Basic Auth on operations

Hi,
Rather than having basic auth on service level. can we configure basic auth one level down on operation/method level? Is there a way to figure out operation url pattern? will something like this work ....
<web-resource-name>Administrator's Page</web-resource-name>
_<url-pattern>/MyWebservice/*Myoperation*</url-pattern>_
<http-method>GET</http-method>
<http-method>POST</http-method>
Thanks You,
Amit Joshi

There is no specific url for each operation. operation info is extracted from soap payload. Basic auth service is provided by web container in WLS webservices, web container will not interpret soap payload. If you want to force auth on operation/method level, I think you should take a look at UsernameToken policy.
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>
-LJ

Similar Messages

HTTP Basic Auth and Username Authentication with Symmetric Key

Hi,
I have a webservice happily running on tomcat 5.5 using "Username Authentication with Symmetric Key" I have certificates setup and everything works fine. I can even connect a .net client and use the service.
Now I have an additional requirement of authorization per operation basis so I'm planning on using the roles. My current setup uses tomcat-users.xml to configure users but I seem unable to identify the role of the user from within my code as wsContext.isUserInRole("briefing") always returns false even when it clearly isn't. Where wsContext = @Resource private WebServiceContext wsContext.
So I figure perhaps I need to add HTTP Basic Auth to tomcat for it to gather this information so I added security-constraints to the web.xml and this seems to do the trick: at least it does for my .net client.
If I do:
Service service = new Service();
Port client = service.getPort();
BindingProvider bp = (BindingProvider)client;
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "myusername");
bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "mypassword");Then it all works fine. However, I'd like a little less transparency: I don't want to have to do this every time I make a call.
My question(s) is:
1) Am I going about this the right way (perhaps I am somehow getting the incorrect reference to the WebServiceContext)
2) If I am going about this the right way I imagine the whole BindingProvider code needs to be added to as a policy configuration but I'm really not sure where to start especially as I'm using wsimport to generate everything: I'm not even sure where to configure this so it will not get overwritter.
Thanks for any help.

Doh! Ok So I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
All in all does this setup sound right?

BPEL not passing HTTP basic auth info

The BPEL control does not seem to pass the HTTP basic auth data correctly.
I placed the right credentials in the httpUsername and httpPassword properties for the partner link.
I patched SOA Suite to 10.1.3.3.1 to try to solve this problem. But it still comes up with the same result.
Any help would be greatly appreciated!

Steps for invoking secure web services from BPEL================================================
Add following lines in target wsdl(webservice)
Add xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" in the namespaces section (ensure that "ns4" is not already being used!)
Add xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" in the "schema" element
Import the namespace http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and provide a schemaLocation (physical file in the current directory)
Add the following in the "message" element for the input message type:
<s1:part name="secHeader" element="ns4:Security"/>
Add <s3:header message="__relevant_message_name__" part="secHeader" use="literal"/> within <input> element (<binding>..<operation>)
then in BPEL before invoke activity take one assign activity
in assain activity xml expression to securerity variable in target variable
<oas:Security xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<oas:UsernameToken wsu:Id="UsernameToken-15799662" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<oas:Username>username</oas:Username>
<oas:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</oas:Password>
</oas:UsernameToken>
</oas:Security>
import xsds into local workspace
oasis-200401-wss-wssecurity-secext-1.0.xsd
oasis-200401-wss-wssecurity-utility-1.0.xsd
xml.xsd
xmldsig-core-schema.xsd

BPEL to invoke a webservice secured by BASIC auth

Hi
I have been trying to write a simple BPEL process to invoke a remote webservice secured by basic authentication. I was able to build the BPEL process and then the composite application that I deployed successfully to glassfish, all within NetBeans IDE. As per the wiki notes: http://wiki.open-esb.java.net/Wiki.jsp?page=HTTPBasicAuthentication, I also added the Policy element to the wsdl for the service that I am trying to invoke as follows:
<wsdl:service name="PMSDatabase">
        <wsdl:port name="PMSDatabaseSOAP11port_http" binding="ns2:PMSDatabaseSOAP11Binding">
            <soap:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseSOAP12port_http" binding="ns2:PMSDatabaseSOAP12Binding">
            <soap12:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseHttpport" binding="ns2:PMSDatabaseHttpBinding">
            <http:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
            <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
        </wsdl:port>
    </wsdl:service>
    <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingRealmPolicy">
        <mysp:MustSupportBasicAuthentication on="true">
            <mysp:BasicAuthenticationDetail>
               <mysp:WssTokenCompare/>
            </mysp:BasicAuthenticationDetail>
        </mysp:MustSupportBasicAuthentication>
        <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
           <wsp:Policy>
                <sp:WssUsernameToken10>mcs_user</sp:WssUsernameToken10>
                <sp:WssPassword>${pass_token}</sp:WssPassword>
           </wsp:Policy>
      </mysp:UsernameToken>
    </wsp:Policy>When i try to run a testcase, the BPEL process fails during the invoke activity and I get the following error in the output:
<detailText>BPCOR-6135:A fault was not handled in the process scope; Fault Name is {http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling}systemFault; Fault Data is <?xml version="1.0" encoding="UTF-8"?><jbi:message xmlns:sxeh="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling" type="sxeh:faultMessage" version="1.0" xmlns:jbi="http://java.sun.com/xml/ns/jbi/wsdl-11-wrapper"><jbi:part>HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
    URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
    QUERY:
    PATH_INFO:
    Exception detail: request requires HTTP authentication: User mcs_user not found in directory.</jbi:part></jbi:message>. Sending errors for the pending requests in the process scope before terminating the process instance
   Caused by: BPCOR-6131:An Error status was received while doing an invoke (partnerLink=PartnerLink1, portType={http://service.messagecentre.dha.gov.au}PMSDatabasePortType, operation=deletePMSVoidPeriod)
BPCOR-6129:Line Number is 48
BPCOR-6130:Activity Name is Invoke1
   Caused by: HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
    URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
    QUERY:
    PATH_INFO:
    Exception detail: request requires HTTP authentication: User mcs_user not found in directory.
   Caused by: request requires HTTP authentication: User mcs_user not found in directory.</detailText>Where else do i need to configure the BASIC auth details to get this to work?

Please post your request to [email protected] for quick response.
Error states "mcs_user" is invalid user. Please make sure that the user is valid.

Forms based authentication + Basic authentication = no way to use the basic auth!!!!

Hi,
I setup a test sharepoint site, claims mode, with both the forms and basic authentication enabled.
I expect to see the page asking me which authentication method I want to use, but I never see this page!!!
I have to select the windows authentication (NTLM or Kerberos) to see this page!
why using only the Basic authentication did not prompt the user?
and how to be authenticated using the basic authentication rather than the forms auth when both are enable for the same site?
>I do NOT want to extend my site to have 2 zones... my question is ONLY with 1 zone configured.

What is the business purpose for using Basic Auth over NTLM/Kerberos?
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Learning the basics of EXISTS operator

I am learning the basics of EXISTS operator.
create table loans
(acc_id number,
balance number(10,2));
insert into loans
(acc_id, balance)
values
(100, 20000);
insert into loans
(acc_id, balance)
values
(110, 22000);
insert into loans
(acc_id, balance)
values
(120, 7000);
insert into loans
(acc_id, balance)
values
(130, 172.99);
SQL> select * from loans;
    ACC_ID    BALANCE
       100      20000
       110      22000
       120       7000
       130     172.99
create table defaulters
(cust_id number,
   name    varchar2(20),
   acc_id number);
insert into defaulters
(cust_id, name, acc_id)
values
(1,'Vajaal',110);
insert into defaulters
(cust_id, name, acc_id)
values
(2,'Mostert',130);
SQL> select * from defaulters;
   CUST_ID NAME                     ACC_ID
         1 Vajaal                      110
         2 Mostert                     130
SQL> select acc_id from loans
2 where exists(select 1 from defaulters
3 where loans.acc_id=defaulters.acc_id);
    ACC_ID
       110
       130It just returns all acc_id rows in Loans table which has corresponding ACC_IDs present in defaulters.
On 10gR2 SQL Reference, for EXISTS operator, it says ' An EXISTS condition tests for existence of rows in a subquery' .
Would it be wrong if i say, EXISTS operator can be used when you want to return all rows in the Outerquery which has matching records in the Innerquery.

Would it be wrong if i say, EXISTS operator
can be used when you want to return all rows in the
Outerquery which has matching records in the
Innerquery.Depends on what you understand with "matching".
See following examples:
In this case matching means "<>" i.e. return all loans who have at least one row that differs in defaulters table (of course it returns all loans, because defaulters has 2 rows with different acc_id, BTW look also for NULLs and comparisons involving NULLs)
SQL> ed
Wrote file afiedt.buf
1 select acc_id from loans
2 where exists(
3    select 1 from defaulters
4*   where loans.acc_id<>defaulters.acc_id)
SQL> /
    ACC_ID
       100
       110
       120
       130See also following query:
SQL> ed
Wrote file afiedt.buf
1 select acc_id from loans
2 where exists(
3    select 1 from defaulters
4* )
SQL> /
    ACC_ID
       100
       110
       120
       130There isn't any condition at all, so any row in defaulters is "matching" row in this case.
So I'd stick with explanation in documentation this time ;)
Gints Plivna
http://www.gplivna.eu

Web Services with HTTP Basic Auth

Hi,
I am having a problem connecting to web services which
require HTTP Basic Authentication from a Flex application. I have
useProxy set to true and call setRemoteCredentials prior to
attempting the call, but the credentials do not appear to be set on
the request (the request fails with fault.faultString = "HTTP
request error", faultCode = "Server.Error.Request". The messages on
the server indicate that the user name and password were not
specified.
I do have the proxy-config.xml file set up properly (I think
-- I followed the example in the mx.rpc.soap.mxml.WebService class
description, at least).
I can verify that the WSDL (which doesn't require BASIC auth
to access) is being loaded properly, but when I make the request,
it fails. Is this a known problem?
I am using Flex Builder 2.0.1 to build my SWF files.
Thanks,
Brendan

Thanks for the pointer, I did try it, but it didn't help.
As I said in the original post, the problem is with HTTP
Basic Authentication, so adding a header for WSSE to the service
request didn't help. It needs to be an HTTP Authorization header,
not a SOAP Security header.
Brnedan

Dynamic proxy invokes basic auth web service

My dynamic proxy client works fine with any web service except the basic auth secured one.
I know how to use stub client to work around this issue. But I haven't found a way to get around when dynamic proxy clients are used.
Any idea is appricated. Thanks

Paula-
Given that you can work around this issue with the stub client,
you should be able to work around the issue in the dynamic proxy client
in the same way-
I am interested that you say workaround the issue with the stub client.
Is there a problem that you have noted?
If you can let me know how you worked this issue with the stub,
and what problems you have specifically had with the dynamic proxy client
I will look at the issue to see if it a bug.
Please let me know what environment you are working in, the version of jaxrpc 1.x,
what container, jdk or jre and a sample client program that would help me understand
the problem.
Thanks,
Kathy

Basic Auth with WebView

Hello everyone,
we have integrated some JavaFX components within a swing application recently. One of the components that we have decided to add is a WebView component that should access an html page with the account settings of the logged in user.
However, this page has restricted access with HTTP Basic Auth type of authorization and for this reason the WebView gets the 401 HTTP error.
Is it possible to perform the HTTP Basic Auth programmatically (by setting username and password) with the WebView?
Thanks in advance for your help,
LM

I have solved by using java.net.Authenticator

BASIC Auth

I've got a J2EE application running under WL6.1 and that uses BASIC Auth. Durring
development I need to test with various users. How do I log a user out so I can
run the app under a different user?
Thanks,
Matt

The following should work :
a) use HttpSession.invalidate() to invalidate
the current user session , and
b) use HttpServletResponse.sendRedirect() to
redirect to the main page.
Let me know if it does not work.
jason
"Matt Connors" <[email protected]> wrote:
>
I've got a J2EE application running under WL6.1 and that uses BASIC Auth.
Durring
development I need to test with various users. How do I log a user out
so I can
run the app under a different user?
Thanks,
Matt

Basic auth interop problem, servlet WS works, EJB WS not (Sun AS 8)

After spending some time I managed to add HTTP basic auth to a simple web service. I have implemented two variants, an JAX-RPC servlet web service and an EJB web service.
A (Sun) JAX-RPC client works pretty well against both web services. I do the required steps with the stub (set user/pwd) and things work. I do get the correct principal in the server side, fine.
When I do NOT set the authentication properties at the stub, the servlet based WS responds something like HTTP error 403 (?) or so, which leads to "authentication required". The EJB based response is not that adequate, it's something like "internal server error, EJBLocalAccessException or so" but from the given message you could get the idea what's wrong.
Anyway, I got the impression that this stuff
return HTTP error to flag "auth required"
is not happening for some reason in my EJB based web service. I found this problem in Sun AS 8 and I think it's the same problem when I test stuff with Oracle's OC4J ...
Some client implementations have obviously problems to get the idea that user authentication is required. In other words, the clients cannot invoke the EJB WS. I tried it with Perl Soap::Lite, MS SOAP Toolkit 3.0 and MS .Net 1.1 stuff. All this clients work well (with authentication) when I consume the servlet based web service. But the EJB based web service is not working at all. I do get there just "not allowed" and the SOAP client runtime is not handing over any user credentials (because it's obviously not correctly asked for it by an appropriate AS response).
Anyone else experienced this problems with EJB WS???
Interesting question: why is the JAX-RPC client working? Is it sending the properties set at the stub in any case? Or do they "handle" the internal error coming from Sun AS explicitly or so? Strange, in a way. :-)
Thanx for any help here!
Merten

I guess the reason was that I wrote
<login-config>
<auth-method>Basic</auth-method>
</login-config>
instead of required
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
At deploy time, I got no error message. At usage time, I just got this AccessLocalException. That's not really nice ...
Merten

Basic auth in proxy server breaks managed server form auth

Hi,
I have a proxy server configured in front of 2 managed servers.
The managed servers have secure pages and are using form auth and the
proxy server is working properly. In other words, I point my browser
at the proxy and I end up being services by one of the managed servers.
If I attempt to access a secure page via the proxy I am sent to the form
login page via the proxy.
Now for the problem:
If I configure the proxy server to use basic auth, and secure all
pages in the proxy, I must provide my userid/password to the proxy
server (this is working fine) before I can get to one of the managed
servers. I can get to the welcome page of the managed server (which is
not secure) There is a link to a secure page on the welcome page. When
I click on the link to the secure page, I am sent to the form auth by
the managed server. I authenticate, but I can never see the secure
page. I end up being redirected to the form login page endlessly.
Both the proxy server and the managed server are usign the default
JSESSIONID.
Here is a section of the web.xml for the proxy server:
<servlet>
<servlet-name>HttpClusterServlet</servlet-name>
<servlet-class>weblogic.servlet.proxy.HttpClusterServlet</servlet-class>
<init-param>
<param-name>WebLogicCluster</param-name>
<param-value>${ProxyConfig}</param-value>
</init-param>
<init-param>
<param-name>SecureProxy</param-name>
<param-value>ON</param-value>
</init-param>
<init-param>
<param-name>Debug</param-name>
<param-value>ON</param-value>
</init-param>
<init-param>
<param-name>DebugConfigInfo</param-name>
<param-value>ON</param-value>
</init-param>
<init-param>
<param-name>CookieName</param-name>
<param-value>JSESSIONID</param-value>
</init-param>
<init-param>
<param-name>CookieName</param-name>
<param-value>wlauthcookie_</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>gcmgui/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>applauncher/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>ssoadmin/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>default/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>domainadmin/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>gsc/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>psr/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>broadcastclient/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>nra/*</url-pattern>
</servlet-mapping>
Here is the proxy debug:
<Fri Jul 11 14:40:07 EDT 2003>: ===New Request===GET
/applauncher/jsp/AppLaunche
r.jsp HTTP/1.1
<Fri Jul 11 14:40:07 EDT 2003>: Found cookie: Sf4VoFtpQwG]dTNEh9Yq
<Fri Jul 11 14:40:07 EDT 2003>: #### Trying to connect with server
-213061352!10
.68.10.87!1080!10443
<Fri Jul 11 14:40:07 EDT 2003>: Remove idle for '30' secs:
ProxyConnection(isSec
ureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
<Fri Jul 11 14:40:07 EDT 2003>: Create connection:
ProxyConnection(isSecureProxy
=true): 10.68.10.87:10443, keep-alive='30'secs
<Fri Jul 11 14:40:07 EDT 2003>: In-bound headers:
<Fri Jul 11 14:40:07 EDT 2003>: Accept: image/gif, image/x-xbitmap,
image/jpeg,
image/pjpeg, application/vnd.ms-excel, application/msword,
application/vnd.ms-po
werpoint, */*
<Fri Jul 11 14:40:07 EDT 2003>: Accept-Language: en-us
<Fri Jul 11 14:40:07 EDT 2003>: Accept-Encoding: gzip, deflate
<Fri Jul 11 14:40:07 EDT 2003>: User-Agent: Mozilla/4.0 (compatible;
MSIE 6.0; W
indows NT 4.0; H010818)
<Fri Jul 11 14:40:07 EDT 2003>: Host: localhost:18002
<Fri Jul 11 14:40:07 EDT 2003>: Connection: Keep-Alive
<Fri Jul 11 14:40:07 EDT 2003>: Cookie:
JSESSIONID=1PEosMJQ9ZJrewjj1t5nZfNtYe1e5
pWYbjyBGvZ1ExEY8YoueKTG!-213061352!NONE;
wlauthcookie_=Sf4VoFtpQwG]dTNEh9Yq
<Fri Jul 11 14:40:07 EDT 2003>: Authorization: Basic
cmFwcGVsYmE6b3V0Mmx1bmNo
<Fri Jul 11 14:40:07 EDT 2003>: HTTP/1.1 302 Moved Temporarily
<Fri Jul 11 14:40:07 EDT 2003>: Out-bound headers:
<Fri Jul 11 14:40:07 EDT 2003>: Date: Fri, 11 Jul 2003 18:40:07 GMT
<Fri Jul 11 14:40:07 EDT 2003>: Location:
https://localhost:18002/applauncher/un
restricted/jsp/FormLogin.jsp
<Fri Jul 11 14:40:07 EDT 2003>: Server: WebLogic WebLogic Server 8.1
Thu Mar 20
23:06:05 PST 2003 246620
<Fri Jul 11 14:40:07 EDT 2003>: Transfer-Encoding: Chunked
<Fri Jul 11 14:40:07 EDT 2003>: ===New Request===GET
/applauncher/unrestricted/j
sp/FormLogin.jsp HTTP/1.1
<Fri Jul 11 14:40:07 EDT 2003>: Found cookie: UZ]OrXsBP6uEEa[0veSz
<Fri Jul 11 14:40:07 EDT 2003>: Request successfully processed
<Fri Jul 11 14:40:07 EDT 2003>: #### Trying to connect with server
-213061352!10
.68.10.87!1080!10443
<Fri Jul 11 14:40:07 EDT 2003>: Requeue connection:
ProxyConnection(isSecureProx
y=true): 10.68.10.87:10443, keep-alive='30'secs
<Fri Jul 11 14:40:07 EDT 2003>: Recycle connection:
ProxyConnection(isSecureProx
y=true): 10.68.10.87:10443, keep-alive='30'secs
<Fri Jul 11 14:40:07 EDT 2003>: Request successfully processed
<Fri Jul 11 14:40:07 EDT 2003>: In-bound headers:
<Fri Jul 11 14:40:07 EDT 2003>: Accept: image/gif, image/x-xbitmap,
image/jpeg,
image/pjpeg, application/vnd.ms-excel, application/msword,
application/vnd.ms-po
werpoint, */*
<Fri Jul 11 14:40:07 EDT 2003>: Accept-Language: en-us
<Fri Jul 11 14:40:07 EDT 2003>: Accept-Encoding: gzip, deflate
<Fri Jul 11 14:40:07 EDT 2003>: User-Agent: Mozilla/4.0 (compatible;
MSIE 6.0; W
indows NT 4.0; H010818)
<Fri Jul 11 14:40:08 EDT 2003>: Host: localhost:18002
<Fri Jul 11 14:40:08 EDT 2003>: Connection: Keep-Alive
<Fri Jul 11 14:40:08 EDT 2003>: Authorization: Basic
cmFwcGVsYmE6b3V0Mmx1bmNo
<Fri Jul 11 14:40:08 EDT 2003>: Cookie:
JSESSIONID=1PEHvo1gQIbwOMuVsU9pJnnvlGBSP
74ZUcSHwazE7domCL8UlVA2!-937872307; wlauthcookie_=UZ]OrXsBP6uEEa[0veSz
<Fri Jul 11 14:40:08 EDT 2003>: HTTP/1.1 200 OK
<Fri Jul 11 14:40:08 EDT 2003>: Out-bound headers:
<Fri Jul 11 14:40:08 EDT 2003>: Date: Fri, 11 Jul 2003 18:40:08 GMT
<Fri Jul 11 14:40:08 EDT 2003>: Server: WebLogic WebLogic Server 8.1
Thu Mar 20
23:06:05 PST 2003 246620
<Fri Jul 11 14:40:08 EDT 2003>: Content-Length: 4238
<Fri Jul 11 14:40:08 EDT 2003>: Set-Cookie:
JSESSIONID=1PEIxJ21oT5H3Z2ilQjPqpq1V
kdOhEnNbbz9wviTtTTZj6IBp29b!-213061352!NONE; path=/
<Fri Jul 11 14:40:08 EDT 2003>: Request successfully processed
<Fri Jul 11 14:40:08 EDT 2003>: Requeue connection:
ProxyConnection(isSecureProx
y=true): 10.68.10.87:10443, keep-alive='30'secs
<Fri Jul 11 14:40:08 EDT 2003>: Request successfully processed
<Fri Jul 11 14:40:44 EDT 2003>: Trigger remove idle for '35' secs:
ProxyConnecti
on(isSecureProxy=true): 10.68.10.87:10443, keep-alive='30'secs
Thanks,
Rob

I typically have used Apache Commons HttpClient for anything but trivial URL connections, and especially when combining both basic auth and proxy auth. When you use it, be aware of the "preemptive authentication" flag. One server I worked with didn't send the correct parameters back on particular requests, so I had to turn on this flag to get it to work.

Basic auth with RESTful WEb service and Web Service reference

Hi, All,
We have made much progress on getting an application working wtih RESTful web services but now are trying to figure out how to lock down a RESTful Web service while making it available for a particular application.
We are using one of the sample 'emp' table web services that come with Apex 4.2 and are trying to apply Basic Auth to the WEb Service via Weblogic filter defined in the web.xml file. That works fine. I now get challenged when I try to go to :
https://wlogic.edu/apex/bnr/ace/hr/empinfo/
And when I authenticate to that challenge I am able to get the data. (we are usiing LDAP authentication at the Weblogic level)
However, I am not sure how to get same basic authentication to work with the Web Service reference in my application. I see the error message in the application when I try to call that Web Service:
401--Unauthorized<
And I see:
"The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials"
How do I provide the credentials in the Web REference or do I provide credentials in the Application?
Web service works fine if I remove the RESTful web service basic auth from the Web.xml file.
Should we NOT use Weblogic basic auth and instead use basic auth from Workspace RESTful web service definition. If so, how do we implement THAT basic auth in the Web Service definition and in the Web SErvice Reference on the application?
Thanks,
Pat

What I mean is diid you try to use the PL/SQL package for APEX webservice. Here is an example I use (modified and shortened, just to show how much better this is than to use it from the application).
CREATE OR REPLACE PACKAGE webservice_pkg
IS
   PROCEDURE create_webservice (
      p_id            IN       NUMBER,
      p_message       OUT      VARCHAR2,
      p_workspace     IN       VARCHAR2 DEFAULT 'MY_WORKSPACE',
      p_app_id        IN       NUMBER DEFAULT v ('APP_ID'),
      p_app_session   IN       VARCHAR2 DEFAULT v ('SESSION'),
      p_app_user      IN       VARCHAR2 DEFAULT v ('APP_USER')
END webservice_pkg;
CREATE OR REPLACE PACKAGE BODY webservice_pkg
IS
   PROCEDURE set_credentials (
      p_workspace     IN   VARCHAR2,
      p_app_id        IN   NUMBER,
      p_app_session   IN   VARCHAR2,
      p_app_user      IN   VARCHAR2
   IS
      v_workspace_id   NUMBER;
   BEGIN
      SELECT workspace_id
        INTO v_workspace_id
        FROM apex_workspaces
       WHERE workspace = p_workspace;
      apex_util.set_security_group_id (v_workspace_id);
      apex_application.g_flow_id := p_app_id;
      apex_application.g_instance := p_app_session;
      apex_application.g_user := p_app_user;
   END set_credentials;
   PROCEDURE create_webservice (
      p_id            IN       NUMBER,
      p_message       OUT      VARCHAR2,
      p_workspace     IN       VARCHAR2 DEFAULT 'MY_WORKSPACE',
      p_app_id        IN       NUMBER DEFAULT v ('APP_ID'),
      p_app_session   IN       VARCHAR2 DEFAULT v ('SESSION'),
      p_app_user      IN       VARCHAR2 DEFAULT v ('APP_USER')
   IS
      v_envelope          VARCHAR2 (32000);
      v_server            VARCHAR2 (400);
      v_url               VARCHAR2 (4000);
      v_result_url        VARCHAR2 (1000);
      v_collection_name   VARCHAR2 (40)    := 'PDF_CARD';
      v_message           VARCHAR2 (4000);
      v_xmltype001        XMLTYPE;
   BEGIN
      v_url := v_server || '.myserver.net/services/VisitCardCreator?wsdl';
      FOR c IN (SELECT *
                  FROM DUAL)
      LOOP
         v_envelope :=
               '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            || 'xmlns:bran="http://www.myaddress.com">'
            || CHR (10)
            || '<soapenv:Header/><soapenv:Body>'
            || CHR (10)
            || '<parameter:'
            || 'some_value'
            || '>'
            || CHR (10)
            || '<bran:templateID>'
            || p_id
            || '</bran:templateID>'
            || '</soapenv:Body>'
            || CHR (10)
            || '</soapenv:Envelope>';
      END LOOP;
      set_credentials (p_workspace, p_app_id, p_app_session, p_app_user);
      BEGIN
         apex_web_service.make_request
                                     (p_url                  => v_url,
                                      p_collection_name      => v_collection_name,
                                      p_envelope             => v_envelope
         p_message := 'Some message.';
      EXCEPTION
         WHEN OTHERS
         THEN
            v_message :=
                  v_message
               || '</br>'
               || 'Error running Webservice Request. '
               || SQLERRM;
      END;
      BEGIN
         SELECT    v_result_url
                || EXTRACTVALUE (VALUE (t),
                                 '/*/' || 'Return',
                                 'xmlns="http://www.myaddress.com"'
                xmltype001
           INTO v_result_url,
                v_xmltype001
           FROM wwv_flow_collections c,
                TABLE
                    (XMLSEQUENCE (EXTRACT (c.xmltype001,
                                           '//' || 'Response',
                                           'xmlns="http://www.myaddress.com"'
                    ) t
          WHERE c.collection_name = v_collection_name;
      EXCEPTION
         WHEN OTHERS
         THEN
            v_message := v_message || '</br>' || 'Error reading Collection.';
      END;
   EXCEPTION
      WHEN OTHERS
      THEN
         p_message := v_message || '</br>' || SQLERRM;
   END create_webservice;
END webservice_pkg;
/If you use it this way, you will find out what the problem is much faster.
Denes Kubicek
http://deneskubicek.blogspot.com/
http://www.apress.com/9781430235125
http://apex.oracle.com/pls/apex/f?p=31517:1
http://www.amazon.de/Oracle-APEX-XE-Praxis/dp/3826655494
-------------------------------------------------------------------

HTTP Basic Auth and Proxy Auth

Hi,
i have a problem with the authentication against a proxy server and against a content provider. At first I have to authenticate against the proxy to get "free internet". The next step is to authenticate against the content provider to get a html or xml file.
The following source code runs very good in Eclipse, i.e. as JUnitTest. But If I execute the same code within a weblogic server, I will get an error (not authenticated). I believe I get this message from the content provider and not from the proxy because If I test this code within the weblogic server and with no authentication (i.e. google needs no authentication), I will get a valide xml/html file.
StringBuffer sb = new StringBuffer();
          SimpleAuthenticator simple = new SimpleAuthenticator("joeuser","a.b.C.D"); //from openbook
          Authenticator.setDefault(simple);
          String strUrl = "http://www.rahul.net/joeuser/";
          URL url = null;
          try {
               url = new URL(strUrl);
          } catch (MalformedURLException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          URLConnection conn = null;
          InetSocketAddress addr = new InetSocketAddress("proxy.domain",8080);
          Proxy proxy = new Proxy(Proxy.Type.HTTP, addr);
          try {
               conn = url.openConnection(proxy);
          } catch (IOException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          String proxyStr = "username" + ":" + "passwordl";
          String encoded = new String(Base64.encodeBase64(proxyStr.getBytes()));
          conn.setRequestProperty("Proxy-Authorization", "Basic " + encoded);
          // get http status code which is located in header field 0
          String status = conn.getHeaderField(0);
          if (status.contains("200")) {
               BufferedReader in = null;
               try {
                    in = new BufferedReader(new InputStreamReader(conn.getInputStream(),
                              "ISO-8859-1"));
                    String inputLine;
                    while ((inputLine = in.readLine()) != null) {
                         sb.append(inputLine);
                    in.close();
               } catch (UnsupportedEncodingException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
               } catch (IOException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
          else {
               System.out.println("Error");
          System.out.println(sb.toString());
public class SimpleAuthenticator
extends Authenticator
     private String username,
     password;
     public SimpleAuthenticator(String username,String password)
          this.username = username;
          this.password = password;
     protected PasswordAuthentication getPasswordAuthentication()
          return new PasswordAuthentication(
                    username,password.toCharArray());
Does somebody know a solution? I need the authentication against proxy and content provider in "one application".
Thank you very much,
André

I typically have used Apache Commons HttpClient for anything but trivial URL connections, and especially when combining both basic auth and proxy auth. When you use it, be aware of the "preemptive authentication" flag. One server I worked with didn't send the correct parameters back on particular requests, so I had to turn on this flag to get it to work.

Basic auth and MSIE

Hi,
I'm using basic auth and used to send username/password with
the URL to authenticate from another webserver (with some other
kind of authentication), but - as you know - Microsoft doesn't
support that any longer and so this works for some other
webclients but not for IE (or only with a patch, that isn't installed
everywhere).
Now I have seen that for Apache there is a module called
mod_auth_cookie to fake that kind of implicit authentification.
My Question: has anybody done this for SJWS or can't that
be done?
TIA
Reinfried

Hi,
Please check the below link
Re: Accessing Portal component without login screen
hope is solve your problem.
Raghu

Basic Auth on operations

Similar Messages

Maybe you are looking for