Basic HTTP Authentication Sample Application

Basic HTTP authentication, as implemented in this sample, covers the following security tasks:

  • Get the username and password from the HTTP request
  • Fetch the security details that apply to the requested method
  • Verify that the user is authorized to access the API
  • Return the proper error code when access is not allowed

In this tutorial, we show you how to develop a simple RESTful web service application with HTTP basic authentication using the Cuubez framework.

Technologies and Tools used in this article:

  1. cuubez 1.1.0
  2. JDK 1.6
  3. Tomcat 6.0
  4. Maven 3.0.3
  5. Intellij IDEA 13.1.1

Note: If you want to know what REST is and how it works, a quick web search will turn up plenty of resources.

1. Directory Structure

This is the final web project structure of this tutorial.

2. Standard Web Project

Create a standard Maven web project structure.

mvn archetype:generate -DgroupId=com.cuubez -DartifactId=basic_authentication -DarchetypeArtifactId=maven-archetype-webapp -DinteractiveMode=false

Note: To import the project into IntelliJ IDEA, use the Maven command:

mvn idea:idea

3. Project Dependencies

Cuubez is published in the Maven central repository. To develop a cuubez REST application, just declare “cuubez-core” in the Maven pom.xml.

File : pom.xml

<dependency>
   <groupId>com.cuubez</groupId>
   <artifactId>cuubez-core</artifactId>
   <version>1.1.1</version>
</dependency>

4. REST Service

A simple REST service with the standard security annotations that the authentication filter (next section) interprets:

  • @PermitAll: Specifies that all security roles are allowed to invoke the annotated method(s)
  • @RolesAllowed: Specifies the list of roles permitted to access the annotated method(s)
  • @DenyAll: Specifies that no security role is allowed to invoke the annotated method(s)

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

// JAX-RS annotations as used by cuubez; User is the application's own model class (not shown here).
@Path("/users/{userId}")
@Produces(MediaType.APPLICATION_JSON)
public class UserResource {

    private static Log log = LogFactory.getLog(UserResource.class);

    // Anyone may read a user: the filter lets @PermitAll methods through without credentials.
    @PermitAll
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response userGet(@HeaderParam(value = "name") String name,
                            @PathParam(value = "userId") String id,
                            @QueryParam(value = "age") Double age) {
        User user = new User(id, age, name);
        return Response.ok().entity(user).build();
    }

    // Only callers the filter resolves to the ADMIN role may create users.
    @RolesAllowed("ADMIN")
    @Consumes(MediaType.APPLICATION_JSON)
    @POST
    public void userPost(User user) {
        log.info("POST = [" + user + "]");
    }

    // Nobody may call PUT: the filter answers 403 before this method runs.
    @DenyAll
    @PUT
    @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
    public void userPut(User user) {
        log.info("PUT = [" + user + "]");
    }
}

5. Authentication filter

The security interceptor is built by implementing the com.cuubez.core.Interceptor.RequestInterceptor interface, which has a single method to implement.

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Base64;

import com.cuubez.core.Interceptor.RequestInterceptor;
// InterceptorRequestContext, InterceptorResponseContext and @Provider are framework types;
// they are assumed to live alongside RequestInterceptor in the cuubez interceptor package.

@Provider
public class AuthenticationFilter implements RequestInterceptor {

    private final InterceptorResponseContext ACCESS_FORBIDDEN =
            new InterceptorResponseContext("No access", HttpServletResponse.SC_FORBIDDEN);

    public InterceptorResponseContext process(InterceptorRequestContext interceptorRequestContext) {

        if (interceptorRequestContext.isAnnotationContain(DenyAll.class)) {

            return ACCESS_FORBIDDEN; // Return access denied to user

        } else if (interceptorRequestContext.isAnnotationContain(PermitAll.class)) {

            return null; // Return null to continue request processing

        } else if (interceptorRequestContext.isAnnotationContain(RolesAllowed.class)) {

            // get encoded user name and password
            String encodedUserName = interceptorRequestContext.getHeader("userName");
            String encodedPassword = interceptorRequestContext.getHeader("password");

            // a request without credentials is rejected instead of failing with a NullPointerException
            if (encodedUserName == null || encodedPassword == null) {
                return ACCESS_FORBIDDEN;
            }

            // decode user name and password (Base64 is an encoding, not encryption: anyone on the
            // network path can read these headers, so the service should only be exposed over TLS)
            String decodedUserName = new String(Base64.decodeBase64(encodedUserName.getBytes()));
            String decodedPassword = new String(Base64.decodeBase64(encodedPassword.getBytes()));

            // get allowed user roles
            String[] allowedRoles = ((RolesAllowed) interceptorRequestContext.getAnnotation(RolesAllowed.class)).value();

            // Access UserAccessor to retrieve user details (UserAccessor is not provided by the framework;
            // the developer needs to implement it according to their requirements)
            UserAccessor userAccessor = new UserAccessor();
            String role = userAccessor.getUserRole(decodedUserName, decodedPassword);

            if (isAllow(allowedRoles, role)) {
                return null;
            } else {
                return ACCESS_FORBIDDEN;
            }

        }

        // A method carrying none of the three annotations falls through to here and is allowed.
        // This default is fail-open, so every resource method should be annotated explicitly.
        return null;

    }

    private boolean isAllow(final String[] allowedRoles, final String userRole) {

        for (String allRole : allowedRoles) {

            if (allRole.equals(userRole)) {
                return true;
            }
        }

        return false;
    }
}

This interceptor mechanism gives the developer full control over how credentials are checked and how roles are resolved.
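The filter above delegates the actual credential check to a UserAccessor that the developer has to supply. The class below is an added example of such an accessor, not code from the article or the cuubez framework; it assumes only the getUserRole(String, String) signature the filter calls, keeps a constructed in-memory user table (the usernames, passwords and roles are sample values), stores nothing but salted PBKDF2 hashes, and compares them in constant time.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical UserAccessor matching the call made by AuthenticationFilter above.
public class UserAccessor {
    private static final int ITERATIONS = 20000;
    private static final int KEY_BITS = 256;
    // One stored credential: random salt, PBKDF2 hash of the password, assigned role.
    private static final class Credential {
        final byte[] salt; final byte[] hash; final String role;
        Credential(byte[] salt, byte[] hash, String role) { this.salt = salt; this.hash = hash; this.role = role; }
    }
    // Constructed in-memory store; a real deployment would load these from a database.
    private static final Map<String, Credential> USERS = new HashMap<String, Credential>();
    static {
        register("admin", "admin-secret", "ADMIN");
        register("bob", "bob-secret", "USER");
    }

    private static void register(String name, String password, String role) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(name, new Credential(salt, pbkdf2(password, salt), role));
    }

    private static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    // Returns the role the filter compares against @RolesAllowed, or null for a bad login.
    public String getUserRole(String userName, String password) {
        Credential stored = (userName == null || password == null) ? null : USERS.get(userName);
        // Hash against a dummy salt for unknown users too, so timing does not reveal valid names.
        byte[] candidate = pbkdf2(password == null ? "" : password, stored != null ? stored.salt : new byte[16]);
        if (stored == null || !MessageDigest.isEqual(candidate, stored.hash)) {
            return null;
        }
        return stored.role;
    }
}
```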

6. web.xml

The BootstrapContextListener context listener has to be deployed in order to create the registry for cuubez, while the HttpServletDispatcher servlet is used so that incoming requests are correctly routed to the appropriate services. In the web.xml below the servlet, named “init”, is configured to intercept requests under the “/rest/” path.

File : web.xml

<web-app>
    <display-name>Employee Example</display-name>
    <listener>
        <listener-class>com.cuubez.core.servlet.BootstrapContextListener</listener-class>
    </listener>
    <servlet-mapping>
        <servlet-name>init</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>init</servlet-name>
        <servlet-class>com.cuubez.core.servlet.HttpServletDispatcher</servlet-class>
    </servlet>
</web-app>

7. Demo

In this example, a web request to “projectURL/rest/users/{userId}” is matched to “UserResource” via @Path("/users/{userId}").

1. GET request

(GET resource annotated with @PermitAll: all security roles are allowed to invoke the method.)

2. POST request

(POST resource annotated with @RolesAllowed: only the ADMIN role is permitted to access the method.)

  • Forbidden request (wrong Base64-encoded user name and password passed as header values)

  • Successful request (correct Base64-encoded user name and password passed as header values)

3. PUT request

(PUT resource annotated with @DenyAll: no security role is allowed to invoke the method.)

8. Download

Download the Basic Authentication sample application: Basic-Authentication.zip
