Basic auth interop problem, servlet WS works, EJB WS not (Sun AS 8)

After spending some time I managed to add HTTP basic auth to a simple web service. I have implemented two variants, a JAX-RPC servlet web service and an EJB web service.
A (Sun) JAX-RPC client works pretty well against both web services. I do the required steps with the stub (set user/pwd) and things work. I do get the correct principal on the server side, fine.
When I do NOT set the authentication properties at the stub, the servlet based WS responds something like HTTP error 403 (?) or so, which leads to "authentication required". The EJB based response is not that adequate, it's something like "internal server error, EJBLocalAccessException or so" but from the given message you could get the idea what's wrong.
Anyway, I got the impression that this stuff
return HTTP error to flag "auth required"
is not happening for some reason in my EJB based web service. I found this problem in Sun AS 8 and I think it's the same problem when I test stuff with Oracle's OC4J ...
Some client implementations obviously have problems getting the idea that user authentication is required. In other words, the clients cannot invoke the EJB WS. I tried it with Perl SOAP::Lite, MS SOAP Toolkit 3.0 and MS .Net 1.1 stuff. All these clients work well (with authentication) when I consume the servlet based web service. But the EJB based web service is not working at all. I do get there just "not allowed" and the SOAP client runtime is not handing over any user credentials (because it's obviously not correctly asked for it by an appropriate AS response).
Anyone else experienced these problems with EJB WS???
Interesting question: why is the JAX-RPC client working? Is it sending the properties set at the stub in any case? Or do they "handle" the internal error coming from Sun AS explicitly or so? Strange, in a way. :-)
Thanx for any help here!
Merten

I guess the reason was that I wrote
<login-config>
  <auth-method>Basic</auth-method>
</login-config>
instead of the required
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
At deploy time, I got no error message. At usage time, I just got this AccessLocalException. That's not really nice ...
Merten
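
A pre-deployment check for the mistake described in the post above, as an added example that is not part of the original thread: it flags any `<auth-method>` whose value differs from a standard one only in case. The descriptor fragments, the `web-app` wrapper and the function names are constructed for illustration.

```python
# Added example (not from the thread): lint deployment descriptors for
# <auth-method> values that are not one of the standard, upper-case names.
import xml.etree.ElementTree as ET

# Values defined for <auth-method> in the servlet deployment descriptor.
STANDARD_AUTH_METHODS = ("BASIC", "DIGEST", "FORM", "CLIENT-CERT")


def local_name(tag):
    """Drop any '{namespace}' prefix so J2EE, Java EE and vendor files all match."""
    return tag.rsplit("}", 1)[-1]


def lint_descriptor(xml_text, filename="<descriptor>"):
    """Return a list of (severity, message) findings for one descriptor."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("ERROR", f"{filename}: not well-formed XML: {exc}")]

    findings = []
    for node in root.iter():
        if local_name(node.tag) != "auth-method":
            continue
        value = (node.text or "").strip()
        if value in STANDARD_AUTH_METHODS:
            continue
        if value.upper() in STANDARD_AUTH_METHODS:
            # The case from the thread: accepted at deploy time, but the
            # endpoint then fails instead of challenging for credentials.
            findings.append((
                "ERROR",
                f"{filename}: auth-method '{value}' differs from "
                f"'{value.upper()}' only in case",
            ))
        else:
            # Could be a vendor-specific scheme or a typo; needs a human look.
            findings.append((
                "WARN",
                f"{filename}: auth-method '{value}' is not a standard value",
            ))
    return findings


def has_errors(findings):
    """True when a build should fail on these findings."""
    return any(severity == "ERROR" for severity, _ in findings)


# Constructed sample descriptors (the login-config bodies mirror the post).
BROKEN = """<web-app>
  <login-config>
    <auth-method>Basic</auth-method>
  </login-config>
</web-app>"""

FIXED = BROKEN.replace("Basic", "BASIC")

UNKNOWN = BROKEN.replace("Basic", "TOKEN")

if __name__ == "__main__":
    for name, text in (("broken.xml", BROKEN), ("fixed.xml", FIXED),
                       ("unknown.xml", UNKNOWN)):
        for severity, message in lint_descriptor(text, name):
            print(severity, message)
```

Run it over every descriptor in the archive as part of the build, since the container in the thread reported nothing at deploy time.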

Similar Messages

  • Form auth problem? action work but link not work??

    Hi all,
    I try to use form auth to secure my site, but I have problem at
    my login page is point to formlogin servlet , I use
    getServletContext().getRequestDispatcher
    ("/secure/search2.html");to sdirect all correct login action to my sequences.html file and have group of action, jump to other page,this step work fine. but the problem my search1 file also on my secure folder , when I click the search1 link it jump to login page. what is wrong ?? is because I have
    <url-pattern>/secure/*</url-pattern>in my web xml page? or other problems?
    how to deal with it ? by the way I have some duck dollars left , but i can't use it , why??
    and how to deal

    Julio,
    Good point. Exactly why I recommend not to use referenced code. libraries are the only way to go when sharing forms code. Just to many headaches when using referenced code.
    Just my 2c.
    --pat

  • Apache bridge & Basic Auth does not work

     

    The WebLogic newsgroups are not the appropriate place to file product defect
    reports.
    I suggest that you file a bug report with our support organization. Be sure
    to include a complete test case. They will also need information from
    you -- please review our external support procedures:
    http://www.beasys.com/support/index.html
    Thanks,
    Michael
    Michael Girdley
    Product Manager, WebLogic Server & Express
    BEA Systems Inc
    Jaroslav Mechacek <[email protected]> wrote in message
    news:[email protected]..
    >
    I tried mod_wl with apache 1.3.12 ( mod_ssl / openssl ) ,
    but the basic auth does not work.
    When apache starts it complains that mod_wl uses plain apache api
    Tue May 16 17:29:54 2000] [warn] Loaded DSO libexec/mod_wl.so uses plain
    Apache 1.3 API, this module might crash under EAPI! (please recompile it
    with -DEAPI)
    When I request protected page, apache returns both
    HTTP/1.1 200 OK , HTTP/1.1 401 Unauthorized
    what apache / ssl configurations are known to work ?
    Escape character is '^]'.
    GET /file/index.html HTTP1.0
    HTTP/1.1 200 OK
    Date: Tue, 16 May 2000 14:47:01 GMT
    Server: Apache/1.3.12 (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5a
    HTTP/1.1 401 Unauthorized xxx:
    www-authenticate: Basic realm="WebLogic Server"
    content-length: 23
    content-type: text/html
    connection: Close
    No credentials supplied

  • Basic auth in proxy server breaks managed server form auth

    Hi,
    I have a proxy server configured in front of 2 managed servers.
    The managed servers have secure pages and are using form auth and the
    proxy server is working properly. In other words, I point my browser
    at the proxy and I end up being services by one of the managed servers.
    If I attempt to access a secure page via the proxy I am sent to the form
    login page via the proxy.
    Now for the problem:
    If I configure the proxy server to use basic auth, and secure all
    pages in the proxy, I must provide my userid/password to the proxy
    server (this is working fine) before I can get to one of the managed
    servers. I can get to the welcome page of the managed server (which is
    not secure) There is a link to a secure page on the welcome page. When
    I click on the link to the secure page, I am sent to the form auth by
    the managed server. I authenticate, but I can never see the secure
    page. I end up being redirected to the form login page endlessly.
    Both the proxy server and the managed server are usign the default
    JSESSIONID.
    Here is a section of the web.xml for the proxy server:
    <servlet>
    <servlet-name>HttpClusterServlet</servlet-name>
    <servlet-class>weblogic.servlet.proxy.HttpClusterServlet</servlet-class>
    <init-param>
    <param-name>WebLogicCluster</param-name>
    <param-value>${ProxyConfig}</param-value>
    </init-param>
    <init-param>
    <param-name>SecureProxy</param-name>
    <param-value>ON</param-value>
    </init-param>
    <init-param>
    <param-name>Debug</param-name>
    <param-value>ON</param-value>
    </init-param>
    <init-param>
    <param-name>DebugConfigInfo</param-name>
    <param-value>ON</param-value>
    </init-param>
    <init-param>
    <param-name>CookieName</param-name>
    <param-value>JSESSIONID</param-value>
    </init-param>
    <init-param>
    <param-name>CookieName</param-name>
    <param-value>wlauthcookie_</param-value>
    </init-param>
    </servlet>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>gcmgui/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>applauncher/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>ssoadmin/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>default/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>domainadmin/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>gsc/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>psr/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>broadcastclient/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>HttpClusterServlet</servlet-name>
    <url-pattern>nra/*</url-pattern>
    </servlet-mapping>
    Here is the proxy debug:
    <Fri Jul 11 14:40:07 EDT 2003>: ===New Request===GET /applauncher/jsp/AppLauncher.jsp HTTP/1.1
    <Fri Jul 11 14:40:07 EDT 2003>: Found cookie: Sf4VoFtpQwG]dTNEh9Yq
    <Fri Jul 11 14:40:07 EDT 2003>: #### Trying to connect with server -213061352!10.68.10.87!1080!10443
    <Fri Jul 11 14:40:07 EDT 2003>: Remove idle for '30' secs: ProxyConnection(isSecureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
    <Fri Jul 11 14:40:07 EDT 2003>: Create connection: ProxyConnection(isSecureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
    <Fri Jul 11 14:40:07 EDT 2003>: In-bound headers:
    <Fri Jul 11 14:40:07 EDT 2003>: Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
    <Fri Jul 11 14:40:07 EDT 2003>: Accept-Language: en-us
    <Fri Jul 11 14:40:07 EDT 2003>: Accept-Encoding: gzip, deflate
    <Fri Jul 11 14:40:07 EDT 2003>: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; H010818)
    <Fri Jul 11 14:40:07 EDT 2003>: Host: localhost:18002
    <Fri Jul 11 14:40:07 EDT 2003>: Connection: Keep-Alive
    <Fri Jul 11 14:40:07 EDT 2003>: Cookie: JSESSIONID=1PEosMJQ9ZJrewjj1t5nZfNtYe1e5pWYbjyBGvZ1ExEY8YoueKTG!-213061352!NONE; wlauthcookie_=Sf4VoFtpQwG]dTNEh9Yq
    <Fri Jul 11 14:40:07 EDT 2003>: Authorization: Basic cmFwcGVsYmE6b3V0Mmx1bmNo
    <Fri Jul 11 14:40:07 EDT 2003>: HTTP/1.1 302 Moved Temporarily
    <Fri Jul 11 14:40:07 EDT 2003>: Out-bound headers:
    <Fri Jul 11 14:40:07 EDT 2003>: Date: Fri, 11 Jul 2003 18:40:07 GMT
    <Fri Jul 11 14:40:07 EDT 2003>: Location: https://localhost:18002/applauncher/unrestricted/jsp/FormLogin.jsp
    <Fri Jul 11 14:40:07 EDT 2003>: Server: WebLogic WebLogic Server 8.1 Thu Mar 20 23:06:05 PST 2003 246620
    <Fri Jul 11 14:40:07 EDT 2003>: Transfer-Encoding: Chunked
    <Fri Jul 11 14:40:07 EDT 2003>: ===New Request===GET /applauncher/unrestricted/jsp/FormLogin.jsp HTTP/1.1
    <Fri Jul 11 14:40:07 EDT 2003>: Found cookie: UZ]OrXsBP6uEEa[0veSz
    <Fri Jul 11 14:40:07 EDT 2003>: Request successfully processed
    <Fri Jul 11 14:40:07 EDT 2003>: #### Trying to connect with server -213061352!10.68.10.87!1080!10443
    <Fri Jul 11 14:40:07 EDT 2003>: Requeue connection: ProxyConnection(isSecureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
    <Fri Jul 11 14:40:07 EDT 2003>: Recycle connection: ProxyConnection(isSecureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
    <Fri Jul 11 14:40:07 EDT 2003>: Request successfully processed
    <Fri Jul 11 14:40:07 EDT 2003>: In-bound headers:
    <Fri Jul 11 14:40:07 EDT 2003>: Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
    <Fri Jul 11 14:40:07 EDT 2003>: Accept-Language: en-us
    <Fri Jul 11 14:40:07 EDT 2003>: Accept-Encoding: gzip, deflate
    <Fri Jul 11 14:40:07 EDT 2003>: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; H010818)
    <Fri Jul 11 14:40:08 EDT 2003>: Host: localhost:18002
    <Fri Jul 11 14:40:08 EDT 2003>: Connection: Keep-Alive
    <Fri Jul 11 14:40:08 EDT 2003>: Authorization: Basic cmFwcGVsYmE6b3V0Mmx1bmNo
    <Fri Jul 11 14:40:08 EDT 2003>: Cookie: JSESSIONID=1PEHvo1gQIbwOMuVsU9pJnnvlGBSP74ZUcSHwazE7domCL8UlVA2!-937872307; wlauthcookie_=UZ]OrXsBP6uEEa[0veSz
    <Fri Jul 11 14:40:08 EDT 2003>: HTTP/1.1 200 OK
    <Fri Jul 11 14:40:08 EDT 2003>: Out-bound headers:
    <Fri Jul 11 14:40:08 EDT 2003>: Date: Fri, 11 Jul 2003 18:40:08 GMT
    <Fri Jul 11 14:40:08 EDT 2003>: Server: WebLogic WebLogic Server 8.1 Thu Mar 20 23:06:05 PST 2003 246620
    <Fri Jul 11 14:40:08 EDT 2003>: Content-Length: 4238
    <Fri Jul 11 14:40:08 EDT 2003>: Set-Cookie: JSESSIONID=1PEIxJ21oT5H3Z2ilQjPqpq1VkdOhEnNbbz9wviTtTTZj6IBp29b!-213061352!NONE; path=/
    <Fri Jul 11 14:40:08 EDT 2003>: Request successfully processed
    <Fri Jul 11 14:40:08 EDT 2003>: Requeue connection: ProxyConnection(isSecureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
    <Fri Jul 11 14:40:08 EDT 2003>: Request successfully processed
    <Fri Jul 11 14:40:44 EDT 2003>: Trigger remove idle for '35' secs: ProxyConnection(isSecureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
    Thanks,
    Rob


  • Dynamic proxy invokes basic auth web service

    My dynamic proxy client works fine with any web service except the basic auth secured one.
    I know how to use stub client to work around this issue. But I haven't found a way to get around when dynamic proxy clients are used.
    Any idea is appreciated. Thanks

    Paula-
    Given that you can work around this issue with the stub client,
    you should be able to work around the issue in the dynamic proxy client
    in the same way-
    I am interested that you say workaround the issue with the stub client.
    Is there a problem that you have noted?
    If you can let me know how you worked this issue with the stub,
    and what problems you have specifically had with the dynamic proxy client
    I will look at the issue to see if it is a bug.
    Please let me know what environment you are working in, the version of jaxrpc 1.x,
    what container, jdk or jre and a sample client program that would help me understand
    the problem.
    Thanks,
    Kathy

  • Basic auth with RESTful WEb service and Web Service reference

    Hi, All,
    We have made much progress on getting an application working with RESTful web services but now are trying to figure out how to lock down a RESTful Web service while making it available for a particular application.
    We are using one of the sample 'emp' table web services that come with Apex 4.2 and are trying to apply Basic Auth to the Web Service via Weblogic filter defined in the web.xml file. That works fine. I now get challenged when I try to go to:
    https://wlogic.edu/apex/bnr/ace/hr/empinfo/
    And when I authenticate to that challenge I am able to get the data. (We are using LDAP authentication at the Weblogic level.)
    However, I am not sure how to get same basic authentication to work with the Web Service reference in my application. I see the error message in the application when I try to call that Web Service:
    401--Unauthorized
    And I see:
    "The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials"
    How do I provide the credentials in the Web Reference or do I provide credentials in the Application?
    Web service works fine if I remove the RESTful web service basic auth from the web.xml file.
    Should we NOT use Weblogic basic auth and instead use basic auth from Workspace RESTful web service definition? If so, how do we implement THAT basic auth in the Web Service definition and in the Web Service Reference on the application?
    Thanks,
    Pat

    What I mean is did you try to use the PL/SQL package for APEX webservice. Here is an example I use (modified and shortened, just to show how much better this is than to use it from the application).
    CREATE OR REPLACE PACKAGE webservice_pkg
    IS
       PROCEDURE create_webservice (
          p_id            IN       NUMBER,
          p_message       OUT      VARCHAR2,
          p_workspace     IN       VARCHAR2 DEFAULT 'MY_WORKSPACE',
          p_app_id        IN       NUMBER DEFAULT v ('APP_ID'),
          p_app_session   IN       VARCHAR2 DEFAULT v ('SESSION'),
          p_app_user      IN       VARCHAR2 DEFAULT v ('APP_USER')
       );
    END webservice_pkg;
    /
    CREATE OR REPLACE PACKAGE BODY webservice_pkg
    IS
       -- Establish the APEX workspace/session context needed outside a page request.
       PROCEDURE set_credentials (
          p_workspace     IN   VARCHAR2,
          p_app_id        IN   NUMBER,
          p_app_session   IN   VARCHAR2,
          p_app_user      IN   VARCHAR2
       )
       IS
          v_workspace_id   NUMBER;
       BEGIN
          SELECT workspace_id
            INTO v_workspace_id
            FROM apex_workspaces
           WHERE workspace = p_workspace;
          apex_util.set_security_group_id (v_workspace_id);
          apex_application.g_flow_id := p_app_id;
          apex_application.g_instance := p_app_session;
          apex_application.g_user := p_app_user;
       END set_credentials;
       PROCEDURE create_webservice (
          p_id            IN       NUMBER,
          p_message       OUT      VARCHAR2,
          p_workspace     IN       VARCHAR2 DEFAULT 'MY_WORKSPACE',
          p_app_id        IN       NUMBER DEFAULT v ('APP_ID'),
          p_app_session   IN       VARCHAR2 DEFAULT v ('SESSION'),
          p_app_user      IN       VARCHAR2 DEFAULT v ('APP_USER')
       )
       IS
          v_envelope          VARCHAR2 (32000);
          v_server            VARCHAR2 (400);
          v_url               VARCHAR2 (4000);
          v_result_url        VARCHAR2 (1000);
          v_collection_name   VARCHAR2 (40)    := 'PDF_CARD';
          v_message           VARCHAR2 (4000);
          v_xmltype001        XMLTYPE;
       BEGIN
          v_url := v_server || '.myserver.net/services/VisitCardCreator?wsdl';
          -- Build the SOAP envelope (shortened in this post).
          FOR c IN (SELECT *
                      FROM DUAL)
          LOOP
             v_envelope :=
                   '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
                || 'xmlns:bran="http://www.myaddress.com">'
                || CHR (10)
                || '<soapenv:Header/><soapenv:Body>'
                || CHR (10)
                || '<parameter:'
                || 'some_value'
                || '>'
                || CHR (10)
                || '<bran:templateID>'
                || p_id
                || '</bran:templateID>'
                || '</soapenv:Body>'
                || CHR (10)
                || '</soapenv:Envelope>';
          END LOOP;
          set_credentials (p_workspace, p_app_id, p_app_session, p_app_user);
          BEGIN
             -- The response is stored in the named collection.
             -- make_request also accepts p_username and p_password for HTTP Basic auth.
             apex_web_service.make_request
                                         (p_url                  => v_url,
                                          p_collection_name      => v_collection_name,
                                          p_envelope             => v_envelope
                                         );
             p_message := 'Some message.';
          EXCEPTION
             WHEN OTHERS
             THEN
                v_message :=
                      v_message
                   || '</br>'
                   || 'Error running Webservice Request. '
                   || SQLERRM;
          END;
          BEGIN
             -- Read the response back out of the collection.
             SELECT    v_result_url
                    || EXTRACTVALUE (VALUE (t),
                                     '/*/' || 'Return',
                                     'xmlns="http://www.myaddress.com"'
                                    ),
                    xmltype001
               INTO v_result_url,
                    v_xmltype001
               FROM wwv_flow_collections c,
                    TABLE
                        (XMLSEQUENCE (EXTRACT (c.xmltype001,
                                               '//' || 'Response',
                                               'xmlns="http://www.myaddress.com"'
                                              )
                                     )
                        ) t
              WHERE c.collection_name = v_collection_name;
          EXCEPTION
             WHEN OTHERS
             THEN
                v_message := v_message || '</br>' || 'Error reading Collection.';
          END;
       EXCEPTION
          WHEN OTHERS
          THEN
             p_message := v_message || '</br>' || SQLERRM;
       END create_webservice;
    END webservice_pkg;
    /
    If you use it this way, you will find out what the problem is much faster.
    Denes Kubicek
    http://deneskubicek.blogspot.com/
    http://www.apress.com/9781430235125
    http://apex.oracle.com/pls/apex/f?p=31517:1
    http://www.amazon.de/Oracle-APEX-XE-Praxis/dp/3826655494

  • HTTP Basic Auth and Proxy Auth

    Hi,
    I have a problem with the authentication against a proxy server and against a content provider. At first I have to authenticate against the proxy to get "free internet". The next step is to authenticate against the content provider to get a html or xml file.
    The following source code runs very well in Eclipse, i.e. as JUnitTest. But if I execute the same code within a weblogic server, I will get an error (not authenticated). I believe I get this message from the content provider and not from the proxy because if I test this code within the weblogic server and with no authentication (i.e. google needs no authentication), I will get a valid xml/html file.
    // Needs java.io.*, java.net.* and a Base64 class with encodeBase64(byte[])
    // (the call matches Apache Commons Codec's org.apache.commons.codec.binary.Base64).
    StringBuffer sb = new StringBuffer();
    SimpleAuthenticator simple = new SimpleAuthenticator("joeuser", "a.b.C.D"); // from openbook
    Authenticator.setDefault(simple);
    String strUrl = "http://www.rahul.net/joeuser/";
    URL url = null;
    try {
        url = new URL(strUrl);
    } catch (MalformedURLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    URLConnection conn = null;
    InetSocketAddress addr = new InetSocketAddress("proxy.domain", 8080);
    Proxy proxy = new Proxy(Proxy.Type.HTTP, addr);
    try {
        conn = url.openConnection(proxy);
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    // Credentials for the proxy are sent up front in Proxy-Authorization
    String proxyStr = "username" + ":" + "passwordl";
    String encoded = new String(Base64.encodeBase64(proxyStr.getBytes()));
    conn.setRequestProperty("Proxy-Authorization", "Basic " + encoded);
    // get http status code which is located in header field 0
    String status = conn.getHeaderField(0);
    if (status != null && status.contains("200")) {
        BufferedReader in = null;
        try {
            in = new BufferedReader(new InputStreamReader(conn.getInputStream(),
                    "ISO-8859-1"));
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                sb.append(inputLine);
            }
            in.close();
        } catch (UnsupportedEncodingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    } else {
        System.out.println("Error");
    }
    System.out.println(sb.toString());

    // Supplies the content provider's credentials when the server challenges
    public class SimpleAuthenticator extends Authenticator {
        private String username, password;

        public SimpleAuthenticator(String username, String password) {
            this.username = username;
            this.password = password;
        }

        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(username, password.toCharArray());
        }
    }
    Does somebody know a solution? I need the authentication against proxy and content provider in "one application".
    Thank you very much,
    André

    I typically have used Apache Commons HttpClient for anything but trivial URL connections, and especially when combining both basic auth and proxy auth. When you use it, be aware of the "preemptive authentication" flag. One server I worked with didn't send the correct parameters back on particular requests, so I had to turn on this flag to get it to work.
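
The difference between challenge-driven and preemptive Basic auth that the reply above refers to, and that explains the first thread's EJB endpoint, shown as an added example that is not code from any poster. The loopback server, its `/servlet` and `/ejb` paths (one answers 401 with `WWW-Authenticate`, the other answers 500 with no challenge) and the credentials are constructed assumptions.

```python
# Added example: why a client that waits for a 401 challenge fails against an
# endpoint that reports "auth required" as a plain error, while a client that
# sends the Authorization header preemptively succeeds.
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "demo-user", "demo-pass"  # constructed credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


class Endpoint(BaseHTTPRequestHandler):
    """/servlet challenges correctly; /ejb fails without a challenge."""

    def do_GET(self):
        supplied = self.headers.get("Authorization", "")
        if hmac.compare_digest(supplied.encode(), EXPECTED.encode()):
            self._reply(200, b"principal=" + USER.encode())
        elif self.path.startswith("/servlet"):
            self._reply(401, b"authentication required",
                        {"WWW-Authenticate": 'Basic realm="demo"'})
        else:
            # No WWW-Authenticate header: the client is never asked to log in.
            self._reply(500, b"internal server error")

    def _reply(self, status, body, extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _status(opener, request):
    try:
        with opener.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def challenge_driven(url):
    """Send credentials only after the server answers 401 + WWW-Authenticate."""
    manager = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    manager.add_password(None, url, USER, PASSWORD)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # ignore proxy environment variables
        urllib.request.HTTPBasicAuthHandler(manager))
    return _status(opener, urllib.request.Request(url))


def preemptive(url):
    """Send the Authorization header on the first request, unasked."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    request = urllib.request.Request(url, headers={"Authorization": EXPECTED})
    return _status(opener, request)


def run_demo():
    """Return {(client, path): HTTP status} for both clients and endpoints."""
    server = HTTPServer(("127.0.0.1", 0), Endpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {
            (client.__name__, path): client(base + path)
            for client in (challenge_driven, preemptive)
            for path in ("/servlet", "/ejb")
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, status in run_demo().items():
        print(key, status)
```

Preemptive mode sends the password with every request whether or not the server asked for it, so it belongs on TLS connections to a known host.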

  • Basic auth and MSIE

    Hi,
    I'm using basic auth and used to send username/password with
    the URL to authenticate from another webserver (with some other
    kind of authentication), but - as you know - Microsoft doesn't
    support that any longer and so this works for some other
    webclients but not for IE (or only with a patch, that isn't installed
    everywhere).
    Now I have seen that for Apache there is a module called
    mod_auth_cookie to fake that kind of implicit authentication.
    My Question: has anybody done this for SJWS or can't that
    be done?
    TIA
    Reinfried

    Hi,
    Please check the below link
    Re: Accessing Portal component without login screen
    Hope it solves your problem.
    Raghu

  • OAM - Basic Auth dialog continues to show despite config.xml changes

    I have set enforce-valid-basic-auth-credentials to false in config.xml of the application domain I am running some apps from.
    The applications are all configured for BASIC authentication.
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
    </login-config>
    The problem is that after logging on from the OAM default FORM page the Basic Authentication dialog is still being presented.
    I have referenced the following SRs to try to find more info:
    OIM/OAM SSO Weblogic Authentication Pop up After Login [ID 1081011.1]
    OAM Configuration Steps Needed to Prevent a Second Authentication Prompt by Weblogic [ID 559442.1]

    The issue has been resolved.  There was no interesting work-a-round or fix involved.

  • Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

    Hello all,
    I am trying to build a very simple JavaEE application with JAAS, but I am getting mad.
    I have an EAR packed with a WAR module, an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is being used.
    First of all, I configured the "login-config.xml" file within /conf directory in JBoss, like this:
    <application-policy name="exemplo1">
         <authentication>
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                   <module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
                   <module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
                   <module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
              </login-module>
         </authentication>
    </application-policy>
    Next I configured the "web.xml" file like this:
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Restricted</web-resource-name>
              <description>Declarative security tests</description>
              <url-pattern>*.do</url-pattern>
         </web-resource-collection>
         <auth-constraint>
              <role-name>xxx</role-name>
         </auth-constraint>
         <user-data-constraint>
              <description>no description</description>
              <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <login-config>
         <auth-method>FORM</auth-method>
         <realm-name>exemplo1</realm-name>
         <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/loginErro.jsp</form-error-page>
         </form-login-config>
    </login-config>
    <security-role>
         <description>Role xxx</description>
         <role-name>xxx</role-name>
    </security-role>
    Notice that I am using the "xxx" role to protect the "*.do" URL pattern.
    The "jboss-web.xml" is like this:
    <?xml version="1.0"?>
    <jboss-web>
         <security-domain>java:/jaas/exemplo1</security-domain>
    </jboss-web>
    As it is, it works perfectly, which means, every time I try to access a "*.do" URL it verifies whether I am authenticated and have authorization or not. If not, the login page shows up.
    Now I want to be able to also protect my EJBs.
    My Stateless Session Bean is implemented as follow:
    @RolesAllowed("yyy")
    @Stateless(name="UserManagement")
    public class UserManagementBean implements UserManagement {
         public void add(User user) {
         }
    }
    When I run all this, the container simply ignores the @RolesAllowed("yyy") annotation and allows the EJB execution.
    If I add the "jboss.xml" file, like this:
    <?xml version="1.0"?>
    <jboss>
         <security-domain>java:/jaas/exemplo1</security-domain>
    </jboss>
    I start getting this stack trace:
    ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
    java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
    Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml" ???
    Thanks
    Daniel

    Using @SecurityDomain("exemplo1") in my EJB and NOT providing jboss.xml, it works.
    @SecurityDomain("exemplo1")
    @RolesAllowed("yyy")
    @Stateless(name="UserManagement")
    public class UserManagementBean implements UserManagement {
      public void add(User user) {
      }
    }
    Damn! This is some serious shit... I don't want to configure this in every single EJB.
    EJB 3.0 is nice, but some small trivial details like this and others, that were forgotten by Sun, piss me off!

  • Problem with Dynamically accessing EJB Class objects in WL 7.0 SP1

    I am trying to build a component which has the ability to instantiate and execute
    a known EJB method on the fly.
    I have managed to build the component but when I try and execute it I get a ClassNotFoundException.
    I know that the EJB I am trying to invoke is deployed and available on the server,
    as I can see it in the console, I also seem to have been able to get the remote
    interface of the object, my problem occurs when I try and access the class object
    so I can perform a create on the object and then execute my method
    The code I have written is below:
    private Object getRemoteObject(Context pCtx, String pJNDIName, String pHomeBean)
            throws Exception {
        String homeCreate = "create";
        Class[] homeCreateParam = {};
        Object[] homeCreateParamValues = {};
        try {
            // This call seems to work and doesn't throw an exception
            Object home = pCtx.lookup(pJNDIName);
            // However this call throws a java.lang.ClassNotFoundException
            Class homeBean = Class.forName(pHomeBean);
            Method homeCreateMethod = homeBean.getMethod(homeCreate, homeCreateParam);
            return homeCreateMethod.invoke(home, homeCreateParamValues);
        } catch (NamingException ne) {
            logStandardErrorMessage("The client was unable to lookup the EJBHome. Please make sure ");
            logStandardErrorMessage("that you have deployed the ejb with the JNDI name " + pJNDIName + " on the WebLogic server ");
            throw ne;
        } catch (Exception e) {
            logStandardErrorMessage(e.toString());
            throw e;
        }
    }
    Any advice would be really appreciated, I'm fast running out of ideas, I suspect
    it has something to do with the class loader but I'm not sure how to resolve it
    Regards
    Jo Corless

    Hello Joanne,
    Congratulations! I'm very happy that you've managed to fix your problem. It's
    always essential to understand how to package applications when deploying on BEA
    WebLogic. Usually, throwing everything into an EAR file solves just about all
    the class loader problems. :-) Let us know if you have any further problems that
    we can assist you with.
    Best regards,
    Ryan LeCompte
    [email protected]
    http://www.louisiana.edu/~rml7669
    "Joanne Corless" <[email protected]> wrote:
    >
    I've fixed it!!!!!!!!
    Thanks to everyone who gave me help!!!!
    The class loader was the culprit which is what I suspected all along. As soon
    as I put the 2 jar files I was using into an EAR file the problem went away!!!!!
    Thanks again
    Jo Corless
    "Ryan LeCompte" <[email protected]> wrote:
    Hello Joanne,
    As Mr. Woollen mentioned, I also believe it's a problem with the class loader.
    You need to be careful how you arrange your EJBs, because WebLogic has a specific
    method in which it loads classes in an EAR, JAR, and WAR file(s). Please refer
    to http://dev2dev.bea.com/articles/musser.jsp for more information about BEA WebLogic
    class loading mechanisms and caveats. Also, try printing out the various methods
    that are available on the object that was returned to you via reflection. For
    example, use the getMethods() method, which returns an array of Method objects
    that you can subsequently cycle through and print out the various method names.
    This way you can discover if the class found/returned to you is indeed the one
    you intend to locate.
    Hope this helps,
    Ryan LeCompte
    [email protected]
    http://www.louisiana.edu/~rml7669
    Rob Woollen <[email protected]> wrote:
    I believe the issue is the home interface class for this EJB is not
    available in the class loader which is doing the reflection.
    If you do:
    getClass().getClassLoader().loadClass(homeInterfaceClassName)
    I suspect it will fail. Reflection still requires that the class be loadable.
    -- Rob
    Joanne Corless wrote:
    Hi Slava,
    If I make my code look like you describe below I get a compilation error telling
    me that home.getMethod() is not recognised (no such method)
    If I change it slightly and use
    Method homeCreateMethod = home.getClass().getMethod(homeCreate,homeCreateParam);
    The code will compile OK but when executed it still throws a NoSuchMethodException
    Any ideas ?
    Thanks for your help so far
    Regards
    Jo Corless
    Your code should look like
    Object home = pCtx.lookup(pJNDIName);
    Method homeCreateMethod = home.getMethod(homeCreate,homeCreateParam);
    return homeCreateMethod.invoke(home, homeCreateParamValues);
    Regards,
    Slava Imeshev
    "Joanne Corless" <[email protected]> wrote in message
    news:[email protected]...
    Hi Ryan,
    I also wanted to mention that if you do a "header search" in this particular newsgroup
    with the search query as "reflection", you will see many previous messages regarding
    reflection and EJBs. I believe you could learn a lot from the difficulties that
    others have faced and solved.
    I tried that and although there was a number of similar cases none of them actually
    seem to fix my issue. Thanks for the suggestion though
    Are the EJBs that you are trying to access accessible via your system classpath?
    Try to avoid having them accessible via the main system classpath, and only bundle
    them in your appropriate EJB jar files (contained in an EAR file, for example).
    Maybe I should have laid the problem out a little clearer.
    I have a number of EJB's bundled up in a JAR file which is hot deployed to the
    server. Within this first JAR file is an EJB (SSB) component that needs to be
    able to invoke a known method on another EJB. This second EJB may or may not be
    within the first JAR file but it also will be hot deployed.
    The component trying to invoke the method on the 2nd EJB has to be able to create
    an instance of the 2nd EJB without actually knowing anything bar a JNDI Name which
    is passed in at runtime.
    I can get as far as doing the
    Object home = pCtx.lookup(pJNDIName);
    This returned a class with the name
    "com.csc.edc.projects.allders.httppostoffice.postman.PostmanBean_mp8qy2_HomeImpl_WLStub"
    My problem seems to occur when I try and invoke the create method
    Method homeCreate = home.getClass().getMethod("create", new Class[0]);
    My code throws a java.lang.NoSuchMethodException at this point so I am unable
    to progress to the next step of :
    Object bean = homeCreate.invoke(home, null);
    So I can return the instantiated bean back to the calling client.
    Why am I getting the NoSuchMethodException, is it because I am getting a stub
    back rather than the home interface and if so how do I get the true home interface
    from the bean
    Thanks in advance
    Jo Corless

  • Basic authentication with sendRedirect doesn't work

    Hello from the school of hard knocks:
    Following is my web.xml file. It doesn't ask for a username/password but instead gives a "Page not found 404" error. Behind the scenes the unauthorized page is being accessed via sendRedirect(). If I take out the unauthorized page URL in the web.xml and use in-page authentication (see code below), then the browser prompts 3 times and gives the access anyway!!! This is absolutely ridiculous for Tomcat 4.1.29. Can anyone help me out?
    <code to force authentication in page gleaned from a thread in this forum >
    response.setStatus(response.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "BASIC realm=\"tomcat\"");
    <web.xml as prescribed by Martin Bond and Debbie Law in Tomcat - KickStart -- should have been kick in the ass >
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
    <servlet>
    <servlet-name>CewolfServlet</servlet-name>
    <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>CewolfServlet</servlet-name>
    <url-pattern>/cewolf/*</url-pattern>
    </servlet-mapping>
    <error-page>
    <error-code>401</error-code>
    <location>/trnkxref/*</location>
    </error-page>
    <security-constraint>
    <display-name> Web App Access Control - Administrators </display-name>
    <web-resource-collection>
    <web-resource-name> Administration </web-resource-name>
    <url-pattern>/trnkxref/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name> administrator </role-name>
    <role-name> patron </role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee> NONE </transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method> BASIC </auth-method>
    <realm-name>tomcat </realm-name>
    </login-config>
    </web-app>

    Found this in the logs. What does it mean? tomcat-users.xml appended below. Has anyone been reading this lameass thread?
    WARNING: Security role name patron used in
    an <auth-constraint> without being defined in a <security-role>
    tomcat-users.xml:
    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
    <role rolename="patron"/>
    <role rolename="administrator"/>
    <role rolename="manager"/>
    <user username="ldp" password="hello" roles="administrator,patron"/>
    </tomcat-users>
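
    A corrected form of the web.xml from the post above, as an added example that is not the poster's or Tomcat's own file. It declares the roles named in the log warning and leaves out the 401 `<error-page>`, whose `<location>` must be the path of a single resource rather than a URL pattern; the `CONFIDENTIAL` setting assumes an HTTPS connector is configured, and `/errors/401.html` is a hypothetical path.

    ```xml
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
      <servlet>
        <servlet-name>CewolfServlet</servlet-name>
        <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>CewolfServlet</servlet-name>
        <url-pattern>/cewolf/*</url-pattern>
      </servlet-mapping>

      <!-- No <error-page> for 401: <location> must be the path of one resource,
           not a URL pattern such as /trnkxref/*. If a custom 401 page is wanted,
           point it at a concrete page, e.g. the hypothetical /errors/401.html. -->

      <security-constraint>
        <display-name>Web App Access Control - Administrators</display-name>
        <web-resource-collection>
          <web-resource-name>Administration</web-resource-name>
          <url-pattern>/trnkxref/*</url-pattern>
          <!-- No <http-method> elements, so the constraint covers every method. -->
        </web-resource-collection>
        <auth-constraint>
          <!-- Role names written without padding, exactly as in tomcat-users.xml. -->
          <role-name>administrator</role-name>
          <role-name>patron</role-name>
        </auth-constraint>
        <user-data-constraint>
          <!-- Assumption: an HTTPS connector exists. BASIC sends the password
               base64-encoded, not encrypted, so NONE exposes it on the wire. -->
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>tomcat</realm-name>
      </login-config>

      <!-- Every role used in an <auth-constraint> is declared here; this is what
           the "without being defined in a <security-role>" warning asks for.
           In the 2.3 DTD these elements come after <login-config>. -->
      <security-role>
        <role-name>administrator</role-name>
      </security-role>
      <security-role>
        <role-name>patron</role-name>
      </security-role>
    </web-app>
    ```

    With the container enforcing the constraint, the in-page `setStatus`/`setHeader` challenge is not needed.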

  • Security & Servlet engine and ejb container on different servers

              When you have the servlet container and the ejb container on different physical servers,
              how is the rmi connection meant to be done while still maintaining the security
              propagation from servlet to ejb tier?
              Assume that my user is already authenticated (forms) on the servlet tier. Do we then
              create a dedicated connection (InitialContext + url/username/password properties)
              to the ejb tier and store this connection in the HttpSession? (basically authenticating
              a 2nd time)
              OR,
              can the servlet container make a generic connection to the ejb container, and pass
              the users security context to the ejb tier transparently?
              -Sam
              

    Nick Minutello <[email protected]> wrote:
              > Assuming that web container security is being employed, I guess the fundamental question
              > is: Is it necessary to create a "connection" (ie. an InitialConext) per user, or
              > can a "global" initial context be shared (in the end, the TCP connection is shared
              > anyway)?
              It doesn't create a 'connection' per user - when you use JNDI authentication (specifying
              principal and credentials when constructing InitialContext) it associates security info
              with the current thread for the duration of the request. If you cache InitialContext and
              use it later on some other thread it will not do anything.
              > Does it really matter?
              No ;-)
              > Thanks,
              > Nick
              > "Dimitri I. Rakitine" <[email protected]> wrote:
              >>Nick Minutello <[email protected]> wrote:
              >>
              >>> OK, so when I create the InitialContext, I just specify the URL (to call the remote
              >>> EJB container). The user ID and credentials are mapped automatically.
              >>
              >>> I obviously also need to cache the initialContext variable in my HTTPSession object?
              >>
              >>> What would happen if I had one InitialContext for the whole servlet engine - and
              >>> each thread used that. Would the thread (security) context still get passed - or
              >>> would the credentials for the original connection get used?
              >>
              >>If you use web-app security, container will associate security info with the current
              >>thread before invoking your servlet. If you do not use it and cache InitialContext,
              >>then the current user will always be 'guest' (except for the very first time when
              >>application calls 'new InitialContext()' with username/password).
              >>
              >>> Thank you.
              >>> -Sam
              >>
              >>> "Vinod Mehra" <[email protected]> wrote:
              >>>>
              >>>>"Sam the bad cat" <[email protected]> wrote in message
              >>>>news:[email protected]...
              >>>>>
              >>>>> When you have the servlet container and the ejb container on different physical servers,
              >>>>> how is the rmi connection meant to be done while still maintaining the security
              >>>>> propagation from servlet to ejb tier?
              >>>>>
              >>>>> Assume that my user is already authenticated (forms) on the servlet tier. Do we then
              >>>>> create a dedicated connection (InitialContext + url/username/password properties)
              >>>>> to the ejb tier and store this connection in the HttpSession? (basically authenticating
              >>>>> a 2nd time)
              >>>>>
              >>>>> OR,
              >>>>> can the servlet container make a generic connection to the ejb container, and pass
              >>>>> the users security context to the ejb tier transparently?
              >>>>
              >>>>If the user has logged in already, ie the authenticated user is already in the execute
              >>>>thread, the identity should be propagated to the ejb tier transparently, when you create the
              >>>>new initial context.
              >>>>
              >>>>--Vinod.
              >>>>
              >>>>>
              >>>>> -Sam
              >>>>>
              >>
              >>--
              >>Dimitri
              >>
              Dimitri
              

  • Web Services with HTTP Basic Auth

    Hi,
    I am having a problem connecting to web services which
    require HTTP Basic Authentication from a Flex application. I have
    useProxy set to true and call setRemoteCredentials prior to
    attempting the call, but the credentials do not appear to be set on
    the request (the request fails with fault.faultString = "HTTP
    request error", faultCode = "Server.Error.Request"). The messages on
    the server indicate that the user name and password were not
    specified.
    I do have the proxy-config.xml file set up properly (I think
    -- I followed the example in the mx.rpc.soap.mxml.WebService class
    description, at least).
    I can verify that the WSDL (which doesn't require BASIC auth
    to access) is being loaded properly, but when I make the request,
    it fails. Is this a known problem?
    I am using Flex Builder 2.0.1 to build my SWF files.
    Thanks,
    Brendan

    Thanks for the pointer, I did try it, but it didn't help.
    As I said in the original post, the problem is with HTTP
    Basic Authentication, so adding a header for WSSE to the service
    request didn't help. It needs to be an HTTP Authorization header,
    not a SOAP Security header.
    Brendan

  • BASIC Auth

    I've got a J2EE application running under WL6.1 and that uses BASIC Auth. During
    development I need to test with various users. How do I log a user out so I can
    run the app under a different user?
    Thanks,
    Matt

    The following should work :
    a) use HttpSession.invalidate() to invalidate
    the current user session , and
    b) use HttpServletResponse.sendRedirect() to
    redirect to the main page.
    Let me know if it does not work.
    jason
    "Matt Connors" <[email protected]> wrote:
    >
    I've got a J2EE application running under WL6.1 and that uses BASIC Auth. During
    development I need to test with various users. How do I log a user out so I can
    run the app under a different user?
    Thanks,
    Matt
