Thursday, September 21, 2006

Accessing User Principal in a Web Service

WS-Security provides a standard way to secure Web Services. Because it is based on SOAP, it is agnostic of the stack you are using. When you use a JAX-RPC implementation, you are running in a J2EE container. In this post I give a tip for accessing the Principal object.

I have a service, and I need to access some user information in its implementation class (org.tug.ws.sample.SimpleServiceImpl). This service is secured with WS-Security, for example with simple authentication. The following screenshot shows the inbound security configuration in OracleAS 10gR3:

[Screenshot: em-ws-sec-001]


So the service is secured. Here is the code that you have to add to your service implementation (or handlers) to access the Principal object.

  1. Implement javax.xml.rpc.server.ServiceLifecycle
  2. Implement the init(Object context) method to access the ServletEndpointContext, which you can, for example, store as a member of your implementation class.
        // The container passes in the endpoint context when it initializes the service
        public void init(Object context) {
            _servletContext = (ServletEndpointContext)context;
        }
  3. Then you can access the principal object using the getUserPrincipal() method:
            ...
            // Handle the case where no principal is available
            Principal userPrincipal = _servletContext.getUserPrincipal();
            if (userPrincipal != null) {
                ...
            }
            ...
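
The three steps above put together in one class, as an added example that is not code from the original post. The method whoAmI(), the role name "sample-user" and the field name endpointContext are assumptions made for illustration; the class rejects the call when no principal is available instead of silently continuing.

```java
package org.tug.ws.sample;

import java.security.Principal;
import javax.xml.rpc.ServiceException;
import javax.xml.rpc.server.ServiceLifecycle;
import javax.xml.rpc.server.ServletEndpointContext;

public class SimpleServiceImpl implements ServiceLifecycle {

    // Hypothetical role name; it must match a role declared for the web module.
    private static final String REQUIRED_ROLE = "sample-user";

    // Set once in init(); the principal itself is looked up on each call.
    private ServletEndpointContext endpointContext;

    // Step 2: the JAX-RPC runtime hands over the endpoint context at initialization.
    public void init(Object context) throws ServiceException {
        if (!(context instanceof ServletEndpointContext)) {
            throw new ServiceException("Expected a ServletEndpointContext");
        }
        endpointContext = (ServletEndpointContext) context;
    }

    public void destroy() {
        endpointContext = null;
    }

    // Hypothetical business method: returns the authenticated caller's name.
    public String whoAmI() {
        // Step 3: read the principal inside the call. Do not cache it in a
        // field, because one endpoint instance can serve different callers.
        Principal caller = endpointContext.getUserPrincipal();
        if (caller == null) {
            // No authenticated identity reached the endpoint: fail closed.
            throw new SecurityException("No authenticated caller");
        }
        // Identity alone is not authorization; check the role as well.
        if (!endpointContext.isUserInRole(REQUIRED_ROLE)) {
            throw new SecurityException("Caller lacks role " + REQUIRED_ROLE);
        }
        return caller.getName();
    }
}
```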
     
You can find more information about security in J2EE 1.4 Web Services in the Designing Web Services with the J2EE 1.4 Platform tutorial.
Update on Wednesday, October 4th: Frank Nimphius has used this entry to create a more detailed article about End to End Security with Web Services Security.
