OWSM :: Unable to satisfy WSSE Basic Authentication

Similar Messages

• Proxy for Basic Authentication

  Hi,
  Can someone point out if I am on the right track about this ?
  I have an application which uses Basic Authentication as its authentication mechanism.I have defined the Application for single sign-on using the External Applications option in the Portal Builder.
  I have read further down in the documentation (Configuring and Administering External Applications) http://download.oracle.com/docs/cd/B10464_01/manage.904/b10851/ext_apps.htm#1009009
  that there is something called Proxy Authentication for Basic Authentication Applications.
  Can someone explain this to me as I am unsure as to whether I need to set this proxy up as well ? The diagram in the documentation appears to be what I am trying to do.
  As I mentioned in a previous post Basic Authentication doesn't appear to be working for me. The very first time I authenticate I get straight into the application but any attempts after that results in the Basic Authentication dialog box appearing even though I have checked the "Remember my login information" tick box.
  Any ideas ?
  Thanks,

  Thank you for the response. I tried with a pass-through service account but could not get it working.
  This is what I did:
  1. I have a SOAP business service with WS-Policy with username security assertion.
  2. I created a SOAP business service with the wsdl. OSB EPE editor said OSB does not support WSSE 1.2 policies. I extended my OSB domain to include OWSM and in the business service policy tab, selected OWSM policy option and added "oracle/wss_username_token_client_policy". (Now I am not sure how the user credentials in HTTP BASIC (headers) will be propagated to WS-Security headers)
  3. I created a pass through service account and added this service account in the SOAP business service. I am able to configure service account only when I choose HTTP BASIC authentication in the business service. This did not propagate the username from HTTP to WS-Security. I see errors in the log like "WSM-00015 : The user name is missing.". Looks like wss_username_token_client_policy is looking for username in csf-key map. I do not know this map gets populated internally. If I have to do it programmatically I saw there is java code to set BindingProvider.USER_NAME in the request context. How do I do this from OSB designer ?
  4. I tried creating a wrapper proxy around the secure SOAP business service and include the wrapper proxy in my main proxy but could not get it working. I get lof of NullPointers.
  I am missing something. Can you please help ?

• Calling Web Service with Http Basic authentication in SOA 11g

  I am calling a webservice which has http basic authentication attached to it. Thus i am adding 'oracle/wss_http_token_client_policy' OWSM policy to the WS refrence in my composite in Jdeveloper,but it doesn't showme the option of providing the http Username and http Password. The only key it is showing me is cf.key.
  Am i missing some steps?
  Please let me know.
  Note - I am working on SOA 11.1.1.4.
  Regards
  Ayush

  Hi Ayush,
  Please refer -
  http://biemond.blogspot.com/2010/08/http-basic-authentication-with-soa.html
  Regards,
  Anuj

• Consuming a Web Service via SSL with Basic Authentication

  Hello,
  I have a simple web service (returns a parameter value) and want to consume it. Therefore I have generated a proxy for its in Netweaver Studio SP13.
  When I set up the web service to be accessed via HTTP and Basic Authentication (Username/Password), everything is fine. When I set up the web service to communicate via HTTPS, I get the following error message in my client:
  java.rmi.RemoteException: Service call exception; nested exception is:
       java.lang.NullPointerException
       at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:87)
       at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:96)
       at priv.se.wsclient.MultiSecSSL.main(MultiSecSSL.java:38)
  Caused by: java.lang.NullPointerException
       at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.disconnect(HTTPSocket.java:625)
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.HTTPTransport.closeSession(HTTPTransport.java:396)
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1312)
       at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:80)
       ... 2 more
  Testing the web service with WebServiceNavigator and/or by using a generated WebDynpro Client results in the following error:
  000D604C66BE004E0000001300000AFC00040922E0160632 : An error occurred during processing the timestamp. The error was: com.sap.security.core.ws.wss.NoSecurityHeaderException No wsse:Security header has been defined for role soap:finalActor. Please verify the policy configuration..
  But my main focus is on the client implementation based on a proxy. Here comes the client's code:
  public class MultiSecSSL {
      public static void main(String[] args) {
          try {
              MultiSecuritySSLAuthImpl serviceInterface = new MultiSecuritySSLAuthImpl();
              SSLBindingStub service = (SSLBindingStub)serviceInterface.getLogicalPort(MultiSecuritySSLAuthViDocument.class);
              SecurityProtocol protocol = (SecurityProtocol) service._getGlobalProtocols().getProtocol("SecurityProtocol");
              AuthenticationContext auth = protocol.getAuthenticationContext();
              auth.setIgnoreSSLServerCertificate(true);
              auth.setUsername("cfpcompany");
              auth.setPassword("demo");
              String ret = service.pingText("Called service MultiSecurity via SSL");
              System.out.println(ret);
          } catch (Exception e) {
               e.printStackTrace(System.out);
  Here comes the logical port information of the generated proxy:
  <?xml version="1.0" encoding="UTF-8"?>
  <LogicalPorts Name='MultiSecuritySSLAuth' InterfaceName='priv.senw04.wsproxy.multisec_ssl.MultiSecuritySSLAuth'>
    <LogicalPort Name='SSLPort_Document' Endpoint='https://192.168.129.76:50001/MultiSecuritySSLAuth/SSL?style=document' BindingName='SSLBinding' BindingUri='urn:MultiSecuritySSLAuthWsd/SSL/document' BindingImplementation='SOAP 1.1 HTTP Binding with Attachments' StubName='priv.senw04.wsproxy.multisec_ssl.SSLBindingStub' Default='true' InterfaceName='priv.senw04.wsproxy.multisec_ssl.MultiSecuritySSLAuthViDocument' Original='true' Valid='true'>
      <globalFeatures>
        <Feature Name='http://www.sap.com/webas/630/soap/features/headers/' Provider='SoapHeadersProtocol' Original='false'>
        </Feature>
        <Feature Name='http://www.sap.com/webas/630/soap/features/session/' Provider='SessionProtocol' Original='false'>
          <Property Name='SessionMethod' Value='httpCookies'>
          </Property>
        </Feature>
        <Feature Name='http://www.sap.com/webas/630/soap/features/authentication' Provider='SecurityProtocol' Original='true'>
          <Property Name='AuthenticationLevel' Value='None'>
          </Property>
          <Property Name='AuthenticationMechanism' Value='HTTP'>
          </Property>
          <Property Name='AuthenticationMethod' Value='BasicAuth'>
          </Property>
          <Property Name='SupportsSSO2Authentication' Value='false'>
          </Property>
        </Feature>
        <Feature Name='http://www.sap.com/webas/630/soap/features/transportguarantee' Original='true'>
          <Property Name='Level' Value='No'>
          </Property>
          <Property Name='TLSType' Value='SSL'>
          </Property>
        </Feature>
      </globalFeatures>
      <localFeatures>
        <Operation Name='pingText'>
          <Feature Name='http://www.sap.com/webas/630/soap/features/wss' Original='true'>
            <Property Name='RequestPolicy' Value='Signature'>
            </Property>
            <Property Name='ResponsePolicy' Value='None'>
            </Property>
          </Feature>
          <Feature Name='http://sap.com/webservices/authorization' Original='true'>
          </Feature>
        </Operation>
      </localFeatures>
    </LogicalPort>
  </LogicalPorts>
  To me, this looks consistent. Any idea, what is misconfigured on my machine ?

  Hi Martin,
  that is exactly, what I did.
  - Change Web Service Configuration in IDE
  - Build and Deploy the Service to my local Server
  - Check Service in Visual Administrator
  - Deleted and Regenerated the Standalone Proxy
  - Deleted and Recreated the link between CLient and Proxy Project in IDE
  - Started Client
  Here comes the section of the ws-deployment-descriptor.xml of the service. For me, it matches, what the proxy generated.
    <webservice>
      <guid>ed8363_10876a54b6d__7fe9_192_168_129_76_1135862193037</guid>
      <ejb-name-temp>MultiSecWSBean</ejb-name-temp>
      <webservice-name>
        <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
        <localName>MultiSecuritySSLAuth</localName>
      </webservice-name>
      <webservice-internal-name>MultiSecuritySSLAuth</webservice-internal-name>
      <standard-namespaceURI>urn:MultiSecuritySSLAuthWsd</standard-namespaceURI>
      <ws-configuration>
        <configuration-name>SSL</configuration-name>
        <ejb-name>MultiSecWSBean</ejb-name>
        <service-endpoint-name>
          <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
          <localName>SSLPort</localName>
        </service-endpoint-name>
        <wsdl-porttype-name>
          <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
          <localName>MultiSecuritySSLAuthVi</localName>
        </wsdl-porttype-name>
        <webservice-definition-ref>
          <package>com.technidata.cfp.i3rdparty.cfpxml</package>
          <name>MultiSecuritySSLAuthWsd.wsdef</name>
        </webservice-definition-ref>
        <service-endpoint-vi-ref>
          <package>com.technidata.cfp.i3rdparty.cfpxml</package>
          <name>MultiSecuritySSLAuthVi.videf</name>
        </service-endpoint-vi-ref>
        <transport-binding name="SOAPHTTP_TransportBinding">
          <wsdl-binding-name>
            <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
            <localName>SSLBinding</localName>
          </wsdl-binding-name>
        </transport-binding>
        <transport-address>/MultiSecuritySSLAuth/SSL</transport-address>
        <global-features>
          <feature name="http://www.sap.com/webas/630/soap/features/transportguarantee" protocol="SecurityProtocol">
            <property name="TLSType" value="SSL"/>
          </feature>
          <feature name="http://www.sap.com/webas/630/soap/features/authorization" protocol="SecurityProtocol"/>
          <feature name="http://www.sap.com/webas/630/soap/features/authentication" protocol="SecurityProtocol">
            <property name="AuthenticationMethod" value="BasicAuth"/>
            <property name="AuthenticationMechanism" value="HTTP"/>
            <property name="SupportsSSO2Authentication" value="false"/>
          </feature>
        </global-features>
        <operation-configuration uniqueViName="pingText(java.lang.String)">
          <transport-binding-configuration>
            <input>
              <property name="soapAction" value=""/>
              <property name="encodingStyle" value="http://schemas.xmlsoap.org/soap/encoding/"/>
            </input>
            <output>
              <property name="encodingStyle" value="http://schemas.xmlsoap.org/soap/encoding/"/>
            </output>
          </transport-binding-configuration>
          <feature name="http://www.sap.com/webas/630/soap/features/wss" protocol="SecurityProtocol">
            <property name="RequestPolicy" value="None"/>
            <property name="ResponsePolicy" value="None"/>
          </feature>
          <feature name="http://sap.com/webservices/authorization" protocol="SecurityProtocol">
            <property name="security-roles">
              <property name="role1" value="use_multisec_service"/>
            </property>
          </feature>
        </operation-configuration>
      </ws-configuration>
    </webservice>
  Regards,
  Stefan

• Basic authentication when calling a web service

  I am attempting to call a web service using ActionScript. The
  web service provider requires that I use HTTP Basic Authentication
  to communicate my SOAP requests. I cannot seem to get this done in
  ActionScript. If I instantiate a WebService object and call its
  SetCredentials method, I get an error "Authentication not supported
  on DirectHTTPChannel (no proxy)". I have the WebService object's
  useProxy property set to true. HELP!

  I know this is five years later on this forum but there's no solution here or on any other forum.  So after two day's of hammering this out I was able to produce a workable solution.  Create a new user account for testing.
  Wu_Xiao's explanation of the issue was dead on.  The WebService does a GET then a POST and for the GET we are unable to supply the Authorization in the header and this is why we get the popup. The POST has the Authorization but it already to late. 
  Take these actions
  1 Create a new user on the machine with the web services. Start with a simple name and password (text only)  I had issues with different users. Start clean and simple.
  2 Copy your web services a second usable service.  You'll see in my example below i have Ive copied  ServicesSECURE/Services1.asmx?WSDL to ServicesDEFINITION/Services1.asmx?WSDL
  3 Remove all of the code inside of your services making the new set of service like a definition service. Make sure all of the inputs and outputs are the same. ServicesDEFINITION will have no coding and empty returns.
  Example  
  [WebMethod]
          public String CountUsers(string group)
              return "";
  4 Implement the code below. Call the init() right away to instantiate the web service and wait until it loads to use any of the services.  I use a button event to test.
  private var testws:WebService = new WebService;
    private function init():void
    testws.wsdl="http://test.com/ServicesDEFINITION/Services1.asmx?WSDL";
    var encoder:Base64Encoder= new Base64Encoder();
    encoder.insertNewLines = false; // see below for why you need to do this
    encoder.encode("USERNAME:PASSWORD");
    testws.httpHeaders = {Authorization:" Basic " + encoder.toString()};
    testws.loadWSDL();
    testws.addEventListener("load", wsdlLoadHandler);
    protected function test_clickHandler(event:MouseEvent):void
    testws["CountUsers"].addEventListener(mx.rpc.events.FaultEvent.FAULT,testFaultHandler);
    testws["CountUsers"].addEventListener(mx.rpc.events.ResultEvent.RESULT,testResultHandler) ;
    testws.endpointURI="http://test.com/ServicesSECURE/Services1.asmx?WSDL";
    testws.getOperation("CountUsers").send("Test");
    protected function wsdlLoadHandler (event:LoadEvent) : void
    //the service has to load before using the getOperation function
    //you could try using mx.core.UIComponent.callLater from
    //this listener and call the gettestws.getOperation("Co....
  So you'll see that the ServicesDEFINITION (GET) is called and grabs the definition of the Service1 service but this unsecured services is useless because we've removed all of the code.  After the definition GET is called we can change the end point using endpointURI and perform the POST against our secure ServicesSECURE.

• PROXY BASIC AUTHENTICATION

  Hello.
  I'm facing problem during client connection throungth proxy.
  The error messagge is:
  java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 302 Moved Temporarily"
       at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:923)
       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
       at updateAuto.getInputStream(updateAuto.java:494)
       at updateAuto.downloadFile(updateAuto.java:422)
       at updateAuto.start(updateAuto.java:263)
       at Avvio.main(Avvio.java:8)
  The question is: how i set the basic authentication? I found two example:
  URL url= new URL(fileName);
  URLConnection connection= url.openConnection();
  connection.setRequestProperty("Proxy-Authorization","Basic " + new sun.misc.BASE64Encoder().encode(proxyUser + ":" + proxyPassword).getBytes()));
  URL url= new URL(fileName);
  URLConnection connection= url.openConnection();
  connection.setRequestProperty("Proxy-Authorization", new sun.misc.BASE64Encoder().encode(proxyUser + ":" + proxyPassword).getBytes()));
  So, i MUST specify the Basic before the user-password or not?
  I'm in the rigth direction or i miss something?
  Best regards
  Gianluca Chiodaroli

  I was also struggled to get this thing done for long time and finally mangaged to got through. Following code would demonstrate how you could connect to a https url through a proxy sever. You have to replace your proxy server, port, userid/password and your https URL in the appropriate places.
  Also follow the instructions given in the java comments blocks to download the deigital certifactes of your https sites and configure them in the filestores.
  I have tested this code with JDK 1.4
  Good luck. Dushan Karawita
  import com.sun.net.ssl.*;
  import javax.commerce.util.BASE64Encoder;
  import java.net.*;
  import java.io.*;
  import java.util.*;
  * Title: HttpsPrototye
  * Description: This will demonstrate how to connect to a https url through
  * a proxy server. It is very difficult to find a proper documentation
  * describing how to implement this feature.
  * @auther : Dushan Karawita ([email protected])
  public class HttpsPrototype {     
       * Performs the proxy tunneling to access the https url.
      public static void testHttps() {
          HttpsURLConnection httpsCon = null;
          DataInputStream dis = null;
          InputStream is = null;
          String response = null;
          String cookieString = null;
          URL sslUrl = null;
          try {
               * Sets the https proxy server and the https proxy port.
               * @todo: Replace the <proxy.server.com> with your proxy server's
               * IP address and replace with the correct port.
              System.setProperty("https.proxyHost", "<proxy.server.com>");
              System.setProperty("https.proxyPort", "80");
               * Add the route to your cacerts filestore (or a filestore of
               * your choice) you'll find ca certs at java_home$/jre/lib/security
               * Seems that if you dont add this java will not always find the
               * certificate required for to trust the SSL connection.
               * Note if you still get a CertificateException "could not find
               * trusted certificate" then you will need to import the public
               * certificate of the website you are connecting  to into the
               * keystore using,
            keytool -import -keystore cacerts -file thecert.cer -alias thecertname
               * This command will add the "thecert.cer" file to the "cacerts"
               * filestore (if not available, it will create it). Make sure you go
               * to the place where you want to place the filestore (cacerts) and
               * run the command since it will create it in the location it's been
               * run. You can use IE to download the certificate and save it in the
               * hard disk with following steps.
               * Tools -> Internet Options -> Content -> Certificates
               * -> Immediate Certification Autherities
               * and select the certificate from the list and select "Export" and
               * follow the wizard to install it into the local hard drive. If the
               * relavent certificate is not available in the list, try to import
               * the certificate by clicking on the padlock sign of the IE when
               * you go into the secure link.
               * Following is the example of how to import the certificate in your
               * filestore.
               * try the password as "changeit"
     E:\jdk1.4.1\jre\lib\security>keytool -import -keystore cacerts -file doit.cer
               * Enter keystore password:  changeit
               * Owner: CN=*.doit.com, OU=Domain Control Validated, OU=See
               * www.ffffssl.com/cps (c)04, OU=https://services.my-choicepoint.net
               * /getit.jsp?126600646, O=*.doit.com, C=NL
               * Issuer: CN=ChainedSSL CA, O=FreeSSL, C=US
               * Serial number: 2899e49
               * Valid from: Thu Jan 29 15:14:20 GST 2004 until: Sat Jan 29
               * 15:14:20 GST 2005
               * Certificate fingerprints:
               * MD5:  44:C5:AC:10:4A:34:6E:19:0D:3A:8A:32:B5:4F:A3:C4
               * SHA1: DA:D8:11:74:B6:BA:EB:D9:98:F2:12:AF:E9:4C:73:0B:4B:FA:1D:CF
               * Trust this certificate? [no]:  y
               * Certificate was added to keystore
               * E:\jdk1.4.1\jre\lib\security>
               * You have to set the filestore where you have imported your site's
               * certificates. Here we're setting the defualt jdk filestore since
               * we have imported the ncessary certificates into the same filestore.
               * You can give different filestore if you have created your
               * filestore in a different place.
              System.setProperty("javax.net.ssl.trustStore",
                      "E:/jdk1.4.1/jre/lib/security/cacerts");
               * Before connecting with a secure URL, we must do this first :
              java.security.Security.addProvider(
                      new com.sun.net.ssl.internal.ssl.Provider());
              System.setProperty("java.protocol.handler.pkgs",
                      "com.sun.net.ssl.internal.www.protocol");
               * The https URL which you want to access.
               * If you are using the JDK defualt filestore, it is a good idea to
               * test with the https://www.sun.com url
               * @todo: Replace your https url.
              sslUrl = new URL("https://www.sun.com");
               * Opens the https URL connection.
              httpsCon = (HttpsURLConnection) sslUrl.openConnection();
              httpsCon.setFollowRedirects(true);
               * Set the Proxy user id and password for the basic proxy
               * authorization.
               * @todo: Replace the <user:password> with your proxy user id and
               * the password.
              httpsCon.setRequestProperty("Proxy-Authorization", "Basic "
                      + new BASE64Encoder()
                      .encodeBuffer("<user:password>".getBytes()));
               * Sets the normal authorization if the site itself is required to be
               * authenticated before access.
               * @todo: Replace the <user:password> with your sites user id and
               * the password.
              httpsCon.setRequestProperty("Authorization", "Basic "
                      + new BASE64Encoder().encodeBuffer("<user:password>"
                      .getBytes()));
               * Reads the coockie from the header field, so we can bind this
               * coockie with the next request header if we want to maintain our
               * session so we would be able to traverse through multiple pages
               * with the same session.
              cookieString = httpsCon.getHeaderField("Set-Cookie");
              cookieString = cookieString.substring(0, cookieString.indexOf(";"));
              System.out.println(cookieString);
               * get the input stream and creates a DataInputStream.
              is = httpsCon.getInputStream();
              dis = new DataInputStream(new BufferedInputStream(is));           
               * Reads the input stream through the DataInputStream and print the
               * response line by line.
              while ((response = dis.readLine()) != null) {
                  System.out.println(response);
              dis.close();
              is.close();
              httpsCon.disconnect();
          } catch (MalformedURLException mfue) {
              mfue.printStackTrace();
          } catch (IOException ioe) {
              ioe.printStackTrace();
       * main method to test the code.
       * @param args
      public static void main(String args[]) {
          new HttpsPrototype().testHttps();
  }

• UDDI inquiry service HTTP-Basic authentication in BPEL (10.1.3.1)

  Hi Gurus,
  I'd like to know how we can setup BPEL server for Oracle Service Registry UDDI with HTTP-BASIC authentication for inquiry service (apart of OWSM solution)?
  Imagine that in Service Registry I have defined HTTP-BASIC authentication (REGISTRY_HOME/app/uddi/services/Wasp-inf/package.xml) for inquiry service used in BPEL domain (uddiLocation key in BPEL domain configuration). And now I'd like to provide credentials. In package.xml I have this
  <service-endpoint path="/inquiry" version="3.0" name="UDDIInquiryV3Endpoint"
  service-instance="tns:UDDIInquiryV3" processing="tns:UDDIv1v2v3InquiryProcessing"
  accepting-security-providers="HttpBasic">
  <wsdl uri="uddi_api_v3.wsdl" service="uddi_api_v3:UDDI_Inquiry_SoapService"/>
  <envelopePrefix xmlns="arbitraryNamespace" value=""/>
  <namespaceOptimization xmlns="arbitraryNamespace">false</namespaceOptimization>
  </service-endpoint>
  I don't see any field with username or password. Is it automaticaly taken from security provider configured for Service Registry (for example LDAP)? If yes then it is clear.
  But what about BPEL engine, where can I provide those credentials? Is it some secret configuration file? Or only supported way is to configure it through OWSM component in order to enrich request by credentials (what about license, when customer doesn't want to use OWSM)?
  Do I miss something in this concept?
  Thanks
  Peter

  as said internally - file an ER for it pls - and I will take care of it, depending on the demand - either for 10.1.3.1 GA or 10.1.3.1 patchset ..
  we will support only HTTP Basic Auth - rest will follow per customer demand ..
  /clemens

• SAP Fiori Basic Authentication Popup

  Hi All
  Please advise on how to disable the basic authentication pop-up screen - I am unable to reach the SAP Fiori login page instead I get a basic http popup screen.
  Please advise
  RGDS
  Ted
  Tags edited by: Michael Appleby

  Hi Ted,
  Go to SICF - > /default_host/sap/bc/ui5_ui5/ui2/
  Error pages tab -> Configuration -> System logon configuration ->
  Regards,
  Tejas

• How to access SOAP web service with authentication, HTTP basic Authentication

  Dear All
  i use Flash Builder 4.5, flex 4..1, i am developing a flex client to soap webservices hosted over Glassfish 2 Java server, the web services is protected by HTTP Basic Authentication, everythime i run my code , the prombt for username and password show up, i need to pass user name and password through action script, i followed the flollowing (but was for http web service, not soap) but really did not work.
  http://stackoverflow.com/questions/490806/http-basic-authentication-wi th-httpservice-objects-in-adobe-flex-air
  http://forums.adobe.com/message/4262868
  private function authAndSend(service:HTTPService):void
          var encoder:Base64Encoder = new Base64Encoder();
          encoder.insertNewLines = false; // see below for why you need to do this
          encoder.encode("someusername:somepassword");
          service.headers = {Authorization:"Basic " +encoder.toString()};                                               
          service.send();
  Also i noticed in debug mode, always that WARNNING raised up
  Warning: Ignoring 'secure' attribute in policy file from http://fpdownload.adobe.com/pub/swz/crossdomain.xml.  The 'secure' attribute is only permitted in HTTPS and socket policy files.  See http://www.adobe.com/go/strict_policy_files for details.
  any idea ?

  Hello,
  I don't know if this could help.
  Another way to connect to a web service by SOAP and WSDL is to click on the Data/Services panel, then click on "Connect to Data/Services" and then select the "Web Service" (WSDL) icon. This could help as well.

• Help needed for using BASIC authentication through JDBCRealm

  Help needed.
  Hello,
  I am doing a degree project, so far it works fine in my local machine, I need to try it on my virtual hosting (as it is a live server).
  My project requires JDBCRealm, that is BASIC authentication loading access data from mysql database. Normally this setup can be done in Server.xml file, because my Tomcat hosting is a virtual one, I only have permission to access the web.xml file.
  My question is: is it possible to get it done in an alternative way? In web.xml? Some properties file maybe?
  Thank you very much.

  You can set this up for your context using META-INF/context.xml instead of working with server.xml.
  Make a directory called META-INF under your webapp ( it'll be at the same level as WEB-INF ). Under this, add a context.xml with all your context specific configuration including the realm. A sample is below
  <?xml version="1.0" encoding="UTF-8"?>
  <Context path="/myApp" reloadable="true">
      <Realm
          className="org.apache.catalina.realm.JDBCRealm"            
          driverName="com.microsoft.jdbc.sqlserver.SQLServerDriver"         
          connectionURL="jdbc:microsoft:sqlserver://127.0.0.1:1433;DatabaseName=myDB;SelectMethod=Cursor;"
          connectionName="username" connectionPassword="password"
          digest="MD5" userTable="users" userNameCol="userid" userCredCol="userpassword"
          userRoleTable="user_roles" roleNameCol="rolename"
      />
  </Context>Hope this helps.
  People on the forum help others voluntarily, it's not their job.
  Help them help you.
  Learn how to ask questions first: http://faq.javaranch.com/java/HowToAskQuestionsOnJavaRanch
  ----------------------------------------------------------------

• Forms based authentication + Basic authentication = no way to use the basic auth!!!!

  Hi,
  I setup a test sharepoint site, claims mode, with both the forms and basic authentication  enabled.
  I expect to see the page asking me which authentication method I want to use, but I never see this page!!!
  I have to select the windows authentication (NTLM or Kerberos) to see this page!
  why using only the Basic authentication did not prompt the user?
  and how to be authenticated using the basic authentication rather than the forms auth when both are enable for the same site?
  >I do NOT want to extend my site to have 2 zones... my question is ONLY with 1 zone configured.

  What is the business purpose for using Basic Auth over NTLM/Kerberos?
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Web Service Call with Basic Authentication does not work

  If I try to use Basic Authentication in my Web Service Client with the automatically created methods
  setUsername(inUserName)
  setPassword(inPassword)
  setAddress(inAddress)
  the application does not make a call. Did I forget something?
  Is it possible to use "Test Method" with Basic Authentication?
  Thank you.

  Thank you for your answer.
  But: I already read this article. And it doesn't help me.
  I use the following code:
              getMyServiceClient1().setUsername(inUserName);
              getMyServiceClient1().setPassword(inPassword);With this code I always get a java.lang.NullPointerException.
  The methods setUsername and setPassword are definded as follows:
  public void setUsername(String inUserName) {
          myStub._setProperty(Stub.USERNAME_PROPERTY, inUserName);
    public void setPassword(String inPassword) {
          myStub._setProperty(Stub.PASSWORD_PROPERTY, inPassword);
    }But if I look at the methods which are generated automatically by Sun Java Studio Creator I cannot find _setProperty.
  I also found this thread in your forum:
  http://swforum.sun.com/jive/thread.jspa?forumID=123&threadID=54773

• How to set up and test the Basic Authentication for HTTP protocol

  Hi,
  I tried configuring the password based Basic Authentication for sending xml document using ebMS - HTTP protocol. I set username and password while configuring the transport server for both trading partners. I want to know, is that sufficient for basic authenticaton. When I open the URI http://localhost:7778/b2b/transportServlet, it is not asking any authentication (username/password). Please note that I have not used SSL certificate. Anyone please help me out to configure Basic authentication.

  Hi Ramesh,
  Thanks for ur response. Could you please tell me where to set the Additional Transport header : authtype-basic#realm=myRealm(in which property file). In enqueue code, I could see the following attributes
  queue
  msgID
  replyToMsgID
  from
  to
  eventName
  doctypeName
  doctypeRevision
  msgType
  payload
  attachment
  subscriber
  Is it possible to set username/password in the enqueue attributes?
  Do i need to add username/password and Transport header in the input XML and defined that elements in xsd?

• How do I protect my JNLP, my JARs etc. (with Basic Authentication)???

  hi all,
  i know that there is a FAQ ( [see here|http://lopica.sourceforge.net/faq.html#obfuscate] ) answering a related question with "You can use an obfuscator...". ok, but is there really no other solution?
  this is the simplified folder structure of my application on the server:
  [application]
    [etc]
      xyz.xml
    [jars]
      myapp.jar
    launch.jnlp
  website.jsp
  initial start and basic authentication:*
  my first idea was to secure everything underneath "application" with basic authentication via my web.xml (yes, i'm aware of the security concerns). this means everybody can access my website (here: website.jsp) which contains a start button that links to "launch.jnlp". as soon as the user clicks on it, the browser opens its standard authentication dialog since launch.jsp is in a protected area. after entering the correct credentials the jnlp-file is downloaded and java web start takes over control. first of all it seems as it tries to access the same jnlp-file again (??? --> probably in order to check for changes in the jnlp file --> this is certainly not the case for the initial startup) and then wants to download the relevant jar (myapp.jar). because both resources are protected jws opens its own basic authentication dialog where i have to enter the same credentials the second time. as far as i know, there is no solution to pass the credentials between the browser and the jvm.
  second start and basic authentication:*
  if the user starts my application for the 2nd, 3rd, ... time via desktop-link (set in jnlp-file) there is no need for accessing my website with a browser. therefore only the authentication dialog of jws gets displayed. so far, so good!
  and now the actual problem:*
  during runtime my application (signed with verisign certificate and having all permissions) uses commons-vfs and commons-httpclient to access resources on the same server (e.g. etc/xyz.xml). since they're underneath the protected "application" directory as well, my application needs the same credentials the user already entered in the authentication dialog of jws. now i could retrieve these credentials by calling Authenticator.requestPasswordAuthentication() within my application and passing them to vfs and httpclient. however, doing so opens up jws' authentication dialog again. grrr!!! is there a way to prevent this?
  related thougts:*
  i know i could disable jws' default Authenticatior and set my own Authenticator which might be able to return already entered credentials without opening the dialog a second time. however, it seems that even with <property name="javaws.cfg.jauthenticator" value="none" /> jws still opens its own dialog when acessing the JNLP file and the relevant JARs during the startup/download phase. of course, who else if not jws could handle that phase? my application might not even be downloaded at this point. so i guess setting my own Authenticator would not be a solution either (at least not if i want to secure my jnlp and my jars, too). quite the contrary, it would have to open another dialog... :-(
  my current solution:*
  for the moment i use jws' default Authenticatior which allows me to easily protect all my stuff on the server side (jnlp, jar, etc). i can live with the two login dialogs at the initial startup. and instead of querying the credentials from jws' default Authenticatior at runtime, i set two system properties for username and password in the (protected) jnlp-file, query them at runtime and hand it to vfs and httpclient. this prevents the 2nd (or 3rd) dialog but is definitely not a great solution. most of all i'm not happy with the fact that this somehow "destroys" the container-based security advantage of easily configuring authorized users via a separate mechanism e.g. tomcat-users.xml. now there has to be one master-password that has to be set in the jnlp-file! grrr!
  a possible alternative:*
  i'm not sure but would it be better to secure everything with form-based authentication on the website, and dynamically generate username and password into the jnlp-file? but what happens when the admin changes the password on the server and the user starts its application via desktop-link??? in case of basic authentication i think jws would popup the login dialog again. however, if i use the old username and password generated into the jnlp it won't work. i think the user then has to access the website again. this is not good at all! :-(
  the only real solution:*
  should i write a small application which can be downloaded by everybody and on startup queries the user's credentials, validates them with the help of our server, and uses the javax.jnlp-api to download the secured JARs of my real application? this seems so much overkill! does anybody have experiences with this approach? how difficult is it to implement the whole download/update stuff with javax.jnlp?
  WHAT HAVE I MISSED???
  AM I COMPLETELY WRONG???
  WHAT IS THE EASIEST WAY???
  AND WHAT IS THE BEST WAY???
  thank you so much,
  stephan

  Not sure, whether I understood correctly, what you wanna do - but up to now I can't see any problem.
  if you have a structure like this:
  /ctxroot/
         launch.jnlp
         /app/
             *.jar
             *.whateveryou may use in your web.xml:
       <servlet>
            <servlet-name>JnlpDownloadServlet</servlet-name>
            <servlet-class>jnlp.sample.servlet.JnlpDownloadServlet</servlet-class>
       </servlet>
       <servlet-mapping>
            <servlet-name>JnlpDownloadServlet</servlet-name>
            <url-pattern>*.jnlp</url-pattern>
            <url-pattern>/app/*</url-pattern>
       </servlet-mapping>
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>Application</web-resource-name>
                 <url-pattern>/app/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                 <role-name>bla</role-name>
                 <role-name>fahsel</role-name>
            </auth-constraint>
            <user-data-constraint>
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>Subscription</web-resource-name>
                 <url-pattern>*.jnlp</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
       <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>whatever-realm</realm-name>
       </login-config>
       <security-role><role-name>bla</role-name></security-role>
       <security-role><role-name>fahsel</role-name></security-role>
  ...Than you may use the Service stuff like:
       BasicService bs = (BasicService)ServiceManager.lookup("javax.jnlp.BasicService");
       URL codeBase = bs.getCodeBase();
       URL pu = new URL(codeBase.toString() + "whatever.bla");
       HttpURLConnection res = (HttpURLConnection) pu.openConnection();
       res.setInstanceFollowRedirects(true);
       res.setRequestMethod("GET");
       res.setConnectTimeout(10 * 60 * 1000);
       res.connect();
       String enc = res.getContentType();
  ...Where is the problem? If you wanna intercept certain "calls" to an app resource, just use a filter, which decides, whether to answer the request directly by itself or to pass it to the JnlpDownloadServlet ...

• Get current password in a basic authentication JSP

  Hello.
  I've written some JSP pages and I've protected them with BASIC authentication.
  I'd like to get the password that the user used to log in, because I need to execute a EJB method running on other server and this EJB method is also protected.
  Thanks in advance for your help
  Kind regards.

  I've just resolved it!
  Password comes in the request instance as "authorization" header coded in Base64.
  Only had to retrieve the header and decode it.