Modifying outbound header for basic authentication

Similar Messages

• Safari seems not sending If-Modified-Since header for main address

  Not sure I'm in the appropriate forum but let's try (if there is more appropriate one please advise).
  When Safari requests a resource (page, image...) to a web server it doesn't provide If-Modified-Since header for the main resource of the request. That means the web server can't answer "resource not modified, use your cache". This is not the behavior of other browsers and not good in terms of performance for the web server as well as for the user.
  However Safari sends this If-Modified-Since for the sub-elements of the resource (e.g. images, css in a page...). Which is good.
  Is there a way to influence Safari's behavior to provide a If-Modified-Since for the main resource requested to the server?
  acama,

  Found out the answer.  IIS 6 does in fact steal "If-Modified-Since" and "If-None-Match" headers, but only on custom 404 redirects.  That's actually what I'm doing here (that'll teach me not to put details in a question when I think they're irrelevant -- actually I just forgot).
  Here's two discussions on the issue (they're using ASP, but apparently it's the same for ColdFusion):
  http://www.eggheadcafe.com/conversation.aspx?messageid=32839787&threadid=32839787
  http://www.webmasterworld.com/microsoft_asp_net/3935439.htm

• Proxy for Basic Authentication

  Hi,
  Can someone point out if I am on the right track about this ?
  I have an application which uses Basic Authentication as its authentication mechanism.I have defined the Application for single sign-on using the External Applications option in the Portal Builder.
  I have read further down in the documentation (Configuring and Administering External Applications) http://download.oracle.com/docs/cd/B10464_01/manage.904/b10851/ext_apps.htm#1009009
  that there is something called Proxy Authentication for Basic Authentication Applications.
  Can someone explain this to me as I am unsure as to whether I need to set this proxy up as well ? The diagram in the documentation appears to be what I am trying to do.
  As I mentioned in a previous post Basic Authentication doesn't appear to be working for me. The very first time I authenticate I get straight into the application but any attempts after that results in the Basic Authentication dialog box appearing even though I have checked the "Remember my login information" tick box.
  Any ideas ?
  Thanks,

  Thank you for the response. I tried with a pass-through service account but could not get it working.
  This is what I did:
  1. I have a SOAP business service with WS-Policy with username security assertion.
  2. I created a SOAP business service with the wsdl. OSB EPE editor said OSB does not support WSSE 1.2 policies. I extended my OSB domain to include OWSM and in the business service policy tab, selected OWSM policy option and added "oracle/wss_username_token_client_policy". (Now I am not sure how the user credentials in HTTP BASIC (headers) will be propagated to WS-Security headers)
  3. I created a pass through service account and added this service account in the SOAP business service. I am able to configure service account only when I choose HTTP BASIC authentication in the business service. This did not propagate the username from HTTP to WS-Security. I see errors in the log like "WSM-00015 : The user name is missing.". Looks like wss_username_token_client_policy is looking for username in csf-key map. I do not know this map gets populated internally. If I have to do it programmatically I saw there is java code to set BindingProvider.USER_NAME in the request context. How do I do this from OSB designer ?
  4. I tried creating a wrapper proxy around the secure SOAP business service and include the wrapper proxy in my main proxy but could not get it working. I get lof of NullPointers.
  I am missing something. Can you please help ?

• JCAPS 5.12 - modifying SOAP header for webservice Invocation

  I am trying to call an external web service from JCAPS 5.1.2 and need to set a token in the SOAP header. I am able to do this in other client implementations, however, the methods to modify the header don't seem to be exposed within JCAPS 5.1.2 or I do not know how to find the methods.
  Has anyone tried this before?

  Hi Experts,
  I'm trying to protect a web service deployed in jcaps 5.1.1, using SAML assertions against an Access Manager 7/7.1, the web services clients are both, web and standalone applications, I also have read netbeans tutorials, that expose how to implement identity webservices using AppServer 9.1 + AccessManager 7.1 using the SAML Holder of key and other security mechanisms, but this implementation requiere modifications to the server.policy file to add support to SOAP message security providers and HttpServlet message security providers, the addition of a library called amwebservicesprovider.jar to the classpath suffix (this library implements the jsr-196 java Authentication Service Provider Interface for Containers) and aditional configuration required in the AM side that is not detailed in the tutorials.
  Could someone guide me on how to protect the acces to a web services deployed in the jcaps logicalhost based on AM roles assigned to users?
  Any help is aprecciated
  Juan

• API Call For Basic Authentication

  Hi,
  Does anyone know whats the API call that WebLogic makes internally to
  perform basic authentication. Is ServletAuthentication the only way to
  programmatically log in a user.
  Thanks
  Sameer

  If the target node for your operation is a sibling, I believe you're going to have to pass the parent node of the sibling into the AddNode() API call when this operation occurs within a version. Note that copyNodesAcrossVersions is a new method that has a copyAsSibling parameter, but AddNode() does not.
  Edited by: Naren Truelove on Nov 12, 2012 3:12 PM
  ...grammatical correction...

• JAX-WS setting header HTTP basic authentication

  Hello
  How can I set HTTP header vars in JAX-WS?
  I found a lot of questions but no answer works.
  This is my code:
  Service service = Service.create(url, portName);
  OnlineSIUIDef hello = service.getPort(OnlineSIUIDef.class);
  Map<String, Object> contextws = ((BindingProvider)service).getRequestContext();
  contextws.put(BindingProvider.USERNAME_PROPERTY, SIUI_USERNAME);
  contextws.put(BindingProvider.PASSWORD_PROPERTY, SIUI_PASSWORD);
  All examples I found on the web are based on such a structure.
  Problem is that first is created a new service, then the header vars are changed.
  But this can't work because when the service is created(at line 1) error 401 is already thrown.
  What is the equivalent in JAX-WS of the following lines?
  HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
  con.setSSLSocketFactory(factory);
  con.setRequestProperty(varName, val);
  Can someone help with this problem?
  I'm looking for a solution for over a day and I can't find nothing usefull about this.
  Thank you.

  Hi
  Seems that the URL you are referring in Service.create() is a basic auth protected URL(wsdlLocation) ie why you are getting 401 error.
  there are different options to resolve this.
  Authenticator.setDefault(new Authenticator() {
  @Override
  protected PasswordAuthentication getPasswordAuthentication() {
     return new PasswordAuthentication(
        SIUI_USERNAME,
        SIUI_PASSWORD.toCharArray());
  try to add the above code ,before creating the URL.
  2 Download the WSDL from Endpoint and refer that WSDL locally,and dynamically hook the correct endpoint using
  contextws.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,"ur Endpoint");
  Haven't tried this...
  custom SSLSocketFactory come in picture only if you have protected your webservice using one way/2 way SSL.
  Thanks,
  Paul

• Multiple popups for username/password for basic authentication.

  Safari 4.0.5 (5531.22.7) gives multiple popups for username/password while requesting a page which has more than one 'secure' items in it (basic auth). We expected that Safari to reuse the credentials entered the first time around and pass it on for subsequent requests. (Although RFC 2617 specifies that the credentials 'may' be reused, not really sure what Safari is doing here, though this seems to be the behavior on other popular browsers).
  There's another discussion that listed this problem but that too seems to be unresolved yet (http://discussions.apple.com/message.jspa?messageID=2074214).

  HI and welcome to Apple Discussions...
  If you have tried the suggestions at that link but nothing worked, update Safari.
  Apple Menu / Software Updates.
  Repair disk permissions after the updates are installed.
  Carolyn

• Basic authentication not working for portal application

  HI All,
  i have a portal application where I have a servlet. i want to use basic authentication for this servlet.
  to archive this i have followed http://docs.oracle.com/cd/E14571_01/web.1111/b31974/adding_security.htm
  and configured basic authentication, also add web-resource in web.xml for the url to access the servlet.
  my web.xml look like (copied is only security section from web.xml)
  <security-constraint>
      <web-resource-collection>
        <web-resource-name>adfAuthentication</web-resource-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </web-resource-collection>
      <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <url-pattern>/faces/Auto-connect</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
      <role-name>valid-users</role-name>
    </security-role>
  this works when in run the application in JDeveloper i.e. when i try to access http://localhost:7101/MyApp/faces/Auto-connect it ask for basic authentication (the popup) and when i access http://localhost:7101/MyApp/ it takes me to home page for login , but doesn't work when i deploy the application in weblogic 11g.(deployment done using Enterprise Manager console (EM console) (for both URL no popup).
  i tried Google around it but didn't get any solution please provide your input and guide me.
  thanks
  -somesh

  Hi,
  Before deploying, have you changed:
  Application properties -> Deployment
  Remove the selection from "Auto Generate and Syncronize weblogic-jdc.xml ....."
  Kind Regards

• HTTP Basic authentication for proxy service and its wsdl?

  Hello:
  For some reasons I needed to configure the HTTP basic authentication on a proxy service at OSB 11g. Everything was OK until I realized that, additionally to the authentication when calling the service, the OSB also asks for credentials when I try to get that proxy wsdl file.
  My requirements are to secure the proxy service when is called only, not when retrieving the wsdl.
  Is this possible to configure on OSB / WLS? How?
  Greetings!
  Edited by: user4483647 on 02-sep-2010 12:59
  Edited by: user4483647 on 02-sep-2010 13:25

  If I'm not wrong, Basic authentication is Transport level feature. So passing User/Password in SOAPHeader doesn't make sense. SOAP message can only be sent when you have a HTTP Connection open. During opening of HTTP connection User/Password is required for basic authentication.
  http://www.student.nada.kth.se/~d95-cro/j2eetutorial14/doc/Security7.html#wp156943
  Edited by: mneelapu on Apr 2, 2009 2:09 PM

• How to call a web service from BPEL that requires HTTP basic authentication

  Hi All,
  I need to calling some Web Services from BPEL (SOA 10.1.3.1 production running on XP machine). The services require HTTP basic authentication.
  I have tried adding httpUsername and httpPassword properties to the ParnterLink, and I see in BPEL Console that they are deployed by checking the descriptor page. But I still get a SOAP fault, HTTP 401: Unathenticated.
  I have also tried using basicHeaders (from memory) = credentials, httpBasicUsername, and httpBasicPassword. Same result.
  I have done a packet trace using Ethereal, and the headers do not seem to contain the userid and password at all.
  Can anyone help?
  Thanks,
  Mark Nelson

  Thanks Bas,
  I have resolved the issue. The provider of the Web Service had not configured if for Basic Authentication. For some reason it worked when they tested, or maybe the did not test. The only thing I had to change was to use:
  <property name="basicHeaders">credentials</property>
  <property name="basicUsername">WMDATA</property>
  <property name="basicPassword">WMDATA</property>
  Instead of:
  <property name="httpUsername">WMDATA</property>
  <property name="httpPassword">WMDATA</property>
  I don’t know why this is, maybe because it is an Axis Web Service.
  Sorry for wasting your time.
  Regards Pete

• Reverse Proxy + Policy Agent generates unwanted Basic Authentication

  We have a policy agent installed on the SJWS 7.0u1. It's configured as a reverse proxy to a server running on another port on the same machine as the web server. The policy agent catches the request and redirects to the access manager, which authenticates fine. The access manager then redirects back to the web server, which then issues presents the basic authentication dialog. (We did not configure it for basic authentication).
  In a previous post I was directed to check my DNS entries. Both servers can resolve each other without problem. I can type nslookup server.practicegreenhealth.org, nslookup server (these are the web server addresses) and they both resolve to the correct ip. I can type nslookup access.practicegreenhealth.org and nslookup access and they both resolve to the correct IP.
  I had the application deployed as a JRuby application within the SJWS's servlet container and the setup worked fine. I switched back to using SJWS as a reverse proxy to application running as its own instance and am now presented with the basic auth dialog. I can hit the application fine both from the box it's running on and if I disable the policy agent. It's just the combination of the reverse proxy configuration + the policy agent that doesn't seem to work.
  Edited by: phoehne on Jun 23, 2008 12:40 PM

  what does the server error log say ? you might want to increase the log level to finest (config/server.xml change info to finest) and restart and look at the server error logs. this could provide us some insight on what is happening. most likely some config parameters in obj.conf need to be fine tuned.

• Weblogic server BASIC Authentication not prompting for username

  I created a very simple Weblogic 10.3.5 web application with BASIC Authentication that for some reason doesn't prompt for the username and password. I believe the web.xml and weblogic.xml are created properly. The entire application is below.
  It consists of two files:
  index.html -- that anyone should be able to load
  remoteuser.jsp -- that only people in 'group' should be able to load
  I added an <auth-constraint> for all JSPs (*.jsp), such that only users in 'group' should be able to load them. However, when I load the url "/remoteuser.jsp", it displays "The remote user is null", and doesn't prompt for a username and password. The causes the JSP to also print out null instead of the remote user's name.
  The <auth-method> is, of course, set to BASIC.
  I currently don't even have any groups defined in Weblogic's Security Realm, because I want to watch it fail first.
  According to this Weblogic documentation (http://docs.oracle.com/cd/E15051_01/wls/docs103/security/thin_client.html#wp1037337), I believe that I'm doing everything correctly.
  Do I have to modify the Weblogic Security Realm's Authentication Provider? Or some other setting?
  I know that I'm doing something silly, but can't see it. Please help!
  SOURCE FILES
  web.xml
  <web-app>
  <welcome-file-list>
  <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>JSPs</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>group</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
  <role-name>group</role-name>
  </security-role>
  </web-app>
  weblogic.xml
  <weblogic-web-app>
  <security-role-assignment>
  <role-name>group</role-name>
  <principal-name>group</principal-name>
  </security-role-assignment>
  </weblogic-web-app>
  remoteuser.jsp
  <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
  pageEncoding="ISO-8859-1"%>
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  <title>Remote User</title>
  </head>
  <body>
  <p>
  Only users in "group" should be able to load this page.
  </p>
  <p>
  The remote user is <%= request.getRemoteUser() %>
  </p>
  </body>
  </html>
  index.html
  <html>
  <head><title>WebLogic Test</title></head>
  <body>
  Everyone should be able to see this.
  </body>
  </html>

  Hi,
  Before deploying, have you changed:
  Application properties -> Deployment
  Remove the selection from "Auto Generate and Syncronize weblogic-jdc.xml ....."
  Kind Regards

• How to set up and test the Basic Authentication for HTTP protocol

  Hi,
  I tried configuring the password based Basic Authentication for sending xml document using ebMS - HTTP protocol. I set username and password while configuring the transport server for both trading partners. I want to know, is that sufficient for basic authenticaton. When I open the URI http://localhost:7778/b2b/transportServlet, it is not asking any authentication (username/password). Please note that I have not used SSL certificate. Anyone please help me out to configure Basic authentication.

  Hi Ramesh,
  Thanks for ur response. Could you please tell me where to set the Additional Transport header : authtype-basic#realm=myRealm(in which property file). In enqueue code, I could see the following attributes
  queue
  msgID
  replyToMsgID
  from
  to
  eventName
  doctypeName
  doctypeRevision
  msgType
  payload
  attachment
  subscriber
  Is it possible to set username/password in the enqueue attributes?
  Do i need to add username/password and Transport header in the input XML and defined that elements in xsd?

• Ignoring Http basic authentication header in wls 7.0.sp2 web service servlet (weblogic.webservice.server.servlet.WebServiceServlet)

  Hi!
  We need to implement authentication using our own methods, and the authentication
  information is provided to the web service implementation in a basic authentication
  header. The problem is, that the servlet
  weblogic.webservice.server.servlet.WebServiceServlet, which handles web services
  in
  wls 7.0.sp2, always attempts to perform authentication, if the header is present.
  Is there any way to circumvent this, because we want to implement authentication
  on our own?
  I already know two workarounds:
  The best would of course be to implement a custom security realm for our own
  authentication system. This is not an option, implementing an own security
  realm is overkill for this specific web service.
  The other way would be to route the requests by way of a custom servlet, which
  would
  remove the basic authentication header, and put the authentication info in custom
  headers, such as x-auth: <user:password>, or smthng similar, and after successful
  authentication, make a call to bea's servlet weblogic.webservice.server.servlet.WebServiceServlet.
  But still, I'd like to know if there is any way to tell bea's servlet to ignore
  the basic
  authentication header?
  Oh yeah, by the way, this is URGENT, as always. (really!! ;)
  Toni Nykanen

  Currently there is no option to turn off security check.
  I think you can use a servlet filter mapped to the URL
  of your service, instead of a proxy servlet?
  Regards,
  -manoj
  http://manojc.com
  "Toni Nykanen" <[email protected]> wrote in message
  news:3ef1577b$[email protected]..
  >
  Hi!
  We need to implement authentication using our own methods, and theauthentication
  information is provided to the web service implementation in a basicauthentication
  header. The problem is, that the servlet
  weblogic.webservice.server.servlet.WebServiceServlet, which handles webservices
  in
  wls 7.0.sp2, always attempts to perform authentication, if the header ispresent.
  Is there any way to circumvent this, because we want to implementauthentication
  on our own?
  I already know two workarounds:
  The best would of course be to implement a custom security realm for ourown
  authentication system. This is not an option, implementing an own security
  realm is overkill for this specific web service.
  The other way would be to route the requests by way of a custom servlet,which
  would
  remove the basic authentication header, and put the authentication info incustom
  headers, such as x-auth: <user:password>, or smthng similar, and aftersuccessful
  authentication, make a call to bea's servletweblogic.webservice.server.servlet.WebServiceServlet.
  >
  But still, I'd like to know if there is any way to tell bea's servlet toignore
  the basic
  authentication header?
  Oh yeah, by the way, this is URGENT, as always. (really!! ;)
  Toni Nykanen

• Basic authentication only works for some webservices?

  I'm trying to call the SAP BI/BO REStful webservices using basic authentication. I enabled basic authentication in the WACS and tested with this service:
  http://host:6405/infostore/16422
  This works! I can get the report metadata as either xml or json. However, whenever I try an url with "raylight" in it, I get an authentication problem:
  http://host:6405/biprws/raylight/v1/documents/16422/parameters
  error_code: "1"
  message: "No session found in HTTP header X-SAP-LogonToken"
  Why do some services work with basic authentication and others absolutely require the logontoken? I would like to avoid the logontoken if possible. I tested by logging on with the token and that does work, so it's not like my credentials are wrong.
  I also found the a problem with the raylight logontoken described here: RESTful Raylight Error Incorrect session
  Apparently, there needs to be double quotes around the logontoken for it to work. Could this "bug" be the reason why basic authentication doesn't work? I already tfried to put double quotes around and inside my base-encoded value but it still gives the same error.

  Hello,
  Raylight doesn't support basic authentication because it required a permanent session to work. Internally, we have to manage a "cache" to support subsequent REST calls and this is not possible using basic authentication.
  Regards,
  Anthony