This is just a summary of a small project I got lately involved in: creation of a RSS feed which authenticates the user upon access.
This has a variety of applications: most RSS feeds on the Internet are public stream of information (news, blogs) but in an enterprise environment that’s not really an option, information is confidential and must be delivered to users according to well established privileges and security rules.
Writing the Feed source
Here is a simple project with all code/config presented above.
The actual feed implementation is done with Rome, an open source project for reading and publish RSS/Atoms feeds in various formats.
Why Rome? Well, it is the “de facto” standard in the Java world, it is simple to use and supports most of the syndication formats.
// create Feed object SyndFeed feed = new SyndFeedImpl(); feed.setTitle("Documents for user: " + userName); feed.setDescription("Here are all personal documents of " + userName); feed.setLink("https://bodez.wordpress.com/rss/MyDocuments"); feed.setFeedType("atom_0.3"); // add entries
Enabling Basic Auth
This is done in the web.xml
<!-- HTTP Basic Authentication: protecting RSS feed --> <security-role> <role-name>rss-protected-users</role-name> </security-role> <security-constraint> <web-resource-collection> <web-resource-name>RSS Feed</web-resource-name> <url-pattern>/rss/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>rss-protected-users</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config>
As you can see the authentication method is specified (BASIC) together with the url to protect (/rss/*) and a role.
In conf/tomcat-users.xml enable the users who will access the information
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="rss-protected-users"/> <role rolename="tomcat"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="beppe" password="ciao" roles="rss-protected-users"/> </tomcat-users>
Accessing the Feed
Deploy your war file, apply the various configurations, then from the web browser invoke:
You should get prompted for credentials (as set in tomcat-users.xml), and here you go.
Instead of accessing the feed via the web browser you can use any other RSS reader (desktop, web or portal) as long as it supports basic authentication. Unfortunately sometimes those clients claim to support BASIC Auth, but fail to work.
I will publish later a list of RSS client readers which I will have successfully tested (this is the next phase of the project)
Oracle OID: I have also connected the web app (feed) to the Oracle LDAP server (OID), this is awesome as it allows to authenticate users against an LDAP server (rather than maintaining the Tomcat users). Drop me a line if you are interested in the config settings.
Last tip: as per Java EE specs only one <login-config> element is allowed in the web.xml therefore you cannot have a feed authenticating with Http Basic Auth and the rest of the application (web service?) using a different mechanism (FORM or CERT). Not ideal IMO, but eventually I ended up creating 2 different WAR files sharing the same business logic which is not a big deal (no code duplication, 2 different simple deployments).
Find here a simple (Maven) project with source and configurations discussed above.