Avoiding Weblogic basic authentication check

I want to use Acegi basic authentication filter with WLS 8.1. But weblogic doesn't allow requests which have Authorization header and no such user is configured in weblogic, although I haven't configured any security in weblogic for my web-app. How could I send username and password using basic authentication, without weblogic to check them?

You can comment out the security constraint and login config in the web.xml of your application.
<!--
<security-constraint>
    <display-name>Constraint-0</display-name>
    <web-resource-collection>
      <web-resource-name>Constraint-0</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config> -->
-Faisal
http://www.weblogic-wonders.com

Similar Messages

  • Disable weblogic basic authentication from application side

    I am using a restful service for my application and i want to disable basic authentication of weblogic from application not from config.xml
    please help

    You can comment out the security constraint and login config in the web.xml of your application.
    <!--
    <security-constraint>
        <display-name>Constraint-0</display-name>
        <web-resource-collection>
          <web-resource-name>Constraint-0</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config> -->
    -Faisal
    http://www.weblogic-wonders.com

  • Ignoring Http basic authentication header in wls 7.0.sp2 web service servlet (weblogic.webservice.server.servlet.WebServiceServlet)

    Hi!
    We need to implement authentication using our own methods, and the authentication
    information is provided to the web service implementation in a basic authentication
    header. The problem is, that the servlet
    weblogic.webservice.server.servlet.WebServiceServlet, which handles web services
    in
    wls 7.0.sp2, always attempts to perform authentication, if the header is present.
    Is there any way to circumvent this, because we want to implement authentication
    on our own?
    I already know two workarounds:
    The best would of course be to implement a custom security realm for our own
    authentication system. This is not an option, implementing an own security
    realm is overkill for this specific web service.
    The other way would be to route the requests by way of a custom servlet, which
    would
    remove the basic authentication header, and put the authentication info in custom
    headers, such as x-auth: <user:password>, or smthng similar, and after successful
    authentication, make a call to bea's servlet weblogic.webservice.server.servlet.WebServiceServlet.
    But still, I'd like to know if there is any way to tell bea's servlet to ignore
    the basic
    authentication header?
    Oh yeah, by the way, this is URGENT, as always. (really!! ;)
    Toni Nykanen

    Currently there is no option to turn off security check.
    I think you can use a servlet filter mapped to the URL
    of your service, instead of a proxy servlet?
    Regards,
    -manoj
    http://manojc.com
    "Toni Nykanen" <[email protected]> wrote in message
    news:3ef1577b$[email protected]..
    >
    Hi!
    We need to implement authentication using our own methods, and theauthentication
    information is provided to the web service implementation in a basicauthentication
    header. The problem is, that the servlet
    weblogic.webservice.server.servlet.WebServiceServlet, which handles webservices
    in
    wls 7.0.sp2, always attempts to perform authentication, if the header ispresent.
    Is there any way to circumvent this, because we want to implementauthentication
    on our own?
    I already know two workarounds:
    The best would of course be to implement a custom security realm for ourown
    authentication system. This is not an option, implementing an own security
    realm is overkill for this specific web service.
    The other way would be to route the requests by way of a custom servlet,which
    would
    remove the basic authentication header, and put the authentication info incustom
    headers, such as x-auth: <user:password>, or smthng similar, and aftersuccessful
    authentication, make a call to bea's servletweblogic.webservice.server.servlet.WebServiceServlet.
    >
    But still, I'd like to know if there is any way to tell bea's servlet toignore
    the basic
    authentication header?
    Oh yeah, by the way, this is URGENT, as always. (really!! ;)
    Toni Nykanen

  • How to avoid weblogic changing of the sessionid after authentication

    Hi all,
    I would like to know if there is a way to avoid weblogic changing the session after having called j_security_check and thus after having been authenticated.
    I would like to use the same session before and after the authentication process.
    Is it possible? Is there any configuration option?
    Thanks in advance,
    Riccardo

    ok, then:
    you need to make sure that while your doing this the system (R/3) is locked for users...if this isn't possible do it on the most calm moment (like the weekend or public holiday)...
    if you are at this moment :
    run the v/3 update job for appl 12. (empty update queue)
    run the delta ip twice (empty delta queue and repeat)
    before you import you can use program RMCSBWCC to check for any table not yet empty...
    all R/3 structures are empty now. You can import your modifications. Your delta will continue with any problem...
    However, the delta will not pick up the history of the new fields, of course...
    if you need the history for the new fields, there you need to do a full init...or start with all kind of extra dso and so on...this topic has been discussed many times on the forum, you can find many posts on it
    M.

  • Weblogic server BASIC Authentication not prompting for username

    I created a very simple Weblogic 10.3.5 web application with BASIC Authentication that for some reason doesn't prompt for the username and password. I believe the web.xml and weblogic.xml are created properly. The entire application is below.
    It consists of two files:
    index.html -- that anyone should be able to load
    remoteuser.jsp -- that only people in 'group' should be able to load
    I added an <auth-constraint> for all JSPs (*.jsp), such that only users in 'group' should be able to load them. However, when I load the url "/remoteuser.jsp", it displays "The remote user is null", and doesn't prompt for a username and password. The causes the JSP to also print out null instead of the remote user's name.
    The <auth-method> is, of course, set to BASIC.
    I currently don't even have any groups defined in Weblogic's Security Realm, because I want to watch it fail first.
    According to this Weblogic documentation (http://docs.oracle.com/cd/E15051_01/wls/docs103/security/thin_client.html#wp1037337), I believe that I'm doing everything correctly.
    Do I have to modify the Weblogic Security Realm's Authentication Provider? Or some other setting?
    I know that I'm doing something silly, but can't see it. Please help!
    SOURCE FILES
    web.xml
    <web-app>
    <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>JSPs</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>group</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>group</role-name>
    </security-role>
    </web-app>
    weblogic.xml
    <weblogic-web-app>
    <security-role-assignment>
    <role-name>group</role-name>
    <principal-name>group</principal-name>
    </security-role-assignment>
    </weblogic-web-app>
    remoteuser.jsp
    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Remote User</title>
    </head>
    <body>
    <p>
    Only users in "group" should be able to load this page.
    </p>
    <p>
    The remote user is <%= request.getRemoteUser() %>
    </p>
    </body>
    </html>
    index.html
    <html>
    <head><title>WebLogic Test</title></head>
    <body>
    Everyone should be able to see this.
    </body>
    </html>

    Hi,
    Before deploying, have you changed:
    Application properties -> Deployment
    Remove the selection from "Auto Generate and Syncronize weblogic-jdc.xml ....."
    Kind Regards

  • Basic Authentication, how to make it work?

    Your input will be highly appreciated.
    I am trying to make http basic authentication work in BEA Weblogic, and I am using
    'examplesWebApp' as my sample program. So far, I can see the browser popup dialogbox,
    but I always got authentication failure message after I gave login and password.
    Steps which I did:
    1. Start server - Start examples server which is weblogic700/samples/server/config/examples/startExamplesServer.sh
    (I am on Sun's Solaris).
    2. Start descriptor editing window -- In Management Console, select Deployment -->
    Web Applications --> examplesWebApp, then start "Edit Web Appliation Deployment Descriptors.."
    in another browser window.
    3. Login Config - In the new window, select "Web App Descriptor", then "Configure
    a new Login Config...", then select "Basic" for Auth Method , and type in "myrealm"
    for "Realm Name".
    4. Specify constraints - Select "Security Constraints", and then "Configure a new
    Security Constraint". Use "MySecurity Constraint" as the display name, and use "MyWeb
    Resource Collection" as Resource Name. Type in /* in the "Url Patterns" field.
    5. Configure a security role - Select "Security Constraints", and then "Configure
    a new Security Role". Type in Admin for "Role Name".
    6. Configure a Auth Constraint - Select "Security Constraints" --> "MySecurity Constraint",
    then "Configure a new Auth Constraint...". Click on Create button in Configuration
    tab, then move Admin from Available to Choosen column, then click on Apply
    7. Persist these changes and then restart the server
    That's all what I did, and then I use 'weblogic/weblogic' as login/password to try
    to login to http://localhost:7001/examplesWebApp/HelloWorld2. I can see the popup
    dialogbox, but I always get a failure message. By the way, weblogic/weblogic (login/password)
    always work for Management Console window.
    The user "weblogic" is a user defined in myrealm, and it is also in Administrators
    group. The role definition of "Admin" in myrealm has "Caller is a member of group
    Administrators" as one of its conditions. So my understanding is that it should work,
    but unfortunately it doesn't. I must miss some steps or part of my understanding
    may not be right.
    Hope somebody can give me some help.
    Thanks.
    Yunpeng Zhang

    Hello Abhilash,
    lets check what is the authentication selected for the Central Admin web applicaiton.
    go to CA --> Appliaction management --> manage web applicaiton --> select the central admin web app --> on the top ribbon select "Authentication Providers".
    here , verify under IIS authenticaiton settings section, which option is selected, if the basic authenticaiton check box is checked, please uncheck it and select "integrated Windows Authentication".
    if this doesnt work, 
    try unprovisioning and reprovisioning the CA usning command ..
    psconfig.exe -cmd adminvs -unprovision
    psconfig.exe -cmd adminvs -provision -port 0000 -windowsauthprovider onlyusentlm
    REF: http://technet.microsoft.com/en-in/library/cc263093(v=office.14).aspx 
    or ..
    if you have other servers in the farm, you can just start the Central Admin service on other server and stop it on the current one from "Services on server
    " option on CA.
    let me know afterwards ...
    Thanks, Noddy

  • BPEL to invoke Webservice secured with HTTP Basic authentication

    Hi All,
    Iam trying to call a Synchronous BPEL porcess from BPEL by passing HTTP basic authentication.I have done below steps to achieve this.
    1) Created Target Synchronous process ex : B
    2) Created Source Syncronous Process ex : A
    Iam trying to call B(Target) from A(source).
    3) Open Composite.xml of A(Source)
    4) Right Click on External Refernce B(Target) parter link and click Configure WS policies
    5) Under Security tab attach oracle/wss_username_token_client_policy
    6) Login to em/console
    7) Right click on A(Source) Composite and click Service/Refence Properties>>B(Target)
    8) Enter username and password under HTTP Basic Authentication.
    9)Test from em.console(when we are testing under security tab I have checked None radio button)
    So this is the Error message which is throwing.
    ==================================
    The selected operation process could not be invoked.
    An exception occured while invoking the webservice operation. Please see logs for more details.
    oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security.
    java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:570) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:298) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(AstValue.java:157) at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283) at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53) at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1245) at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:87) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:298) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:91) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:87) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:87) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:298) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:91) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:81) at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475) at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._invokeApplication(LifecycleImpl.java:673) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:273) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:165) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:85) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:54) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:247) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:157) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:191) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:159) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:527) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:202) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3588) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201) at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) Caused by: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.sysman.emas.model.wsmgt.PortName.invokeOperation(PortName.java:712) at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:564) ... 68 more Caused by: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.sysman.emSDK.webservices.wsdlapi.dispatch.DispatchUtil.invoke(DispatchUtil.java:260) at oracle.sysman.emSDK.webservices.wsdlparser.OperationInfoImpl.invokeWithDispatch(OperationInfoImpl.java:843) at oracle.sysman.emas.model.wsmgt.PortName.invokeOperation(PortName.java:664) ... 69 more Caused by: javax.xml.ws.soap.SOAPFaultException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.j2ee.ws.client.jaxws.DispatchImpl.throwJAXWSSoapFaultException(DispatchImpl.java:874) at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:707) at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.synchronousInvocationWithRetry(OracleDispatchImpl.java:226) at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.invoke(OracleDispatchImpl.java:97) at oracle.sysman.emSDK.webservices.wsdlapi.dispatch.DispatchUtil.invoke(DispatchUtil.java:256) ... 71 more
    =======================================
    Please let me know if Iam missing any steps.
    Thanks
    SSV

    Followed this post.......
    This is avery good question
    in 11g i have taken out the steps from my document which i created for one our customer
    go to composite
    Right click on the external reference service and select “Configure WS policies” :done
    Under the security tab, click add button and select “oracle/ wss_username_token_client_policy :done
    6. Now Open the property Inspector window and click the add button under “Binding properties” tab. :done
    7. Include the “oracle.webservices.auth.username--> :done
    value-->password :done
    8. Include the “oracle.webservices.auth.password”-->name :done
    value-->password :done
    Thanks
    SSV

  • Sender SOAP bypassing the basic authentication

    Hi All,
    I'm doing a SOAP to RFC scenario. Inorder to remove the basic authentication for SOAP i'm using the
    WSDL url like
    http://host:port/XISOAPAdapter/MessageServlet?channel=service:channel&sap-client&sap-user=username&sap-password=password
    but even after trying it this way its asking for the authentication.
    I would like to know, if i've to append the username and password with the url while creating the webservice from the ID or is it  just that after creating the webservice i've to apeend it when trying to access it.
    We are using pi7.0 here . So is there any change while passing the username and password .
    I knw tht this can be accomplished by editing the sda file , but thats not wat we want .
    Any kind of suggestion will be helpful.
    Thanks & Regards,
    Rahul.

    Hi,
    This may help you
    Check these words in this Blog
    Prompt for Login credentials
    When the above asp is executed in browser it prompts for User name/Password. We need to give valid username/password for XI. Until the recent patches by Microsoft there was a provision for providing login credentials directly in JavaScript (HTTP Connection).But for security risks this has been disabled in recent fixes. The Credentials need not be re-entered as long as session is not closed.
    https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1442 [original link is broken]
    Regards
    Seshagiri

  • IIS Reverse Proxy and Basic Authentication

    Hi,
    we've currently put a WebAS 6.40 serving a BSP Application in our Appl-DMZ. For the access via Web the IIS Reverse Proxy is used, which works fine as long as you use a service for which a user is provided (in SICF). But if you don't provide a user in the service (in order to debug the BSP Application) you have to authenticate yourself using Basic Authentication (Browser Popup) which does not work (the popup returns and returns ...)
    I' ve browsed the forums and it seems that the IIS Reverse Proxy does not support (the forwarding) of Basic Authentication "requests".
    So my question, does someone exactly know if the IIS Reverse proxy supports Basic Authentication or not ?
    Thanks,
    Markus

    Hello Markus,
    1. have you checked out Alon Weinstein's Weblog <a href="/people/sap.user72/blog/2005/02/23/the-reverse-proxy-series--part-2-iis-as-a-reverse-proxy">The Reverse Proxy Series -- Part 2: IIS as a reverse-proxy</a>?
    2. Is the IIS a must? Can you give Apache or SAP Web Dispatcher a try. Prakash Singh wrote a Weblog <a href="/people/prakash.singh4/blog/2005/08/16/how-to-setup-webdispatcher-to-load-balance-portal-in-a-clustered-environment">How to setup webdispatcher to load balance portal in a clustered environment</a>.
    Regards
    Gregor

  • How do I protect my JNLP, my JARs etc. (with Basic Authentication)???

    hi all,
    i know that there is a FAQ ( [see here|http://lopica.sourceforge.net/faq.html#obfuscate] ) answering a related question with "You can use an obfuscator...". ok, but is there really no other solution?
    this is the simplified folder structure of my application on the server:
    [application]
      [etc]
        xyz.xml
      [jars]
        myapp.jar
      launch.jnlp
    website.jsp
    initial start and basic authentication:*
    my first idea was to secure everything underneath "application" with basic authentication via my web.xml (yes, i'm aware of the security concerns). this means everybody can access my website (here: website.jsp) which contains a start button that links to "launch.jnlp". as soon as the user clicks on it, the browser opens its standard authentication dialog since launch.jsp is in a protected area. after entering the correct credentials the jnlp-file is downloaded and java web start takes over control. first of all it seems as it tries to access the same jnlp-file again (??? --> probably in order to check for changes in the jnlp file --> this is certainly not the case for the initial startup) and then wants to download the relevant jar (myapp.jar). because both resources are protected jws opens its own basic authentication dialog where i have to enter the same credentials the second time. as far as i know, there is no solution to pass the credentials between the browser and the jvm.
    second start and basic authentication:*
    if the user starts my application for the 2nd, 3rd, ... time via desktop-link (set in jnlp-file) there is no need for accessing my website with a browser. therefore only the authentication dialog of jws gets displayed. so far, so good!
    and now the actual problem:*
    during runtime my application (signed with verisign certificate and having all permissions) uses commons-vfs and commons-httpclient to access resources on the same server (e.g. etc/xyz.xml). since they're underneath the protected "application" directory as well, my application needs the same credentials the user already entered in the authentication dialog of jws. now i could retrieve these credentials by calling Authenticator.requestPasswordAuthentication() within my application and passing them to vfs and httpclient. however, doing so opens up jws' authentication dialog again. grrr!!! is there a way to prevent this?
    related thougts:*
    i know i could disable jws' default Authenticatior and set my own Authenticator which might be able to return already entered credentials without opening the dialog a second time. however, it seems that even with <property name="javaws.cfg.jauthenticator" value="none" /> jws still opens its own dialog when acessing the JNLP file and the relevant JARs during the startup/download phase. of course, who else if not jws could handle that phase? my application might not even be downloaded at this point. so i guess setting my own Authenticator would not be a solution either (at least not if i want to secure my jnlp and my jars, too). quite the contrary, it would have to open another dialog... :-(
    my current solution:*
    for the moment i use jws' default Authenticatior which allows me to easily protect all my stuff on the server side (jnlp, jar, etc). i can live with the two login dialogs at the initial startup. and instead of querying the credentials from jws' default Authenticatior at runtime, i set two system properties for username and password in the (protected) jnlp-file, query them at runtime and hand it to vfs and httpclient. this prevents the 2nd (or 3rd) dialog but is definitely not a great solution. most of all i'm not happy with the fact that this somehow "destroys" the container-based security advantage of easily configuring authorized users via a separate mechanism e.g. tomcat-users.xml. now there has to be one master-password that has to be set in the jnlp-file! grrr!
    a possible alternative:*
    i'm not sure but would it be better to secure everything with form-based authentication on the website, and dynamically generate username and password into the jnlp-file? but what happens when the admin changes the password on the server and the user starts its application via desktop-link??? in case of basic authentication i think jws would popup the login dialog again. however, if i use the old username and password generated into the jnlp it won't work. i think the user then has to access the website again. this is not good at all! :-(
    the only real solution:*
    should i write a small application which can be downloaded by everybody and on startup queries the user's credentials, validates them with the help of our server, and uses the javax.jnlp-api to download the secured JARs of my real application? this seems so much overkill! does anybody have experiences with this approach? how difficult is it to implement the whole download/update stuff with javax.jnlp?
    WHAT HAVE I MISSED???
    AM I COMPLETELY WRONG???
    WHAT IS THE EASIEST WAY???
    AND WHAT IS THE BEST WAY???
    thank you so much,
    stephan

    Not sure, whether I understood correctly, what you wanna do - but up to now I can't see any problem.
    if you have a structure like this:
    /ctxroot/
           launch.jnlp
           /app/
               *.jar
               *.whateveryou may use in your web.xml:
         <servlet>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <servlet-class>jnlp.sample.servlet.JnlpDownloadServlet</servlet-class>
         </servlet>
         <servlet-mapping>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <url-pattern>*.jnlp</url-pattern>
              <url-pattern>/app/*</url-pattern>
         </servlet-mapping>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>Application</web-resource-name>
                   <url-pattern>/app/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>bla</role-name>
                   <role-name>fahsel</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>Subscription</web-resource-name>
                   <url-pattern>*.jnlp</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>whatever-realm</realm-name>
         </login-config>
         <security-role><role-name>bla</role-name></security-role>
         <security-role><role-name>fahsel</role-name></security-role>
    ...Than you may use the Service stuff like:
         BasicService bs = (BasicService)ServiceManager.lookup("javax.jnlp.BasicService");
         URL codeBase = bs.getCodeBase();
         URL pu = new URL(codeBase.toString() + "whatever.bla");
         HttpURLConnection res = (HttpURLConnection) pu.openConnection();
         res.setInstanceFollowRedirects(true);
         res.setRequestMethod("GET");
         res.setConnectTimeout(10 * 60 * 1000);
         res.connect();
         String enc = res.getContentType();
    ...Where is the problem? If you wanna intercept certain "calls" to an app resource, just use a filter, which decides, whether to answer the request directly by itself or to pass it to the JnlpDownloadServlet ...

  • How to call a web service from BPEL that requires HTTP basic authentication

    Hi All,
    I need to calling some Web Services from BPEL (SOA 10.1.3.1 production running on XP machine). The services require HTTP basic authentication.
    I have tried adding httpUsername and httpPassword properties to the ParnterLink, and I see in BPEL Console that they are deployed by checking the descriptor page. But I still get a SOAP fault, HTTP 401: Unathenticated.
    I have also tried using basicHeaders (from memory) = credentials, httpBasicUsername, and httpBasicPassword. Same result.
    I have done a packet trace using Ethereal, and the headers do not seem to contain the userid and password at all.
    Can anyone help?
    Thanks,
    Mark Nelson

    Thanks Bas,
    I have resolved the issue. The provider of the Web Service had not configured if for Basic Authentication. For some reason it worked when they tested, or maybe the did not test. The only thing I had to change was to use:
    <property name="basicHeaders">credentials</property>
    <property name="basicUsername">WMDATA</property>
    <property name="basicPassword">WMDATA</property>
    Instead of:
    <property name="httpUsername">WMDATA</property>
    <property name="httpPassword">WMDATA</property>
    I don’t know why this is, maybe because it is an Axis Web Service.
    Sorry for wasting your time.
    Regards Pete

  • Securing Web Applications by HTTP Basic Authentication

    We are working on providing security for web applications in Webdynpro.We downloaded the material from net regarding this.In that it was mentioned to open the webdynpro project's web.xml file in the Netweaver Developer Studio.In the material,we are asked to click the General  TAb and check "Login Configuration".But there is no such checkbox in our general tab screen.Also many tabs are missing like Context,Resources,mapping,Environment,EJB's,Web objects.How to enable/display these tabs?Is there any means of setting properties in the server to get these tabs?
    regards,
    J.Iswaryal
    K.Brinda

    Hi J.Iswaryal,
    I guess two things based on your post.
    1. You have created one wer service and you want to make secure this web service using HTTP basic authentication.
    2. You have such wweb service and you want to consume this web service lets say in webdynpro application.
    <b>For, point one,</b>
    After creating web service goto webservice perspective in NWDS. there, choose your web service project.
    Now, open Web service configuration file recided in your project.
    Here, go under config1-> security and double click on it.
    It will display security options for this web service.
    Choose transport protocol as HTTP, Authentication mechanism as HTTP authentication and choose Basic radio button.
    Now, save this, rebuild this and deploy on server.
    <b>For point 2,</b>
    Make model for your web service.
    before calling your web service, set your username and password in code as shown below.
    wdContext.current<web service model node>element().modelobject()._setusername(<username>);
    wdContext.current<web service model node>element().modelobject()._setPassword(<password>);
    Rehards,
    Bhavik

  • 11G Modplsql Basic Authentication not working for globally identified database users

    I have a modplsql dad that uses Basic authentication.  When I supply a username and password where the database user is locally defined in the database using the "identified by" syntax the authentication works perfectly and the modplsql app works.  When I try to authenticate a database user that is defined in the database using the "identified globally" syntax authentication fails.  Any idea on how to get modplsql app to work with users identified via OID?
    Thanks,
    Phil

    Hi,
    Before deploying, have you changed:
    Application properties -> Deployment
    Remove the selection from "Auto Generate and Syncronize weblogic-jdc.xml ....."
    Kind Regards

  • Basic authentication not working for portal application

    HI All,
    i have a portal application where I have a servlet. i want to use basic authentication for this servlet.
    to archive this i have followed http://docs.oracle.com/cd/E14571_01/web.1111/b31974/adding_security.htm
    and configured basic authentication, also add web-resource in web.xml for the url to access the servlet.
    my web.xml look like (copied is only security section from web.xml)
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>adfAuthentication</web-resource-name>
          <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <web-resource-collection>
          <web-resource-name>All</web-resource-name>
          <url-pattern>/faces/Auto-connect</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>valid-users</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
      <security-role>
        <role-name>valid-users</role-name>
      </security-role>
    this works when in run the application in JDeveloper i.e. when i try to access http://localhost:7101/MyApp/faces/Auto-connect it ask for basic authentication (the popup) and when i access http://localhost:7101/MyApp/ it takes me to home page for login , but doesn't work when i deploy the application in weblogic 11g.(deployment done using Enterprise Manager console (EM console) (for both URL no popup).
    i tried Google around it but didn't get any solution please provide your input and guide me.
    thanks
    -somesh

    Hi,
    Before deploying, have you changed:
    Application properties -> Deployment
    Remove the selection from "Auto Generate and Syncronize weblogic-jdc.xml ....."
    Kind Regards

  • Weblogic security authentication; question to interact with the realm

    Hi, I have a quick question about weblogic security authentication....
    We are using weblogic 81sp3. We have user-group info in an Novell eDirectory LDAP server.
    Currently, a Novell Authenticator provider is configured under : Security > Realms > myRealm > Providers > Authentication This tells Weblogic from where to get the user and groups. Weblogic caches this information of the logged on users for certain time ( example : 60 secs ) after which it cleans the cache for all inactive users. We want to interact with the Weblogic cache. Add more user profile information to this cache and use it in our application .
    Does somebody know how to programmatically interact with Weblogic user-group cache - read , write , update and delete user-group info in cache and control time to live for the cache ?

    already checked
    TTLCache class which weblogic provides. But they seem to depracetd it
    help ?

Maybe you are looking for