From: Kevin O'Rourke
To: axis-user@ws.apache.org
Date: Fri, 28 Apr 2006 16:34:10 +0100
Subject: Re: Making Axis work with HTTP/Basic authentication and a VB.Net client

I tried just issuing a fault, but that seemed to send a SOAP Fault back to the client
rather than sending a 401. Maybe I need to send a particular fault code?
By the way, I'm using Axis 1.3.

I've got it working just now in what seems like a bit of a hack,
modifying HttpAuthHandler to send a 401 if the username and password are
missing:

    String tmp = (String)msgContext.getProperty(HTTPConstants.HEADER_AUTHORIZATION);
    if ( tmp != null ) tmp = tmp.trim();
    if ( tmp != null && tmp.startsWith("Basic ") ) {
        ...
    } else {
        // No Basic credentials in the request: send the 401 challenge
        // directly through the underlying servlet response.
        HttpServletResponse response = (HttpServletResponse)msgContext.getProperty(
            HTTPConstants.MC_HTTP_SERVLETRESPONSE);
        response.addHeader("WWW-Authenticate", "Basic realm=\"NtiAuth\"");
        try {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (IOException e) {
            throw AxisFault.makeFault(e);
        }
    }

I'm using an underlying Servlet method to send the error, is this
allowed from an Axis web service? It seems to work but I'm worried that
it may cause mysterious bad things to happen.

Kevin.

Rich Rodriguez wrote:
> My authentication handler is just a modified version of the
> SimpleAuthenticationHandler that ships with Axis to hit my user table.
> To be honest, I'm not totally clear on the interaction between that
> handler and the HttpAuthHandler. My auth handler issues a fault if the
> user and password are not in the context, and Axis issues a 401 to the
> client.
>
> On 4/28/06, *Kevin O'Rourke* wrote:
>
> Thanks for the information. Just to be sure I understand:
> - you have written your own AuthenticationHandler class and added it as
>   a handler in server-config.wsdd
> - you have added the HTTPAuthHandler to the "http" transport flow in
>   server-config.wsdd
> - in your services' .wsdd file you have added the "Authenticate" handler
>   to the request flow.
>
> Is that correct?
>
> So it looks like I need to write my own handler class to send back a 401
> error to the client if no username and password are supplied.
>
> I would have expected that functionality to be part of the
> HTTPAuthHandler, seeing as it's a part of HTTP/Basic authentication.
>
> Rich Rodriguez wrote:
> > The auth handler I have is defined outside the service as:
> >
> > type="java:my.custom.AuthenticationHandler"/>
> >
> > The transport request flow is defined as:
> >
> > type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
> >
> > And each service has a request flow of:
> >
> > On 4/27/06, *Kevin O'Rourke* wrote:
> >
> > I'm trying to do authentication for my Axis web service using HTTP/Basic
> > over SSL, as this seemed to be the easiest option. The client is
> > written in Visual Basic .Net 2005.
> >
> > I've added the HTTPAuthHandler to my WSDD file:
> > ...
> >
> > ...
> >
> > However no authentication is happening. The VB.Net client seems to be
> > waiting for a "401 WWW-Authenticate Basic" error from the server, to
> > indicate that the server wants authentication. Axis isn't sending a 401
> > but is instead just happily giving me a null username and password.
> >
> > Does anyone know how I can persuade Axis to send back a 401 error?
> >
> > Kevin
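
The 401 challenge discussed in this thread, shown as an added example that is not part of the original messages or of Axis: a servlet filter that issues the Basic challenge before the request reaches the Axis servlet, so no Axis handler has to write to the servlet response. The class name, the hard-coded credential and the assumption that the filter is mapped in front of the Axis servlet in web.xml are all hypothetical; java.util.Base64 assumes Java 8 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): Basic-auth gate in front of the Axis servlet. */
public class BasicChallengeFilter implements Filter {
    private static final String REALM = "NtiAuth";   // realm string used in the thread
    // Constructed placeholder credential; a real deployment checks a user store.
    private static final byte[] EXPECTED =
        "demo-user:demo-pass".getBytes(StandardCharsets.UTF_8);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** True only for a well-formed "Basic base64(user:pass)" header that matches. */
    static boolean credentialsOk(String header) {
        if (header == null) return false;
        header = header.trim();
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException malformed) {
            return false;                 // undecodable base64 counts as "no credentials"
        }
        // Comparison that does not stop at the first differing byte.
        return MessageDigest.isEqual(decoded, EXPECTED);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.isSecure()) {        // Basic credentials are only base64: require SSL
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!credentialsOk(request.getHeader("Authorization"))) {
            // Missing, malformed and wrong credentials all receive the same challenge.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;                       // the request never reaches Axis
        }
        chain.doFilter(req, res);         // authenticated: hand the request on to Axis
    }
}
```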