The JDK 6 uses the
Lightweight HttpServer API and
Lightweight HttpServer SPI. The
com.sun.net.httpserver.HttpServer also comes in a SSL version
com.sun.net.httpserver.HttpsServer so it is possible to secure the transport layer to protect the information being exchanged from prying eyes. The server gives you access to the
com.sun.net.httpserver.HttpContext. On the HttpContext you can set an
com.sun.net.httpserver.Authenticator. The JDK 6 also includes a
com.sun.net.httpserver.BasicAuthenticator which can be used for
HTTP Basic Authentication (user,password,realm) that you can extend to check your own user database. Once a user is successfully authenticated you can create a
com.sun.net.httpserver.HttpPrincipal which you return inside a
com.sun.net.httpserver.Authenticator.Success instance. Hopefully that will set up the retrieval of the principal in the web service implementation. Inside the web service implementation inject the
javax.xml.ws.WebServiceContext (see
A little bit about Message Context in JAX-WS) and use
getUserPrincipal() to retrieve the principal.
Now there is one real problem with all of the above - all the security measures are HTTP based. Web service security measures are supposed to be XML and
SOAP based. The JAX-WS RI doesn't support WS-Security out of the box and needs at least the
XWSS, possibly even the
WSIT extension which I doubt will work on the Lightweight HttpServer - you'll probably have to go with a container like
Tomcat or better.
