HTTP Basic Auth and Username Authentication with Symmetric Key

Hi,
I have a webservice happily running on tomcat 5.5 using "Username Authentication with Symmetric Key" I have certificates setup and everything works fine. I can even connect a .net client and use the service.
Now I have an additional requirement of authorization per operation basis so I'm planning on using the roles. My current setup uses tomcat-users.xml to configure users but I seem unable to identify the role of the user from within my code as wsContext.isUserInRole("briefing") always returns false even when it clearly isn't. Where wsContext = @Resource private WebServiceContext wsContext.
So I figure perhaps I need to add HTTP Basic Auth to tomcat for it to gather this information so I added security-constraints to the web.xml and this seems to do the trick: at least it does for my .net client.
If I do:
  Service service = new Service();
  Port client = service.getPort();
  BindingProvider bp = (BindingProvider)client;
  bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "myusername");
  bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "mypassword");
Then it all works fine. However, I'd like a little less transparency: I don't want to have to do this every time I make a call.
My question(s) is:
1) Am I going about this the right way (perhaps I am somehow getting the incorrect reference to the WebServiceContext)
2) If I am going about this the right way I imagine the whole BindingProvider code needs to be added to as a policy configuration but I'm really not sure where to start especially as I'm using wsimport to generate everything: I'm not even sure where to configure this so it will not get overwritten.
Thanks for any help.

Doh! Ok So I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
All in all does this setup sound right?
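
A handler of the kind the follow-up post describes, as an added example that is not the poster's code: it sets the HTTP `Authorization` header on every outbound message so callers do not repeat the `BindingProvider` lines. The class name `BasicAuthHandler`, the `install` helper and the refusal of plain `http://` endpoints are assumptions of this example; it uses `java.util.Base64` (Java 8+) and the `javax.xml.ws` API.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.Handler;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/** Hypothetical handler: adds an HTTP Basic Authorization header to outbound calls. */
public class BasicAuthHandler implements SOAPHandler<SOAPMessageContext> {

    private final String headerValue;

    public BasicAuthHandler(String username, char[] password) {
        // Basic auth is only base64("user:password"); it is an encoding, not encryption.
        String pair = username + ":" + new String(password);
        this.headerValue = "Basic "
                + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    @SuppressWarnings("unchecked")
    public boolean handleMessage(SOAPMessageContext ctx) {
        Boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (Boolean.TRUE.equals(outbound)) {
            Map<String, List<String>> existing =
                    (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
            // Copy first: the map handed out by the runtime may be read-only.
            Map<String, List<String>> headers =
                    existing == null ? new HashMap<>() : new HashMap<>(existing);
            headers.put("Authorization", Collections.singletonList(headerValue));
            ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
        }
        return true; // continue with the rest of the handler chain
    }

    @Override
    public boolean handleFault(SOAPMessageContext ctx) {
        return true;
    }

    @Override
    public void close(MessageContext ctx) {
        // nothing to release
    }

    @Override
    public Set<QName> getHeaders() {
        return Collections.emptySet(); // this handler processes no SOAP headers
    }

    /**
     * Attach the handler once to a wsimport-generated port. Because this lives
     * outside the generated classes, re-running wsimport does not overwrite it.
     */
    public static void install(BindingProvider bp, String username, char[] password) {
        Object endpoint = bp.getRequestContext().get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
        // Assumption of this example: never send Basic credentials over plain HTTP.
        if (endpoint instanceof String && ((String) endpoint).startsWith("http://")) {
            throw new IllegalStateException("Refusing Basic auth over plain HTTP: " + endpoint);
        }
        // getHandlerChain() returns a copy, so the modified list must be set back.
        List<Handler> chain = bp.getBinding().getHandlerChain();
        chain.add(new BasicAuthHandler(username, password));
        bp.getBinding().setHandlerChain(chain);
    }
}
```

With the port from the post, the call would be `BasicAuthHandler.install((BindingProvider) client, user, password)`, with the credentials loaded from configuration rather than string literals.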

Similar Messages

  • HTTP Basic Auth and Proxy Auth

    Hi,
    I have a problem with the authentication against a proxy server and against a content provider. At first I have to authenticate against the proxy to get "free internet". The next step is to authenticate against the content provider to get a html or xml file.
    The following source code runs very good in Eclipse, i.e. as JUnitTest. But if I execute the same code within a weblogic server, I will get an error (not authenticated). I believe I get this message from the content provider and not from the proxy because if I test this code within the weblogic server and with no authentication (i.e. google needs no authentication), I will get a valid xml/html file.
    import java.io.*;
    import java.net.*;
    import org.apache.commons.codec.binary.Base64;

    StringBuffer sb = new StringBuffer();
    // Default Authenticator: consulted whenever a server or proxy sends an authentication challenge
    SimpleAuthenticator simple = new SimpleAuthenticator("joeuser","a.b.C.D"); //from openbook
    Authenticator.setDefault(simple);
    String strUrl = "http://www.rahul.net/joeuser/";
    URL url = null;
    try {
        url = new URL(strUrl);
    } catch (MalformedURLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    URLConnection conn = null;
    InetSocketAddress addr = new InetSocketAddress("proxy.domain",8080);
    Proxy proxy = new Proxy(Proxy.Type.HTTP, addr);
    try {
        conn = url.openConnection(proxy);
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    // Proxy credentials are sent preemptively in a Proxy-Authorization header
    String proxyStr = "username" + ":" + "passwordl";
    String encoded = new String(Base64.encodeBase64(proxyStr.getBytes()));
    conn.setRequestProperty("Proxy-Authorization", "Basic " + encoded);
    // get http status code which is located in header field 0
    String status = conn.getHeaderField(0);
    // status is null when no response was received
    if (status != null && status.contains("200")) {
        BufferedReader in = null;
        try {
            in = new BufferedReader(new InputStreamReader(conn.getInputStream(),
                    "ISO-8859-1"));
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                sb.append(inputLine);
            }
            in.close();
        } catch (UnsupportedEncodingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    } else {
        System.out.println("Error");
    }
    System.out.println(sb.toString());

    // Returns the same username/password for every challenge it receives
    public class SimpleAuthenticator extends Authenticator {
        private String username,
                password;

        public SimpleAuthenticator(String username, String password) {
            this.username = username;
            this.password = password;
        }

        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(
                    username, password.toCharArray());
        }
    }
    Does somebody know a solution? I need the authentication against proxy and content provider in "one application".
    Thank you very much,
    André

    I typically have used Apache Commons HttpClient for anything but trivial URL connections, and especially when combining both basic auth and proxy auth. When you use it, be aware of the "preemptive authentication" flag. One server I worked with didn't send the correct parameters back on particular requests, so I had to turn on this flag to get it to work.
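
An added example, not code from either poster, of a single `java.net.Authenticator` that answers the proxy challenge and the content-provider challenge separately by checking `getRequestorType()`, and that releases each credential only to the host it belongs to. The class name `ScopedAuthenticator` and the environment variable names are assumptions; the host names are the ones in the question. Whether a given application server routes its HTTP connections through `java.net.Authenticator` is not something this example establishes.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.URL;

/** Hypothetical authenticator: one credential for the proxy, another for the origin server. */
public class ScopedAuthenticator extends Authenticator {

    private final String proxyHost;
    private final PasswordAuthentication proxyCreds;
    private final String serverHost;
    private final PasswordAuthentication serverCreds;

    public ScopedAuthenticator(String proxyHost, PasswordAuthentication proxyCreds,
                               String serverHost, PasswordAuthentication serverCreds) {
        this.proxyHost = proxyHost;
        this.proxyCreds = proxyCreds;
        this.serverHost = serverHost;
        this.serverCreds = serverCreds;
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        String host = getRequestingHost(); // may be null; equalsIgnoreCase(null) is false
        if (getRequestorType() == RequestorType.PROXY) {
            // 407 challenge: answer only the proxy we configured.
            return proxyHost.equalsIgnoreCase(host) ? proxyCreds : null;
        }
        // 401 challenge: answer only the expected content provider, so another
        // host that sends a challenge never receives this password.
        return serverHost.equalsIgnoreCase(host) ? serverCreds : null;
    }

    /** Reads a credential pair from environment variables (names are assumptions). */
    static PasswordAuthentication fromEnv(String userVar, String passVar) {
        String user = System.getenv(userVar);
        String pass = System.getenv(passVar);
        if (user == null || pass == null) {
            throw new IllegalStateException("Set " + userVar + " and " + passVar);
        }
        return new PasswordAuthentication(user, pass.toCharArray());
    }

    public static void main(String[] args) throws IOException {
        String proxyHost = "proxy.domain";   // from the question
        String serverHost = "www.rahul.net"; // from the question

        Authenticator.setDefault(new ScopedAuthenticator(
                proxyHost, fromEnv("PROXY_USER", "PROXY_PASS"),
                serverHost, fromEnv("SITE_USER", "SITE_PASS")));

        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, 8080));
        HttpURLConnection conn = (HttpURLConnection)
                new URL("http://" + serverHost + "/joeuser/").openConnection(proxy);

        // No hand-built Proxy-Authorization header: both challenges are answered
        // by the authenticator above when the proxy or the server asks.
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```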

  • Get authenticated user name (HTTP basic auth)

    Hi.
    How can I get the authenticated user name from a BPEL process when the service is protected with HTTP basic auth?
    I'm running SOA Suite 11.1.1.5.
    Thanks in advance.
    Mick


  • RemoteObject and http basic auth

    Hello,
    I am writing an AIR application and I have a RemoteObject
    that has an endpoint secured using http basic auth. Whenever I try
    to send the RemoteObject request, a username/password window is
    displayed to the user. How do I automatically send the
    username/password? Using setCredentials or setRemoteCredentials
    doesn't seem to affect this - looking at the data sent, the
    RemoteObject is not sending a http Authorisation header.
    Is this possible?

    Hello,
    Sorry for "waking up" this old message, but I have exactly the same problem and I can't find a solution.
    I know how to send Authorization in the HTTP headers with a HTTPService, but not with a RemoteObject.
    Do you know that, or have any other solution for the problem ?
    Etienne

  • Basic auth and MSIE

    Hi,
    I'm using basic auth and used to send username/password with
    the URL to authenticate from another webserver (with some other
    kind of authentication), but - as you know - Microsoft doesn't
    support that any longer and so this works for some other
    webclients but not for IE (or only with a patch, that isn't installed
    everywhere).
    Now I have seen that for Apache there is a module called
    mod_auth_cookie to fake that kind of implicit authentication.
    My Question: has anybody done this for SJWS or can't that
    be done?
    TIA
    Reinfried

    Hi,
    Please check the below link
    Re: Accessing Portal component without login screen
    Hope it solves your problem.
    Raghu

  • BPEL not passing HTTP basic auth info

    The BPEL control does not seem to pass the HTTP basic auth data correctly.
    I placed the right credentials in the httpUsername and httpPassword properties for the partner link.
    I patched SOA Suite to 10.1.3.3.1 to try to solve this problem. But it still comes up with the same result.
    Any help would be greatly appreciated!

    Steps for invoking secure web services from BPEL
    ================================================
    Add following lines in target wsdl(webservice)
    Add xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" in the namespaces section (ensure that "ns4" is not already being used!)
    Add xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" in the "schema" element
    Import the namespace http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and provide a schemaLocation (physical file in the current directory)
    Add the following in the "message" element for the input message type:
         <s1:part name="secHeader" element="ns4:Security"/>
    Add <s3:header message="__relevant_message_name__" part="secHeader" use="literal"/> within <input> element (<binding>..<operation>)
    then in BPEL before invoke activity take one assign activity
    in assign activity xml expression to security variable in target variable
    <oas:Security xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <oas:UsernameToken wsu:Id="UsernameToken-15799662" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <oas:Username>username</oas:Username>
    <oas:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</oas:Password>
    </oas:UsernameToken>
    </oas:Security>
    import xsds into local workspace
    oasis-200401-wss-wssecurity-secext-1.0.xsd
    oasis-200401-wss-wssecurity-utility-1.0.xsd
    xml.xsd
    xmldsig-core-schema.xsd

  • Storing encrypted username and password along with the Key into Windows Keystore

    I have a WPF application and I need to allow the user to enter the username and password. Username and Password should be encrypted and store them with the key into the windows Keystore. I used the Cryptography class to encrypt the username and password but
    I am not sure how to store them in the Windows Key Store.
    This login is used for configuration purpose only. User enters  and  it is saved into the clients machine. As long these credentials are correct, we are going to allow this machine to call another API to download files.
    I would really appreciate for any sample code. Basically, I need to store them in the registry and be able to call them to verify.

    Data encryption and key management is certainly not a WPF topic so you are in the wrong forum but you could take a look at the ProtectedData class:
    https://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx.
    It provides methods for encrypting and decrypting data on user or machine level. Please refer to the following link for more information:
    http://stackoverflow.com/questions/4967325/best-way-to-store-encryption-keys-in-net-c-sharp
    Here is another link on the subject that may be helpful:
    http://stackoverflow.com/questions/7459069/where-to-store-sensitive-information-needed-for-an-application-to-run
    Please remember to mark helpful posts as answer to close your threads.

  • Using HTTP basic auth in WebService

    Hi,
    I am writing a flex app that needs to talk to a pre-existing
    SOAP web service. Unfortunately the web service uses http basic
    auth to authenticate a user. I am trying to figure out exactly how
    this is accomplished but I cannot find any substantive data on the
    subject. So I was hoping someone here could point me in the right
    direction or possibly answer the question outright.
    I DID find reference to using the useProxy attribute on the
    WebService element (and that I would need to make some changes to a
    flex-config.xml) but I could not get this to work, nor could I find
    any explanation as to what exactly I was doing. I, as a workaround,
    attempted to place the auth info in the url (e.g.
    http://user:[email protected]:port/wsdl)
    but this did not work either as the request never made it to the
    server, I am assuming actionscript doesn't like this format?
    Anyway, does anyone have any advice/pointers? Any help would
    be appreciated.


  • JDev3: http basic auth

    Can the web-to-go(?) httpd in JDev3 be configured to support http basic auth? How do I configure it to setup my realms? thnx.

    Please note that I am able to do some basic programmatic configuration of the JDev3 httpd , such as doing:
    oracle.jdeveloper.debugger.ServletDebugger dbg = new oracle.jdeveloper.debugger.ServletDebugger();
    dbg.setRootDir("D:/JDev3/");
    But I have been unsuccessful in other tasks
    such as:
    dbg.setDocumentRootDir("D:/myDir");
    dbg.setServerPort("9090");
    Compiler tells me these two methods are not supported by class oracle.jdeveloper.debugger.ServletDebugger
    Info on how to configure the JDev3 httpd for - the doc root
    -listen port,
    - and realms for http basic auth
    would be greatly appreciated. If correct documentation exists please point me to them (the JDev3 Help documentation contains erroneous information on some of these topics). thnx

  • Web Services with HTTP Basic Auth

    Hi,
    I am having a problem connecting to web services which
    require HTTP Basic Authentication from a Flex application. I have
    useProxy set to true and call setRemoteCredentials prior to
    attempting the call, but the credentials do not appear to be set on
    the request (the request fails with fault.faultString = "HTTP
    request error", faultCode = "Server.Error.Request". The messages on
    the server indicate that the user name and password were not
    specified.
    I do have the proxy-config.xml file set up properly (I think
    -- I followed the example in the mx.rpc.soap.mxml.WebService class
    description, at least).
    I can verify that the WSDL (which doesn't require BASIC auth
    to access) is being loaded properly, but when I make the request,
    it fails. Is this a known problem?
    I am using Flex Builder 2.0.1 to build my SWF files.
    Thanks,
    Brendan

    Thanks for the pointer, I did try it, but it didn't help.
    As I said in the original post, the problem is with HTTP
    Basic Authentication, so adding a header for WSSE to the service
    request didn't help. It needs to be an HTTP Authorization header,
    not a SOAP Security header.
    Brendan

  • BASIC Auth and WSDL in WebLogic 7

    I want to protect my web service URI with HTTP basic authentication. I've modified
    the web.xml and protected my web service URI and all works fine. However, this
    also protects the dynamically generated WSDL URL.
    Is there a way to pass the user/password to the JAX-RPC client for the WSDL URL?
    If not, what is the best way to expose the WSDL through a different unprotected
    URI while still dynamically generating it?
    Mike

    I am aware that this is an old post, but I have never seen a good answer for this
    question and have been struggling with it myself. How do you protect web services
    with basic authentication, but at the same time expose the generated WSDL?
    The best way I have found is to protect only post requests:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>myservice</web-resource-name>
        <url-pattern>/myservice/*</url-pattern>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>SomeRoleName</role-name>
      </auth-constraint>
    </security-constraint>
    Since web service requests are posts, security does kick in on the invocation.
    The WSDL 'get' requests are allowed. This setup does break the WLS generated test
    harness, however, since there is no way to authenticate prior to the service invocation.
    Anyone have any better suggestions?
    Anyone know why servicegen doesnt put the WSDL in a separate directory from the
    services to make things a bit easier?
    Mike
    "Mike Gilbode" <[email protected]> wrote:
    > I want to protect my web service URI with HTTP basic authentication. I've modified
    > the web.xml and protected my web service URI and all works fine. However, this
    > also protects the dynamically generated WSDL URL.
    > Is there a way to pass the user/password to the JAX-RPC client for the WSDL URL?
    > If not, what is the best way to expose the WSDL through a different unprotected
    > URI while still dynamically generating it?
    > Mike

  • OSB, REST, and browser authentication with OAM

    All,
    I'm looking for some advice regarding the consumption of REST services (from the users browser) in an environment that utilizes OAM security and the Oracle Service Bus. Let me set the stage.
    We've configured an instance of OAM with OHS acting as a proxy to our applications. One of our apps wants to pull some data (using an AJAX call) from a service directly to the browser. The service is currently protected using HTTP Basic authentication. This works fine for Java apps that want to make those service calls directly, but not so well when it is the browser that wants to make the call.
    My assumption (up to this point) had been that I would be able to utilize the OAM Identity Asserter on the service bus in much the same way that we have been using it to propagate identity to our application servers. After speaking with some of the service developers (guys more intimately familiar with the OSB than I am) we haven't tried to do this before and are unsure of the proper implementation to achieve our goal.
    So, with all of that being said, am I barking up the wrong tree? Would it be incorrect to have a REST service written that is serviced by two different OSB proxies? One that enforces HTTP Basic, and one that (somehow) uses the OAM_REMOTE_USER and an appropriate identity asserter to pass identity in such a manner that the OSB would be able to enforce security in that manner?
    Is there a better way to secure REST services being made from the browser?
    Thank you for any help/direction you can provide.
    --james

    If you want to use custom authentication plugin then OAM provides a way to create a custom authentication module and you can orchestrate your steps based on your conditions. See http://docs.oracle.com/cd/E21764_01/doc.1111/e12491/authnapi.htm for more details.
    Hope this helps,
    Sagar

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Certificate server, and the client (WinXP) is receiving both machine and user certificates just fine.
    I have also managed to set up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • How to open files with "return" key and delete files with "delete" key?

    Hi friends,
    It's been over a week since I got my iMac and I'm loving it. However, while I'm adapting alright to 'mac' key shortcuts (e.g. using the COMMAND-S for save as opposed to CONTROL-S used in PC).
    However, there are 2 things that are annoying me greatly right now.
    1. I like selecting files with keys as opposed to using the mouse. I make animations and prefer keyboard shortcuts. However, when I hit "return", instead of opening the file it goes into file-renaming mode. How do I change this? Likewise, I would like to delete files by hitting the delete key. This does not work - how do I change this?
    2. When I click SHIFT key sometimes, it gets 'stuck' - which is annoying because I start typing CAPITALS when I wasn't aware I've activated the CAP-LOCK key. How do I get rid of this? Like, I don't want to hit SHIFT for instance, and have that up arrow thing 'stuck' there.
    Your help would be greatly appreciated! Thanks!
    iMac G5   Mac OS X (10.4.9)  

    Hi
    Thanks for the star.
    If you went into Mac Help & searched, 2 results come up:
    Full keyboard access shortcuts for interacting with items (for selecting & activating controls).
    Full keyboard navigation keyboard shortcuts (for navigating Desktop, Windows, Menu bar etc)
    From the lists, select the link that closely describes your situation.
    I have to say that I can't reproduce your problem, does this happen just in applications or in everything? I don't know if it's to do with this but pressing Shift 5 times turns on Sticky Keys & Option(Alt) 5 times to turn on Mouse Keys (System Preferences>Universal Access>Keyboard).
    After typing "Sticky Keys" into Mac Help, I found this:
    "Pressing a group of modifier keys as a sequence
    To perform many tasks on your computer, you need to press one or more modifier keys (Shift, Command, Option, and Control) at the same time as another key. For example, pressing Shift-Command-Q in the Finder opens the Logout dialog.
    If you have difficulty pressing several keys at once, you can make it easier to press a set of keys by turning on Sticky Keys in the Universal Access preferences pane. With Sticky Keys turned on, you can press a set of modifier keys as a sequence. As you press each key, the symbol for the modifier key appears on the screen.
    Choose Apple menu > System Preferences and click Universal Access. Then click Keyboard.
    Select the On button next to Sticky Keys.
    To hear a sound whenever the computer registers that you have pressed a modifier key, select "Beep when a modifier key is set."
    To see an icon indicating which modifier keys you have pressed, select "Display pressed keys on screen."
    You can also use Slow Keys to adjust the amount of time between when you press a key and when it is activated."
    Any of this close to your problem?
    Steve
    Edit: I'm right, it's Sticky Keys:
    http://www.macusenet.com/190284-post2.html

  • Message Digest with symmetric key

    Hi,
    I am new to Java Cryptography.
    My requirement is I want to digest a message using RSA generated 128 bit key and I am not able to find any functions to generate Symmetric key and also to digest a message with key. Can anyone please tell me how to do. Any help would be appreciated. This is very urgent requirement.
    Thanks in advance.
    Cheers,
    Sreedhar Gupta

    RSA uses a key pair:
    you can sign with the private key
    and you verify the signature with the public key.
    For this use class: java.security.Signature
    To have a "message digest" with a symmetric key
    use the class: javax.crypto.Mac
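
The keyed digest the answer points to, as an added example that is not from the thread: an HMAC-SHA256 tag computed with `javax.crypto.Mac` and checked with a constant-time comparison. The class name `KeyedDigestExample`, the choice of HMAC-SHA256, the provider's default key size and the sample messages are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

/** Hypothetical example: message authentication with a symmetric key (HMAC). */
public class KeyedDigestExample {

    /** Computes the HMAC-SHA256 tag of a message under the shared secret key. */
    static byte[] tag(SecretKey key, byte[] message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(message);
    }

    /** Recomputes the tag and compares it without leaking where the bytes differ. */
    static boolean verify(SecretKey key, byte[] message, byte[] receivedTag)
            throws GeneralSecurityException {
        // MessageDigest.isEqual is a constant-time comparison; Arrays.equals is not.
        return MessageDigest.isEqual(tag(key, message), receivedTag);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // The symmetric key comes from a KeyGenerator, not from RSA: RSA key
        // pairs belong to java.security.Signature (sign with private, verify with public).
        SecretKey key = KeyGenerator.getInstance("HmacSHA256").generateKey();

        byte[] message = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8);  // constructed sample
        byte[] tampered = "transfer 900 to account 42".getBytes(StandardCharsets.UTF_8); // constructed sample

        byte[] t = tag(key, message);
        System.out.println("tag length (bytes): " + t.length);
        System.out.println("original verifies:  " + verify(key, message, t));
        System.out.println("tampered verifies:  " + verify(key, tampered, t));
    }
}
```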
