Using the GlassFish Realm Security to Authenticate the HTTP Client Credentials (Using the HTTP Binding Component)

Using the HTTP Binding Component

Using the GlassFish Realm Security to Authenticate the HTTP Client Credentials

The HTTP Binding Component can integrate with GlassFish Application Server, out of the box, to provide authentication of requesting clients by authenticating the client against the credentials in a "realm". To take advantage of this security feature, the HTTP/SOAP Binding Component's consuming endpoint needs to be properly configured in the WSDL.

To configure an HTTP/SOAP endpoint to use Realm security configure the PolicyReference element which belongs in the namespace, http://schemas.xmlsoap.org/ws/2004/09/policy. The PolicyReference identifies the Policy, which also belongs in the namespace, http://schemas.xmlsoap.org/ws/2004/09/policy, that provides the details for configuring Realm security.

This is an example of an endpoint with an associated PolicyReference element.

<port name="SoapBasicAuthPortRealm" binding="tns:SoapBasicAuthRealmBinding">
    <soap:address location="http://localhost:12081/SoapBasicAuthService
/SoapBasicAuthRealmPort"/>
    <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingRealmPolicy"/>
</port>

The PolicyReference element contains an attribute called URI. The value of the URI consists of a '#' character followed by the name of the policy defined somewhere else in the WSDL. Taking this example further, the example below defines the Policy that the PolicyReference references. In the following example, ignore the UsernameToken. This is used by the "outbound" endpoint for sending the username/password credential when it sends a request. You don't need to have this element for "inbound" (consuming) endpoints, but it's included here to illustrate the bi-directionality of an endpoint.

<wsp:Policy wsu:Id="HttpBasicAuthBindingBindingRealmPolicy">
    <mysp:MustSupportBasicAuthentication on="true">
        <mysp:BasicAuthenticationDetail>
           <mysp:Realm realmName="file" />
        </mysp:BasicAuthenticationDetail>
    </mysp:MustSupportBasicAuthentication>
    <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005
/07/securitypolicy/IncludeToken/AlwaysToRecipient">
       <wsp:Policy>
            <sp:WssUsernameToken10>wilma</sp:WssUsernameToken10>
            <sp:WssPassword>pebbles</sp:WssPassword>
       </wsp:Policy>
    </mysp:UsernameToken>
 </wsp:Policy>

Note –

The code above has been wrapped for display purposes

The PolicyReference and Policy elements are used above simply to ensure that we adhere to the standard for SOAP binding. There are no Tango WS-Policy Attachments involved and the WS-Policy Attachment "runtime" will ignore the child element MustSupportBasicAuthentication which is specific to the HTTP Soap BC. MustSupportBasicAuthentication is in the namespace, http://sun.com/ws/httpbc/security/BasicauthSecurityPolicy.

For example, your GlassFish installation comes with a preconfigured file realm which is essentially a file-based user database. See the GlassFish documentation on Realm security, or for a demonstration of how Realm security is configured for a SOAP endpoint see Securing Communication using GlassFish Realm Security.