Application Authentication with JAX-WS

One of the common way to handle authentication in JAX-WS is client provides “username” and “password”, attached it in SOAP request header and send to server, server parse the SOAP document and retrieve the provided “username” and “password” from request header and do validation from database, or whatever method prefer.

In this article, we show you how to implement the above “application level authentication in JAX-WS“.


On the web service client site, just put your “username” and “password” into request header.

    Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
    req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);
    Map<String, List<String>> headers = new HashMap<String, List<String>>();
    headers.put("Username", Collections.singletonList("mkyong"));
    headers.put("Password", Collections.singletonList("password"));
    req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

On the web service server site, get the request header parameters via WebServiceContext.

    WebServiceContext wsctx;
    public String method() {
        MessageContext mctx = wsctx.getMessageContext();
	//get detail from request headers
        Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        List userList = (List) http_headers.get("Username");
        List passList = (List) http_headers.get("Password");

That’s all, now, your deployed JAX-WS is supported application level authentication.

Authentication with JAX-WS Example

See a complete example.

1. WebService Server

Create a simple JAX-WS hello world example to handle the authentication in application level.

File :

import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.jws.soap.SOAPBinding;
import javax.jws.soap.SOAPBinding.Style;
//Service Endpoint Interface
@SOAPBinding(style = Style.RPC)
public interface HelloWorld{
	@WebMethod String getHelloWorldAsString();

import java.util.List;
import java.util.Map;
import javax.annotation.Resource;
import javax.jws.WebService;
//Service Implementation Bean
@WebService(endpointInterface = "")
public class HelloWorldImpl implements HelloWorld{
    WebServiceContext wsctx;
    public String getHelloWorldAsString() {
	MessageContext mctx = wsctx.getMessageContext();
	//get detail from request headers
        Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        List userList = (List) http_headers.get("Username");
        List passList = (List) http_headers.get("Password");
        String username = "";
        String password = "";
        	//get username
        	username = userList.get(0).toString();
        	//get password
        	password = passList.get(0).toString();
        //Should validate username and password with database
        if (username.equals("mkyong") && password.equals("password")){
        	return "Hello World JAX-WS - Valid User!";
        	return "Unknown User!";

2. EndPoint Publisher

Create an endpoint publisher to deploy above web service at this URL : “http://localhost:9999/ws/hello

File :

package com.mkyong.endpoint;
//Endpoint publisher
public class HelloWorldPublisher{
    public static void main(String[] args) {
	   Endpoint.publish("http://localhost:9999/ws/hello", new HelloWorldImpl());

3. WebService Client

Create a web service client to send “username” and “password” for authentication.

File :

package com.mkyong.client;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
public class HelloWorldClient{
	private static final String WS_URL = "http://localhost:9999/ws/hello?wsdl";
	public static void main(String[] args) throws Exception {
	URL url = new URL(WS_URL);
        QName qname = new QName("", "HelloWorldImplService");
        Service service = Service.create(url, qname);
        HelloWorld hello = service.getPort(HelloWorld.class);
        /*******************UserName & Password ******************************/
        Map<String, Object> req_ctx = ((BindingProvider)hello).getRequestContext();
        req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);
        Map<String, List<String>> headers = new HashMap<String, List<String>>();
        headers.put("Username", Collections.singletonList("mkyong"));
        headers.put("Password", Collections.singletonList("password"));
        req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);


Hello World JAX-WS - Valid User!

4. Tracing SOAP Traffic

From top to bottom, showing how SOAP envelope flows between client and server.

1. Client send request, the username “mkyong” and password “password” are included in the SOAP envelope.

POST /ws/hello?wsdl HTTP/1.1
Password: password
Username: mkyong
SOAPAction: ""
Accept: text/xml, multipart/related, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: text/xml; charset=utf-8
User-Agent: Java/1.6.0_13
Host: localhost:8888
Connection: keep-alive
Content-Length: 178
<?xml version="1.0" ?>
	<S:Envelope xmlns:S="">
			<ns2:getHelloWorldAsString xmlns:ns2=""/>

2. Server send back a normal response.

HTTP/1.1 200 OK
Transfer-encoding: chunked
Content-type: text/xml; charset=utf-8
<?xml version="1.0" ?>
	<S:Envelope xmlns:S="">
			<ns2:getHelloWorldAsStringResponse xmlns:ns2="">
				<return>Hello World JAX-WS - Valid User!</return>


Download Source Code

Tags :

About the Author

Founder of and, love Java and open source stuff. Follow him on Twitter, or befriend him on Facebook or Google Plus. If you like my tutorials, consider make a donation to these charities.


  • Pingback: alkaline water machine()

  • Pingback: alkaline water machine()

  • Pingback: parking()

  • Pingback: laan penge online()

  • Pingback: car parking()

  • Pingback: mobile porn()

  • Pingback:

  • Pingback: Direct TV vs Dish TV()

  • Pingback: great prices on DIRECTV()

  • Pingback: best online casinos()

  • Pingback: light gloves()

  • Pingback: How to use Viber in UAE 2015()

  • Pingback: kangen water()

  • Pingback: kangen()

  • Pingback: best bottled water()

  • Pingback: water ionizer()

  • Pingback: watch movies online()

  • Pingback: watch movies online()

  • Pingback: watch movies online()

  • Pingback: Blue Coaster33()

  • Pingback: Web Service Authentication using Java | I'm IT Professional Service (Architect, Designer, Developer, Analyst & Business Consultant, on SOA, SCM, SCO, ERP & CRM()

  • Dinesh Pise

    I have getting below error when depoyed in Jboss 5.1 GA but works fine in Jboss 4.2

    java.lang.LinkageError: loader constraint violation in interface itable initialization: when resolving method “;” the class loader (instance of org/jboss/classloader/spi/base/BaseClassLoader) of the current class, com/sun/xml/ws/util/xml/XMLStreamReaderFilter, and the class loader (instance of ) for interface javax/xml/stream/XMLStreamReader have different Class objects for the type javax/xml/namespace/QName used in the signature

  • rakesh

    Hi All ,
    I am following the above given program.
    It’s working with jdk 1.6 with this commands
    1. wsgen -keep -cp bin/ -s src/ the Survice)
    2.wsimport -keep -s ./src -p com.mkyong.client http://localhost:8080/ws/hello?wsdl(Creating the respective Service file for client)

    It.s always taking in Service implementation file username =”” and password=””
    Therefore always it saying unknown user while i am passing username =”mkyong” and password=”password”

    Can anyone help me how i can get the right input from the client file?
    Thanks and regards,

  • Sudhakar

    Simply Superb. This saved me so much of time !

  • Marcos Daniel Petry

    Thank you Mkyong. Your tutorials are very usefull for us.

  • dkbose

    First of all, I’m a huge fan of your articles.. Simple, yet so effective..

    However, I’ve followed this tutorial and not achieved the expected results. I am using Spring 3.0.3 and on invocation of the method, WebServiceContext is null. It isn’t being injected.

    Any help on how to inject WebServiceContext would be appreciated. Thanks in advance..

  • Muzimil Basha

    Thanks for tutorial. I am trying to implement this for my web service method. I had successfully added it in my service. I am using Apache Axis2 for generating the client. It will create all the required classes. Currently I am using

     HelloWorldImplServiceStub stub = new HelloWorldImplServiceStub();
    GetHelloWorldAsString get= new GetHelloWorldAsString();
    GetHelloWorldAsStringResponse res= stub.getHelloWorldAsString(get);

    Can you tell me how to add headers for this. your suggestion would help me alot.

  • Tari aka Manga

    Ciao, great example thanks!

    Actually FYI I found maybe simpler to put username/password via BindingProvider if it’s not a requirement to put them manually in the HTTP headers, e.g.:

    req_ctx.put(BindingProvider.USERNAME_PROPERTY, "username");
    req_ctx.put(BindingProvider.PASSWORD_PROPERTY, "password");

    Hope in having provided a good suggestion as well ;)
    ps: very great tutorials all over your site, good job!! Very helpful!!!

  • Sonu Thomas

    Note : error in source code

    In source code provided to download, Webservice is published in port 9999 and client is accessing at 8888.So error is coming. Kindly change it accordingly..

  • Azahrudhin

    Hi Mkyong,
    Thank you for all your posts , they are simple and easy to understand.

    Could you please post and example for writing client using certificate i.e consuming a webservice which will use certificate to authenticate

    01. I have generated the client bindings using NetBeans which intern uses wsimport of JAX-WS RI 2.2.

    02. How to write the client program to access the webservice using cert files.

    01. I have successfully generated the client bindings.
    I need to configure the Keysotre and TrustStore.

    03. Please help to configure the trustsotre and keystore in the client programs.

  • deepak

    i have no website.
    listen dear as you have mention an example i am not able to run your example ,error is coming
    Exception in thread “main” Connection refused: connect.

    please share me the reason.

  • José Gamboas

    Thanks for this tutorial, I need implement this example for learning jax-ws.

    how I can make a header for connect soapUI and php?
    I used This but no work:



    Unknown User!{accept-encoding=[gzip,deflate], content-length=[340], content-type=[text/xml;charset=UTF-8], host=[localhost:8080], soapaction=[“”], user-agent=[Jakarta Commons-HttpClient/3.1]}

    Thanks for help me….

  • Jairaj Chetty

    Great tutorial thanks. Any idea how to replicate the client request using soapUI?

  • Jairaj Chetty

    Great tutorial, thanks. Just what I needed. Any idea how to send requests from soapUI with username/password?

  • Pingback: Basic Authentication with SOAP Web Service « dwuysan()

  • manish gupta

    hi mkyong,

    Thanks, its valuable example!!

  • Enduro

    I guess this method does not seem to be safe for replay-attacks.

    I would recommend to use UsernameToken.

    • mkyong

      This article is showing the basic about how to perform authentication in jax-ws. For advance security feature, just enhance it to suit your needs.

      I’m interest at your UsernameToken example, mind to share it? Thanks.

      • Ariel Snir

        Hi dear MyKong,
        You are a great man that help a lot in promoting technology
        worldwide by sharing knowledge.
        So , thanks you very much.

        I have a request,
        Can you kindly, share an example with UsernameToken for performing authentication in jax-ws.

        Best regards,

  • Pingback: JAX-WS, Authentication and Authorization – How to?()

  • Pingback: JAX-WS, Authentication and Authorization – How to? | Gravity Layouts()

  • Bharat


    in your example when i read the following code

    Map httpHeaders = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
    The values in httpHeaders are coming as following:
    {jboss-remoting-version=[22], connection=[keep-alive], host=[usbur043060:30080], user-agent=[JBossRemoting - 2.2.2.SP7 (Bluto)], transfer-encoding=[chunked], content-type=[text/xml; charset=UTF-8], accept=[text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2], soapaction=[""]}
    List userList = (List) httpHeaders.get("Username");
    List passList = (List) httpHeaders.get("Password");

    but i never get any value in userList and passList. they are always null.

    Please guide me.

  • Floris

    Is the username/password send in plaintent in the resulting SOAP messages? If so I would suggest combining the authentication with some form of confidentiality(e.g. using TLS).

    • mkyong

      ya, in production, SSL is always recommended.

      • Ashish

        This is a vary good example.Thanks a ton for guiding us.
        Can yoiu please also tell us who to implement SSL in client side(encryption) and server side(decryption) using above mentioned code.

        Thanks in advance,

  • Pingback: JAX-WS Tutorial()

  • PeterR


    I have found on everything needed for my project Liferay Spring jax-ws .

    Thank you very much!

    • mkyong

      Hi Peter, good to know that my articles did help someone :)

      • RajeshR

        ON WAS 7.0 I am runnig the application that calls the webservice.
        In the client side code of webservice, I have tried to set the headers, but its giving me exception at the very first line of the code

        Map req_ctx = ((BindingProvider)port).getRequestContext();

        excpetion is
        [7/27/12 12:11:47:075 IST] 00000017 SystemErr R javax.ejb.EJBException: EBS Error code[810666] incompatible with

        I am struggling a lot since a month with this issue. Could you please help.

        My Code:
        if (nwsInterfaceSoapPort == null)
        System.out.println(“>>NwsInterfaceSoapPortProxy.add_Complaint():Start addding Header<<<");
        Map reqContext = ((BindingProvider)nwsInterfaceSoapPort).getRequestContext();


        public class NwsInterfaceSoapPortProxy implements {
        private boolean _useJNDI = true;
        private String _endpoint = null;
        private nwsInterfaceSoapPort = null;

        public NwsInterfaceSoapPortProxy() {

        private void _initNwsInterfaceSoapPortProxy() {

        if (_useJNDI) {
        javax.naming.InitialContext ctx = new javax.naming.InitialContext();
        nwsInterfaceSoapPort = (("java:comp/env/service/NetPointWebService")).getNwsInterfaceSoapPort();
        catch (javax.naming.NamingException namingException) {}
        catch (javax.xml.rpc.ServiceException serviceException) {}
        if (nwsInterfaceSoapPort == null) {
        nwsInterfaceSoapPort = (new;
        catch (javax.xml.rpc.ServiceException serviceException) {}
        if (nwsInterfaceSoapPort != null) {
        if (_endpoint != null)
        ((javax.xml.rpc.Stub)nwsInterfaceSoapPort)._setProperty("javax.xml.rpc.service.endpoint.address", _endpoint);
        _endpoint = (String)((javax.xml.rpc.Stub)nwsInterfaceSoapPort)._getProperty("javax.xml.rpc.service.endpoint.address");

        public class NwsInterfaceSoapBindingStub extends implements {
        public NwsInterfaceSoapBindingStub( endpointURL, javax.xml.rpc.Service service) throws {
        if (service == null) {
        super.service = new;
        else {
        super.service = service;
        super.engine = (( super.service).getEngine();
        super.cachedEndpoint = endpointURL;
        super.connection = (( super.service).getConnection(endpointURL);
        super.messageContexts = new[2];
        public class NetPointWebServiceLocator extends implements {

        public getNwsInterfaceSoapPort() throws javax.xml.rpc.ServiceException { endpoint;
        try {
        endpoint = new;
        catch ( e) {
        return null; // unlikely as URL was validated in WSDL2Java
        return getNwsInterfaceSoapPort(endpoint);

        public getNwsInterfaceSoapPort( portAddress) throws javax.xml.rpc.ServiceException {
        try { _stub = new, this);
        return _stub;
        catch ( e) {
        return null;

  • Remco

    Thanks alot for this excellent tutorial

  • Pingback: Tomcat – Container Authentication with JAX-WS()

  • Chris

    Great tutorials, very easy to read and follow. Thanks.