Is there a server-agnostic way to implement BASIC authentication?

I am trying to add BASIC authentication to my RESTful web service. I currently have BASIC authentication for an Apache Tomcat 6.0 server, but I need to deploy my web service to WebSphere Application Server ver. 6.1, and there are problems with BASIC authentication on WebSphere.

Is there a way in Java to verify the HTTP request authentication headers and, if the provided username / password (Base64 encoded) does not match the known account, prompt the user to enter a new username / password?

I tried to implement Spring Security, but since my project was done completely without Spring, it was a huge pain trying to get it to work, and I'm trying to find a simple solution to my rather simple problem.

Technologies that I currently use include: Java, Jersey / JAX-RS, Eclipse with the Maven plugin.
+6

2 answers

You should be able to configure a servlet filter that runs before your REST handlers, checks the Authorization request header, base64-decodes it, extracts the username and password, and verifies them. Something like that:

    // Needs java.util.Base64, java.nio.charset.StandardCharsets and the javax.servlet imports.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            String authHeader = request.getHeader("Authorization"); // "Basic <base64 of user:pass>"
            String username = null, password = null;
            if (authHeader != null && authHeader.startsWith("Basic ")) {
                // Strip the scheme before decoding; the decoded form is "username:password".
                String decoded = new String(Base64.getDecoder().decode(authHeader.substring(6)),
                                            StandardCharsets.UTF_8);
                String[] creds = decoded.split(":", 2); // limit 2: the password may itself contain ':'
                if (creds.length == 2) {
                    username = creds[0];
                    password = creds[1];
                }
            }
            boolean authorized = false;
            // Verify the credentials here...
            if (authorized) {
                chain.doFilter(req, res);
            } else {
                // Respond 401 Authorization Required (with a WWW-Authenticate: Basic header).
            }
            return;
        }
        chain.doFilter(req, res); // not an HTTP request: pass it through untouched
    }

All servlet containers have a standard way to configure filter chains.

+9

Full implementation based on maerics' answer.

    import java.io.IOException;
    import java.nio.charset.StandardCharsets;
    import java.util.Base64;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class AuthenticationFilter implements Filter {

        private static final String AUTHORIZATION_HEADER_NAME = "Authorization";
        private static final String WWW_AUTHENTICATE_HEADER_NAME = "WWW-Authenticate";
        private static final String WWW_AUTHENTICATE_HEADER_VALUE = "Basic realm=\"Default realm\"";
        private static final String BASIC_AUTHENTICATION_PREFIX = "Basic ";
        private static final String USERNAME_PASSWORD_SEPARATOR = ":";

        public void init(FilterConfig arg0) throws ServletException {
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpRes = (HttpServletResponse) res;

            String authHeader = httpReq.getHeader(AUTHORIZATION_HEADER_NAME);
            // Only the Basic scheme is handled here; the scheme token is case-insensitive.
            if (authHeader == null || !authHeader.regionMatches(true, 0,
                    BASIC_AUTHENTICATION_PREFIX, 0, BASIC_AUTHENTICATION_PREFIX.length())) {
                this.requestAuthentication(httpRes);
                return;
            }

            String decoded;
            try {
                // java.util.Base64 (Java 8+) replaces sun.misc.BASE64Decoder, which is an
                // internal API and is missing from some vendor JDKs.
                byte[] raw = Base64.getDecoder().decode(
                        authHeader.substring(BASIC_AUTHENTICATION_PREFIX.length()).trim());
                decoded = new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                this.requestAuthentication(httpRes); // malformed base64
                return;
            }

            // Split on the first ':' only: the user-id cannot contain ':', but the password may,
            // so counting separators and requiring exactly one would reject valid passwords.
            int sep = decoded.indexOf(USERNAME_PASSWORD_SEPARATOR);
            if (sep < 0) {
                this.requestAuthentication(httpRes);
                return;
            }
            String username = decoded.substring(0, sep);
            String password = decoded.substring(sep + 1);

            if (!authenticatedUser(username, password)) {
                this.requestAuthentication(httpRes);
                return;
            }
            chain.doFilter(req, res);
        }

        // TODO: implement this method against your user store (compare password hashes, not plaintext).
        private boolean authenticatedUser(String username, String password) {
            return false;
        }

        private void requestAuthentication(HttpServletResponse httpRes) throws IOException {
            httpRes.setHeader(WWW_AUTHENTICATE_HEADER_NAME, WWW_AUTHENTICATE_HEADER_VALUE);
            // sendError commits the 401 so nothing downstream can write a 200 body afterwards.
            httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }

        public void destroy() {
        }
    }
+4
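Both answers above reduce to the same two steps: parse the Basic header, then either let the request through or answer 401 with a WWW-Authenticate challenge. The following is an added example, not code from either answer or from the question's project, that does the parsing strictly (case-insensitive scheme token, undecodable base64 rejected, only the first colon separating user-id from password as RFC 7617 requires) and compares the password in constant time. It assumes Java 8+ for java.util.Base64 (on the Java 5/6 runtimes of Tomcat 6 and WebSphere 6.1, commons-codec's Base64.decodeBase64 is the drop-in replacement), the Servlet 2.5 javax.servlet API, and a constructed in-memory user "alice" standing in for a real user store; the class name BasicAuthFilter and the realm name are made up here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Servlet filter enforcing HTTP Basic auth (added example; class and realm names are made up). */
public class BasicAuthFilter implements Filter {

    /** user-id / password pair recovered from an Authorization header. */
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) { this.username = username; this.password = password; }
    }

    private static final String SCHEME = "Basic ";

    /**
     * Strict parser: returns null for a missing header, a different scheme, undecodable
     * base64, or a decoded value without ':'. Only the first ':' separates user-id from
     * password (RFC 7617), so passwords containing ':' survive intact.
     */
    public static Credentials parseBasic(String header) {
        if (header == null) {
            return null;
        }
        String value = header.trim();
        // The scheme token is case-insensitive: "basic" is as valid as "Basic".
        if (!value.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(value.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64: treat as unauthenticated, never as a server error
        }
        String userPass = new String(raw, StandardCharsets.UTF_8);
        int sep = userPass.indexOf(':');
        if (sep < 0) {
            return null;
        }
        return new Credentials(userPass.substring(0, sep), userPass.substring(sep + 1));
    }

    /** Constant-time for equal lengths, so timing does not reveal how far a guess matched. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    // Constructed demo user store. A real deployment looks users up in the container's
    // registry or compares salted password hashes, never a plaintext map like this.
    private final Map<String, String> users = new HashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        users.put("alice", "s3cret:with:colons"); // constructed sample credential
    }

    boolean authenticate(Credentials creds) {
        if (creds == null) {
            return false;
        }
        String expected = users.get(creds.username);
        return expected != null && constantTimeEquals(creds.password, expected);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!authenticate(parseBasic(request.getHeader("Authorization")))) {
            // 401 plus WWW-Authenticate is what makes a browser prompt for new credentials.
            response.setHeader("WWW-Authenticate", "Basic realm=\"rest-api\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Exercises the parser on constructed headers; throws AssertionError if any expectation fails. */
    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        Credentials c = parseBasic(good);
        check(c != null && "alice".equals(c.username) && "s3cret:with:colons".equals(c.password),
              "colons inside the password must be preserved");
        check(parseBasic(good.replaceFirst("Basic", "basic")) != null, "scheme token is case-insensitive");
        check(parseBasic("Bearer abc") == null, "other schemes are rejected");
        check(parseBasic("Basic ####") == null, "invalid base64 is rejected");
        check(parseBasic("Basic " + Base64.getEncoder()
                .encodeToString("nocolon".getBytes(StandardCharsets.UTF_8))) == null, "missing ':' is rejected");
        System.out.println("all header checks passed");
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError(what);
        }
    }
}
```

Map it in web.xml with a <filter> and a <filter-mapping> whose url-pattern covers the Jersey servlet's path, and run main() to exercise the parser on the constructed headers. Basic auth only base64-encodes the password, it does not encrypt it, so the filter is only meaningful over TLS.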

Source: https://habr.com/ru/post/890617/
