HTTP Basic Authentication with Apache CXF Revisited

I receive a lot of traffic to my post about HTTP Basic Authentication in Apache CXF. I decided to do a follow-up to that post to address some of the comments.

I have never tried to use this with Mule but if someone has, please let me know so I can update this post.

I have uploaded the Java code for the BasicAuthAuthorizationInterceptor class. There are a few changes over the original version. This one includes a Map of authorized users and their corresponding passwords. I believe the original example I created was for Apache CXF 2.0. This version works with Apache CXF 2.1.1.

In the original post, I also did not include a sample of how to use this code in a real application. The following section shows a sample of how to define the security interceptor and enable it on a simple endpoint.


<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:jaxws="http://cxf.apache.org/jaxws"
    xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
    
    <bean id="securityInterceptor" class="BasicAuthAuthorizationInterceptor">
      <property name="users"> 
        <map>
          <entry key="username" value="password"/>
        </map>
      </property>
    </bean>

    <bean id="service" class="sample.Service"/>
    
    <jaxws:endpoint
      id="serviceEndpoint" 
      implementor="#service"
      address="${services.url}/Service">
      <jaxws:inInterceptors>
        <ref bean="securityInterceptor"/>
      </jaxws:inInterceptors>
    </jaxws:endpoint>
</beans>
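
The credential check that an interceptor configured this way has to perform on the incoming Authorization header, as an added example (it is not the BasicAuthAuthorizationInterceptor source and not code from the original post). The names BasicAuthCheck, isAuthorized and basic are hypothetical, java.util.Base64 assumes Java 8 or later, and the sample headers are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;

// Added example; BasicAuthCheck and isAuthorized are hypothetical names.
public class BasicAuthCheck {

    /** True only when the Authorization header value holds a user/password pair found in users. */
    static boolean isAuthorized(String header, Map<String, String> users) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false; // header missing, or a scheme other than Basic
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false; // credentials were not valid base64: reject instead of throwing
        }
        int colon = decoded.indexOf(':'); // split on the first colon; passwords may contain ':'
        if (colon < 0) {
            return false;
        }
        String expected = users.get(decoded.substring(0, colon));
        byte[] supplied = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Compare even for an unknown user, and use MessageDigest.isEqual rather than
        // String.equals, so the check does not stop at the first differing character.
        byte[] wanted = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(supplied, wanted) && expected != null;
    }

    static String basic(String user, String password) { // builds a constructed sample header
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    public static void main(String[] args) {
        // Same single entry as the <map> in the Spring configuration above.
        Map<String, String> users = Collections.singletonMap("username", "password");
        System.out.println("valid:      " + isAuthorized(basic("username", "password"), users));
        System.out.println("wrong pass: " + isAuthorized(basic("username", "guess"), users));
        System.out.println("unknown:    " + isAuthorized(basic("nobody", ""), users));
        System.out.println("not base64: " + isAuthorized("Basic %%%not-base64%%%", users));
        System.out.println("no header:  " + isAuthorized(null, users));
    }
}
```

An interceptor would pass the request's Authorization header value to this check and answer with a 401 response when it returns false.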

7 thoughts on “HTTP Basic Authentication with Apache CXF Revisited”

  1. Hello Chris,
    The interceptor works like a breeze.
    Thanks for that.
    I was wondering if you had sample client code to share that calls the web service interceptor with the required parameters?

    Thanks,

  2. I do not actually call this service using CXF. Another application consumes this web service. I do make use of it in unit tests though. Here is a snippet of what you need to do basic authentication with CXF on the client side:

    BindingProvider port = (BindingProvider) service.getPort(clas);
    port.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "user");
    port.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "password");

  3. Hello,

    Everything works OK, if the supplied username/password are correct. But when they are incorrect, I get

    org.apache.cxf.binding.soap.SoapFault: Error reading XMLStreamReader.
    .....
    Caused by: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog
    at [row,col {unknown-source}]: [1,0]
    at com.ctc.wstx.sr.StreamScanner.throwUnexpectedEOF(StreamScanner.java:686)
    at com.ctc.wstx.sr.BasicStreamReader.handleEOF(BasicStreamReader.java:2134)
    at com.ctc.wstx.sr.BasicStreamReader.nextFromProlog(BasicStreamReader.java:2040)
    at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1069)
    at com.ctc.wstx.sr.BasicStreamReader.nextTag(BasicStreamReader.java:1095)
    at org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMessage(ReadHeadersInterceptor.java:85)

  4. You will get an exception if the credentials are not base64 encoded as well. I wonder if that’s what you are seeing.

  5. Could it be that the exception above is being caused by the client that tries to parse the response as a SOAP response? Clearly, an “HTTP/1.1 401 Unauthorized…” will not be parsed as XML.

  6. There is a minor bug in this code: you should replace “Content-Length” with “Content-length”, otherwise you will get the error above reported by Uri.

  7. What is the context of the following code?

    BindingProvider port = (BindingProvider) service.getPort(clas);
    port.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "user");
    port.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "password");

    I haven’t been able to find where to put this.
    What is “service” and what is “clas”?

    Thanks!
