Apache Axis2 JSON and REST with Spring Boot User's Guide

This guide will help you get started with Axis2 and JSON via REST, using Spring Security with Spring Boot! It gives a detailed description on how to write JSON based REST Web services and also Web service clients via JSON and Curl, how to write a custom login, and how to use them in a token based Web service that also helps prevent cross site scripting (XSS).

More docs concerning Axis2 and JSON can be found in the Pure JSON Support documentation and JSON User Guide

Introduction

This user guide is written based on the Axis2 Standard Binary Distribution. The Standard Binary Distribution can be directly downloaded or built using the Source Distribution. If you choose the latter, then the Installation Guide will instruct you on how to build Axis2 Standard Binary Distribution using the source.

The source code for this guide provides a pom.xml for an entire demo WAR application built by maven.

Please note that Axis2 is an open-source effort. If you feel the code could use some new features or fixes, please get involved and lend us a hand! The Axis developer community welcomes your participation.

Let us know what you think! Send your feedback to "java-user@axis.apache.org". (Subscription details are available on the Axis2 site.) Kindly prefix the subject of the mail with [Axis2].

Getting Started

This user guide explains how to write and deploy a new JSON and REST based Web Service using Axis2, and how to write a Web Service client using JSON with Curl.

All the sample code mentioned in this guide is located in the "samples/userguide/src/springbootdemo" directory of Axis2 standard binary distribution.

This quide supplies a pom.xml for building an exploded WAR with Spring Boot - however this WAR does not have an embedded web server such as Tomcat.

The testing was carried out on Wildfly, by installing the WAR in its app server.

Please deploy the result of the maven build via 'mvn clean install', axis2-json-api.war, into your servlet container and ensure that it installs without any errors.

Creating secure Web Services

Areas out of scope for this guide are JWT and JWE for token generation and validation, since they require elliptic curve cryptography. A sample token that is not meant for production is generated in this demo - with the intent that the following standards should be used in its place. This demo merely shows a place to implement these standards.

https://datatracker.ietf.org/doc/html/rfc7519

https://datatracker.ietf.org/doc/html/rfc7516

Tip: com.nimbusds is recommended as an open-source Java implementation of these standards, for both token generation and validation.

DB operations are also out of scope. There is a minimal DAO layer for authentication. Very limited credential validation is done.

The NoOpPasswordEncoder Spring class included in this guide is meant for demos and testing only. Do not use this code as is in production.

This guide provides two JSON based web services, LoginService and TestwsService.

The login, if successful, will return a simple token not meant for anything beyond demos. The intent of this guide is to show a place that the JWT and JWE standards can be implemented.

Axis2 JSON support is via POJO Objects. LoginRequest and LoginResponse are coded in the LoginService as the names would indicate.

Also provided is a test service, TestwsService. It includes two POJO Objects as would be expected, TestwsRequest and TestwsResponse. This service attempts to return a String with some Javascript, that is HTML encoded by Axis2 and thereby eliminating the possibility of a Javascript engine executing the response i.e. a reflected XSS attack.

Concerning Spring Security and Spring Boot, the Axis2Application class that extends SpringBootServletInitializer as typically done utilizes a List of SecurityFilterChain as a binary choice; A login url will match, otherwise invoke JWTAuthenticationFilter. All URL's to other services besides the login, will proceed after JWTAuthenticationFilter verifies the token.

The JWTAuthenticationFilter class expects a token from the web services JSON client in the form of "Authorization: Bearer mytoken".

The Axis2WebAppInitializer class supplied in this guide, is the config class that registers AxisServlet with Spring Boot.

Axis2 web services are installed via a WEB-INF/services directory that contains files with an .aar extention for each service. These aar files are similar to jar files, and contain a services.xml that defines the web service behavior. The pom.xml supplied in this guide generates these files.

Tip: don't expose methods in your web services that are not meant to be exposed, such as getters and setters. Axis2 determines the available methods by reflection. For JSON, the message name at the start of the JSON received by the Axis2 server defines the Axis2 operation to invoke. It is recommended that only one method per class be exposed as a starting point. The place to add method exclusion is the services.xml file: 

    <excludeOperations>
        <operation>setMyVar</operation>
    </excludeOperations>

The axis2.xml file can define GSON or Moshi as the JSON engine. GSON was the original however development has largely ceased. Moshi is very similar and is widely considered to be the superior implementation in terms of performance. GSON will likely continue to be supported in Axis2 because it is helpful to have two JSON implementations to compare with for debugging.

JSON based web services in the binary distribution of axis2.xml are not enabled by default. See the supplied axis2.xml of this guide, and note the places were it has "moshi". Just replace "moshi" with "gson" as a global search and replace to switch to GSON.

Axis2 web services that are JSON based must be invoked from a client that sets an HTTP header as "Content-Type: application/json". In order for axis2 to properly handle JSON requests, this header behavior needs to be defined in the file WEB-INF/conf/axis2.xml. 

    <message name="requestMessage">
        <messageFormatter contentType="application/json"
                          class="org.apache.axis2.json.moshi.JsonFormatter"/>

Other required classes for JSON in the axis2.xml file include JsonRpcMessageReceiver, JsonInOnlyRPCMessageReceiver, JsonBuilder, and JSONMessageHandler.

Invoking the client for a login that returns a token can be done as follows: 

curl -v -H "Content-Type: application/json" -X POST --data @/home/myuser/login.dat http://localhost:8080/axis2-json-api/services/loginService

Where the contents of /home/myuser/login.dat are: 

{"doLogin":[{"arg0":{"email":java-dev@axis.apache.org,"credentials":userguide}}]}

Response: 

{"response":{"status":"OK","token":"95104Rn2I2oEATfuI90N","uuid":"99b92d7a-2799-4b20-b029-9fbd6108798a"}}

Invoking the client for a Test Service that validates a sample token can be done as follows: 

curl -v -H "Authorization: Bearer 95104Rn2I2oEATfuI90N" -H "Content-Type: application/json" -X POST --data @/home/myuser/test.dat http://localhost:8080/axis2-json-api/services/testws'

Where the contents of /home/myuser/test.dat are below. arg0 is a var name and is used by Axis2 as part of its reflection based code: 

{"doTestws":[{"arg0":{"messagein":hello}}]}

Response, HTML encoded to prevent XSS. For the results with encoding see src/site/xdoc/docs/json-springboot-userguide.xml. 

{"response":{"messageout":"<script xmlns=\"http://www.w3.org/1999/xhtml\">alert('Hello');</script> \">","status":"OK"}}