementation which executes in the following four scenarios. 1. Request in flow This is exe...
Post a Comment
Read more