axis-java-user mailing list archives

From "KUMAR,PANKAJ (HP-Cupertino,ex1)" <pankaj_ku...@hp.com>
Subject RE: Issues with Authentication
Date Sat, 26 Apr 2003 02:00:04 GMT
Sam,

My thinking is that Axis is getting the username from HTTP headers and
stuffing it in MessageContext at the server side. But I have not looked at
the code.

The structure of the APIs does give the impression that the client side bag may
become available on the server side. In reality, the bag is only a mechanism
to have shared data within either client or server for different components.

/Pankaj.

> -----Original Message-----
> From: Sam Khan [mailto:skhan@SVTECHNOLOGY.com]
> Sent: Friday, April 25, 2003 10:21 AM
> To: axis-user@ws.apache.org
> Subject: RE: Issues with Authentication
> 
> 
> Pankaj,
> 
> Thanks again for your response. I remain somewhat confused 
> about properties in the 'bag'. The class 
> SimpleAuthenticationHandler has the following code:
> 
>  public void invoke(MessageContext msgContext) throws AxisFault {
> 
>      SecurityProvider provider =
>          (SecurityProvider) msgContext.getProperty("securityProvider");
> 
>      if (provider != null) {
>          String userID = msgContext.getUsername();
>          if (log.isDebugEnabled()) {
>              log.debug(Messages.getMessage("user00", userID));
>          }
> 
>          -- snip --
>  }
> 
> This implies that the username ( which I am assuming, 
> probably incorrectly ) was set using call.setUsername() in 
> the client. This is the only way given in this class to 
> extract user and password info. Therefore shouldn't this info 
> be stuffed in the bag earlier in the chain ( on the server side )?
> 
> Thanks
> Sam 
> 
>            
> 
> 
> 
> -----Original Message-----
> From: KUMAR,PANKAJ (HP-Cupertino,ex1) [mailto:pankaj_kumar@hp.com]
> Sent: Friday, April 25, 2003 10:01 AM
> To: 'axis-user@ws.apache.org'
> Subject: RE: Issues with Authentication
> 
> 
> > -----Original Message-----
> > From: Sam Khan [mailto:skhan@SVTECHNOLOGY.com]
> > Sent: Friday, April 25, 2003 9:25 AM
> >
> > Hi Pankaj,
> > 
> 
> > I do have one more question: I'm setting properties in the 
> > call object but they are no longer in the 'bag' when 
> > SimpleAuthenticationHandler::invoke is called. Does this make 
> > any sense to you? ( I know this is a moot point since I will 
> > no longer be using the class, but my curiosity has got the 
> > better of me) 
> 
> I am glad that I could be of any use to you and Axis community.
> 
> The bag of properties set in the client gets "converted" into HTTP Headers
> for HTTP authentication protocol (that is why you see the base64 encoded
> value of username and password as an HTTP header). The bag that gets created
> at the server side has local stuff and it is not a copy of the bag at the
> client. In fact, if you use DIGEST authentication (which unfortunately
> didn't work with Tomcat 4.1.18), there is no way you can get the password
> (that is the way it should be -- you don't want someone with a sniffer or
> tcpdump to retrieve your passwords from the network).
> 
> Though you can get the username in Axis. Look at the sample .jws file
> EchoHeaders.jws for how to get HttpServletRequest. Once you have it, you can
> get the username by calling getRemoteUser().
> 
> > 
> > Thanks again!
> > Sam 
> > 
> > 
> > -----Original Message-----
> > From: KUMAR,PANKAJ (HP-Cupertino,ex1) [mailto:pankaj_kumar@hp.com]
> > Sent: Thursday, April 24, 2003 9:50 PM
> > To: 'axis-user@ws.apache.org'
> > Subject: RE: Issues with Authentication
> > 
> > 
> > Hi Sam,
> > 
> > As I suspected, you are attempting two levels of authentication and
> > authorization -- once by the web container and next by Axis handlers. Both
> > require their own settings of users, passwords and roles. By default, for
> > Tomcat you specify these in the tomcat-users.xml file. Of course, you could use
> > a database or LDAP based implementation for better scalability and improved
> > administration. Access to specific URLs is done by the url-pattern element in
> > web.xml.
> > 
> > For Axis, you specify user and password in the users.lst file of the Axis WEB-INF
> > directory. Here roles are the same as usernames. Authorization info is in the file
> > perms.lst. I have a feeling that you may not have configured these files
> > properly. Looking at your web.xml, I would expect your users.lst to have:
> > 
> > InternalUser <pass1>
> > ExternalUser <pass2>
> > LawportAdmin <pass3>
> > 
> > And perms.lst to have:
> > 
> > InternalUser <svc>
> > ExternalUser <svc>
> > LawportAdmin <svc>
> > 
> > You don't gain much by this additional layer of authentication. In fact,
> > there are problems. The Security handlers that come with Axis are not very
> > safe (they store passwords in clear) -- in fact they are there for
> > illustration purposes only. As the security of the system is only as strong
> > as the weakest link, you actually weaken your security by introducing
> > SimpleAuthenticationHandler and SimpleAuthorizationHandler of Axis.
> > 
> > Hope this helps.
> > 
> > /Pankaj.
> > 
> > > -----Original Message-----
> > > From: Sam Khan [mailto:skhan@SVTECHNOLOGY.com]
> > > Sent: Thursday, April 24, 2003 9:53 AM
> > > To: axis-user@ws.apache.org
> > > Subject: RE: Issues with Authentication
> > > 
> > > 
> > > Hi Pankaj,
> > > Thanks for your reply. I have changed the web.xml file as follows:
> > > 
> > > <security-constraint>
> > >     <web-resource-collection>
> > >         <web-resource-name>Web Service Settings</web-resource-name>
> > >         <url-pattern>http://localhost:8101/lawport/services/GetMatters</url-pattern>
> > >         <http-method>GET</http-method>
> > >         <http-method>POST</http-method>
> > >     </web-resource-collection>
> > >     <auth-constraint>
> > >         <role-name>InternalUser</role-name>
> > >         <role-name>ExternalUser</role-name>
> > >         <role-name>LawportAdmin</role-name>
> > >     </auth-constraint>
> > > </security-constraint>
> > > <!-- end web services -->
> > > <login-config>
> > >     <auth-method>BASIC</auth-method>
> > >     <realm-name>The Lawport Network</realm-name>
> > >     <form-login-config>
> > >         <form-login-page>/jsp/Login.jsp</form-login-page>
> > >         <form-error-page>/jsp/BadLogin.jsp</form-error-page>
> > >     </form-login-config>
> > > </login-config>
> > > 
> > > 
> > > I have also changed the wsdd file to include the following:
> > > 
> > > <requestFlow name="checks">
> > >     <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
> > >     <handler type="java:org.apache.axis.handlers.SimpleAuthorizationHandler"/>
> > > </requestFlow>
> > > <parameter name="allowedRoles" value="InternalUser, ExternalUser, LawportAdmin"/>
> > > 
> > > Am I missing anything?
> > > Thanks
> > > Sam 
> > > 
> > > 
> > > -----Original Message-----
> > > From: KUMAR,PANKAJ (HP-Cupertino,ex1) [mailto:pankaj_kumar@hp.com]
> > > Sent: Wednesday, April 23, 2003 8:24 PM
> > > To: 'axis-user@ws.apache.org'
> > > Subject: RE: Issues with Authentication
> > > 
> > > 
> > > Hi Sam,
> > > 
> > > The web container authentication seems to be working fine. Axis servlet
> > > seems to throw an authentication fault. What are your server side settings?
> > > (Did you modify Axis web.xml? What is the WSDD file for your service?)
> > > 
> > > /Pankaj.
> > > 
> > > > -----Original Message-----
> > > > From: Sam Khan [mailto:skhan@SVTECHNOLOGY.com]
> > > > Sent: Wednesday, April 23, 2003 5:34 PM
> > > > To: axis-user@ws.apache.org
> > > > Subject: Issues with Authentication
> > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > I'm receiving the following error when attempting to make an 
> > > > authenticated web service call:
> > > > 
> > > > AxisFault
> > > >  faultCode: {http://xml.apache.org/axis/}Server.Unauthenticated
> > > >  faultString: User 'null' not authenticated (unknown user)
> > > >  faultActor: null
> > > >  faultDetail: 
> > > > 	stackTrace: AxisFault
> > > >  faultCode: {http://xml.apache.org/axis/}Server.Unauthenticated
> > > >  faultString: User 'null' not authenticated (unknown user)
> > > >  faultActor: null
> > > >  faultDetail: 
> > > > 
> > > > User 'null' not authenticated (unknown user)
> > > > 	at org.apache.axis.handlers.SimpleAuthenticationHandler.invoke(SimpleAuthenticationHandler.java:106)
> > > > 	at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
> > > > /------------------------------- MESSAGE TRUNCATED -------------------------------/
> > > > 
> > > > 
> > > > The call object is being stuffed as follows:
> > > >  call.setProperty( Call.USERNAME_PROPERTY, "username" );
> > > >  call.setProperty( Call.PASSWORD_PROPERTY, "password" );
> > > > 
> > > > Can anyone tell me what is causing the authentication info to
> > > > either not get sent or not be recognised upon receipt by the
> > > > Axis server? I have noticed the request header does change
> > > > when the call object is stuffed with the above values:
> > > > 
> > > > POST /lawport/services/GetMatters HTTP/1.0
> > > > Content-Type: text/xml; charset=utf-8
> > > > Accept: application/soap+xml, application/dime, multipart/related, text/*
> > > > User-Agent: Axis/1.1RC1
> > > > Host: localhost
> > > > Cache-Control: no-cache
> > > > Pragma: no-cache
> > > > SOAPAction: ""
> > > > Content-Length: 1400
> > > > Authorization: Basic bHBhZG1pbjog   ****** only appears when authentication info used ******
> > > > 
> > > > Any info would be greatly appreciated.
> > > > Thanks
> > > > Sam 
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > 
> 

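Added worked example (editor's illustration, not Axis code and not posted by anyone in this thread): it shows concretely what Pankaj describes above, namely that the only thing the client's username/password properties produce on the wire is an HTTP Basic `Authorization` header, that the server side reconstructs the username from that header alone (so a request without the header yields a `null` user, the same symptom as Sam's "User 'null' not authenticated (unknown user)" fault), and that anyone who can read the header recovers the password, which is the weakness behind the cleartext-password warning. The class name `BasicAuthDemo`, the helper names, and the sample `users.lst` / `perms.lst` contents are constructed for this example; they follow the "username password" and "username service" layouts described in the thread but are not the Axis implementation.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Illustration of Basic-auth round trip and users.lst / perms.lst style checks (not Axis code). */
public class BasicAuthDemo {

    /** Credentials recovered from an "Authorization: Basic ..." header. */
    public static final class Creds {
        public final String user;
        public final String password;
        Creds(String user, String password) { this.user = user; this.password = password; }
    }

    /** Client side: this header is all that carries the username/password to the server. */
    public static String basicHeader(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    /**
     * Server side: parse the header. Returns null when it is absent, not Basic, or
     * malformed; that null is what ends up as the 'null' username in the fault.
     */
    public static Creds parseBasic(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // bad base64: treat as no credentials
        }
        String pair = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new Creds(pair.substring(0, colon), pair.substring(colon + 1));
    }

    /** Constructed users.lst layout: one "username password" per line, stored in clear. */
    public static Map<String, String> loadUsers(String text) {
        Map<String, String> users = new HashMap<>();
        for (String line : text.split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 2) users.put(f[0], f[1]);
        }
        return users;
    }

    /** Constructed perms.lst layout: one "username service" per line; roles equal usernames. */
    public static Map<String, Set<String>> loadPerms(String text) {
        Map<String, Set<String>> perms = new HashMap<>();
        for (String line : text.split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 2) perms.computeIfAbsent(f[0], k -> new HashSet<>()).add(f[1]);
        }
        return perms;
    }

    /** Returns the authenticated username or throws with a fault-style message. */
    public static String authenticate(Map<String, String> users, Creds creds) {
        String user = creds == null ? null : creds.user;
        String stored = user == null ? null : users.get(user);
        if (stored == null) {
            throw new SecurityException("User '" + user + "' not authenticated (unknown user)");
        }
        if (!stored.equals(creds.password)) {
            throw new SecurityException("User '" + user + "' not authenticated (bad password)");
        }
        return user;
    }

    public static boolean authorized(Map<String, Set<String>> perms, String user, String service) {
        Set<String> allowed = perms.get(user);
        return allowed != null && allowed.contains(service);
    }

    public static void main(String[] args) {
        // Constructed sample data in the layouts the thread describes.
        Map<String, String> users = loadUsers("InternalUser s3cret\nExternalUser other\n");
        Map<String, Set<String>> perms = loadPerms("InternalUser GetMatters\nExternalUser GetMatters\n");

        // 1. With credentials set on the client: only this header crosses the wire,
        //    and whoever captures it (sniffer, tcpdump) reads the password back.
        String header = basicHeader("InternalUser", "s3cret");
        Creds seen = parseBasic(header);
        System.out.println("On the wire: Authorization: " + header);
        System.out.println("Recoverable from it: user=" + seen.user + " password=" + seen.password);
        String who = authenticate(users, seen);
        System.out.println("Authorized for GetMatters: " + authorized(perms, who, "GetMatters"));

        // 2. Without any Authorization header the server never sees a username.
        try {
            authenticate(users, parseBasic(null));
        } catch (SecurityException e) {
            System.out.println("No header -> " + e.getMessage());
        }
    }
}
```

Run it with `javac BasicAuthDemo.java && java BasicAuthDemo`. The second case reproduces the "User 'null'" message path: nothing in the client's property bag reaches the server except what was serialized into the header, so a missing or rejected header leaves the server with no username at all. The first case is the reason Pankaj prefers container authentication with DIGEST (or, more generally, a transport that protects the header): Basic is reversible encoding, not protection.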