Password protecting a web service

I have to develop a web service which will need to validate the client that is requesting the service. Should I include the user/password information in the SOAP payload, or would it be better placed in the headers? If so, how could I achieve that with JDev 902/903? Does the web service wizard support something like this? Does anyone have some sample code?
Additionally, is there a way to encrypt both the user and password so they won't be transmitted as plain text? Are there any samples doing something like this?
Thanks,
Fedro

JDev 902/903 does not directly support this. But you can pass a username and password programmatically by modifying the generated proxy.
You can send the user name and password not as part of the SOAP message but as part of the HTTP headers. On the server side you can set the basic security to protect the SOAP servlet endpoint using basic J2EE features. Look at the OC4J developer's guide.
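
As an added example, not from the original thread or from JDeveloper/OC4J: a client that sends the credentials in the HTTP Authorization header rather than in the SOAP payload, against a local endpoint protected by Basic authentication. The JDK's built-in com.sun.net.httpserver stands in for the container's security constraint, and the user name, password and /soap path are constructed values.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class BasicAuthSoapDemo {
    // Constructed sample values for this example, not taken from the thread.
    static final String USER = "svc-client";
    static final String PASS = "s3cret-example";
    static final String SOAP =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>";

    /** Authorization header value for HTTP Basic: "Basic " + base64(user:password). */
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** What any reader of the request recovers: Base64 is an encoding, not encryption. */
    static String decodeBasicHeader(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    /** Starts a local endpoint that rejects requests without valid Basic credentials. */
    static HttpServer startServer() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        HttpContext ctx = server.createContext("/soap", exchange -> {
            // Reached only after the authenticator has accepted the caller.
            byte[] body = ("<ok user=\"" + exchange.getPrincipal().getUsername() + "\"/>")
                    .getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) { out.write(body); }
        });
        ctx.setAuthenticator(new BasicAuthenticator("soap-realm") {
            @Override public boolean checkCredentials(String user, String password) {
                // Constant-time comparison of the password bytes.
                return USER.equals(user) && MessageDigest.isEqual(
                        PASS.getBytes(StandardCharsets.UTF_8),
                        password.getBytes(StandardCharsets.UTF_8));
            }
        });
        server.start();
        return server;
    }

    /** POSTs the SOAP envelope; credentials travel only in the HTTP header. */
    static int call(int port, String authorization) throws Exception {
        URL url = new URL("http://127.0.0.1:" + port + "/soap");
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        if (authorization != null) c.setRequestProperty("Authorization", authorization);
        try (OutputStream out = c.getOutputStream()) {
            out.write(SOAP.getBytes(StandardCharsets.UTF_8));
        }
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startServer();
        int port = server.getAddress().getPort();
        try {
            String header = basicHeader(USER, PASS);
            System.out.println("no credentials    -> " + call(port, null));
            System.out.println("wrong password    -> " + call(port, basicHeader(USER, "guess")));
            System.out.println("valid credentials -> " + call(port, header));
            System.out.println("header on wire    : " + header);
            System.out.println("decoded by anyone : " + decodeBasicHeader(header));
        } finally {
            server.stop(0);
        }
    }
}
```

The last two lines of output show that the header is only Base64-encoded, so Basic authentication needs HTTPS to keep the credentials from being readable in transit.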

Similar Messages

  • Passing User-Password - while invoking web service

    Hello Gurus,
    I am calling a web service in which authentication is required. If I am invoking it through a browser, I can pass the user name and password.
    But I am calling from a plain Java class. How should I pass the authentication parameter?

    Hi Suresh & Mukesh,
    Suresh:
    I started the service by going through the following path System Administrator > System Configuration > Service Configuration > Application > <SERVICE_NAME> in system configuration of portal
    Mukesh: Here I don't have any proxy settings.
    Can you please let me know where I'm going wrong.
    Thanx,
    Dheeram

  • Can't access password protected .Mac Web Gallery

    Safari is my primary browser. I have been creating web galleries using iLife '08 and my .Mac account and then viewing them with Safari for the past month or so with no trouble. This weekend I tried creating a password protected web gallery and it won't load in Safari. The gear icon just spins forever and has timed out when I have left it alone long enough. My other web galleries continue to load just fine. Clicking on the link from within iPhoto for my password protected gallery doesn't work, typing the url into Safari doesn't work, going to my gallery index and clicking on the icon of the "locked" gallery doesn't work, etc. I can still view all of my other web galleries, but this one that I'm trying to protect just won't load.
    This actually appears to be a Safari problem. I don't get a dialog asking for User Name and Password. The url works just fine using Firefox on my Mac, and it also works on a PC running Windows XP. When using something other than Safari, I get the prompt for User Name and Password that I would expect. Upon entering that information, everything looks normal and works just fine.
    Tsk tsk Apple! Safari shouldn't be having trouble displaying protected .Mac web galleries. Sheesh!

    Just wanted to let you know that I have the EXACT SAME problem, except it is affecting my password protected iWeb site and my Gallery. I can view it from Firefox, so that is the web browser I am using now. I sent a bug report to Apple, and I also sent them a request for help using e-mail, but so far I have gotten no response. Hopefully someone is working on the fix?

  • Protecting a Web service in XI 7.0

    Hello Experts,
    The developers have asked my help to disable access through plain http to a web service...
    In theory, ssl is already enabled. As I'm able to access XI through the browser using https (the certificate is self-signed, but that shouldn't be a problem).
    The Sender Channel is set as HTTPS with client authentication. We've defined the web service and we are able to use it with plain http.
    All the documentation I have found throughout the web is to seal the whole xi with ssl, but we want to secure just one web service.
    any help?
    Cheers,
    Thiago Delou
    Basis Team

    I don't think SSL for a service means enabling HTTPS access of the server. For enabling one service to use SSL, you have to get a certificate from a CA and import it into the PI Java/ABAP stacks. Then configure in the ABAP stack for the plain http adapter (you might have to create a new one by copying the default HTTP adapter on the ABAP stack).
    Not absolutely sure though. Just some info..!!
    VJ

  • How to pass username/password to BPEL web service from java proxy?

    Hi all,
    Environment : SOA Suite 11g
    I am using basic http authentication in my SOA services using "oracle/wss_http_token_client_policy" policy. Now I need to invoke these SOA web services from a java proxy.
    Please let me know how this can be done.
    Thanks in advance

    Have you tried the below posts ?
    BPEL to invoke Webservice secured with HTTP Basic authentication
    Invoke a BPEL process using HTTP Basic Authentication
    http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm#CHDBAHBI
    Thanks,
    Vijay

  • Password protecting a web folder with .htaccess

    I'm trying to set up .htaccess for a folder on my website. I've created the .htpasswd file (on the volume root folder) and the .htaccess file in the folder I'm trying to protect. I've turned on Allow All Overrides in Server Admin Web>Options. But so far I'm not getting a dialog box asking for a password.
    The contents of the .htpasswd are:
        kcpcu:$........
    The contents of the .htaccess file are:
        AuthUserFile /.htaccess
        AuthType Basic
        AuthName "KCPCU"
        Require valid-user
    I'm at a loss on what to do to get this working. Any ideas?
    Thanks!

    Make a backup copy of your 'httpd.conf' file. Then find the line that says:
        AllowOverride None
    And change it to:
        AllowOverride AuthConfig
    If you are using virtual domains you will have to edit the virtualhosts '.conf' file and add these lines:
        <Directory /docroot/www.yourdomain.tld/html>
            Options Indexes FollowSymLinks
            AllowOverride AuthConfig
        </Directory>
    Check the owner and permissions on the .htaccess file. Set the permissions on the .htaccess file:
        chmod 644 /path/to/.htaccess
    and
        chown www:www /path/to/.htaccess
    There's no need to place the password file in a directory of the top level of the volume. It can exist in /etc/httpd or one directory up from the webserver document root directory. Just make sure the permissions are set to '644'.

  • Site Password - Protection from Web Crawlers?

    Hello!
    I tried looking online but I couldn't find a quick and confirmed answer. Maybe you folks can help:
    If I set a password for my iWeb site, which is published to my MobileMe account, will its content be protected from search engines (Google, Bing, ..).
    I want to make sure that whatever I put on that website remains private and only those with the username/password can access it.
    Much appreciated!

    It should do. If Google does not know that your site exists, then there is nothing to crawl or find.

  • LV2012 Web Services w/ NI Auth login not working w/ static files in Firefox 19

    Hi!
    I followed this procedure to password protect my web service and the static files. 
    http://digital.ni.com/public.nsf/allkb/DF41D5DA8EEB4840862577D90058C208
    When testing it out with my web service it seems to work fine on any web browser.  http://localhost:8080/add/add/1/2 first will present a login.  Once the user is logged in the page refreshes and the results of the operation are shown.  http://localhost:8080/logout works as well.
    I followed the procedure in the FAQ to include an index.html file.
    http://www.ni.com/white-paper/7747/en#toc15
    When I try to access the page (via http://localhost:8080/add/web/index.html) I'm greeted with the National Instruments login screen. I enter my credentials and in Chrome and Internet Explorer the screen refreshes and I see my html file. In Firefox it hangs for a while on the authentication screen and then reloads back to the authentication screen (as if the username and password did not take).
    Attached are my files.  If you want to try and recreate this please follow this procedure:
    * Unzip the attached project to a folder
    * Open the project in LabVIEW 2012
    * Check the properties of the web service to ensure that the build paths are correct
    * Follow the procedure above for setting up NI Auth on your web service and adding the "testpermission2" permission.  Be sure to remove "Everyone" from that "testpermission2" or you will never see a login prompt.
    * Build/Deploy the web service
    * open http://localhost:8080/logout to ensure that you are not currently authenticated
    * open http://localhost:8080/add/add/1/2 and login, observe behavior
    * open http://localhost:8080/add/web/index.html you should still be logged in so you will see the "Hello World!" just fine
    * open http://localhost:8080/logout to log back out
    * open http://localhost:8080/add/web/index.html and see if you are able to login.
    I've tried disabling my plugins in Firefox and still have this problem. I'm really scratching my head on how to overcome this other than throwing away NI Auth and using something else. My web service is going to run off of a static front end driven by javascript and html. So the access point will be the html file. I need to have some username and password scheme worked out. I also need to be able to see what user is currently logged in with my Web Service VIs (does anyone know if that is possible with NI Auth)?
    The other BIG issue I have with NI Auth is that it requires Silverlight. So much for mobile support, eh? Anyone know of a good plug-and-play alternative so I don't have to reinvent the wheel? I guess I could implement some kind of token system on my web service side.
    In the meantime, getting NI Auth to properly work with Firefox would help.
    Thanks for your input,
    -Nic
    Attachments:
    Example Web Service.zip (15 KB)

    Disclaimer: I in no way mean to bash NI and I have used NI Auth myself in the past
    If you are going to go to the trouble of abstracting NI Auth, I would recommend instead investing your time in your own authentication scheme (or implementing a standard scheme in LV).
    NI Auth is great and works for low security applications where you just don't want people fooling around with your application who shouldn't be.
    However, NI Auth is really not that secure.  If I remember correctly, the username is transmitted in plain text and I don't think the encryption algorithm is that sophisticated.  It is nice that it's already integrated into LV, but there really are very few features at this time.
    If you want something to be really secure, you need to take measures beyond what NI Auth provides and before you go to the work of building abstraction on top of a basic and somewhat shaky protocol, I'd seriously consider implementing a more stable base.
    <insert 2 cents complete>
    Chris
    Certified LabVIEW Architect
    Certified TestStand Architect

  • How-to access username and password protected Java EE Web services from ADF

    The title of this post is exactly the same as this article by Frank Nimphius:
    http://www.oracle.com/technology/products/jdev/howtos/1013/protectedws/access_protected_web_services_from_adf.htm
    The article addresses the problem of securing web services using usernames and passwords, when those web services are accessed through a proxy or a data control. In the examples, the user names and passwords are specified, whether in the code or the definition of data controls. (SKING/SKING).
    In a very common scenario, users login to reach a page, for example, A.jspx, which contains a button that calls a web service, for example displayDate. Suppose that user has logged in by username/pass of (AHUNOLD/AHUNOLD) and AHUNOLD has access to the service and the page. Is there any way to pass the logged in user name and password to the webservice ? Of course we can hard-code the username in the data control definition or proxy code, but this is just one of the thousands of users who have access to the service and the authentication is not dynamic this way.
    Hope my question is clear. Wishing you all a great Christmas.
    Farbod

    Hi Frank, and happy new year.
    Are you implying that it couldn't be done declaratively? What is your suggestion for this problem? You know the problem... As I described:
    - I need to secure my web services, so when exposed, no one from inside network or the internet, can access the web service without proper permission
    - The web services are shown as web controls on jspx pages. The user has logged in before reaching the page. It is irrelevant to ask him to enter user name and password again.
    - I have user names, passwords and roles in Oracle Internet Directory (Identity Management). It provides some APIs and I can retrieve the usernames and attempt logging in programmically. But how can I get username and password from the session in ADF application?
    I guess using SAML or certificate could be the solution, but I have a problem with SAML, described here:
    Re: Webservices Security, SAML, and Identity Management (OID)
    Best Regards,
    Farbod

  • Web service functions in SSO without username and password

    Is there a way to use the Public Report Web Service functions when configured in SSO and without passing a username and password? I was able to try out the web service and make it work. As we all know, you need to pass a username and password for each web service call unless your reports can be accessed by guests. In an SSO + LDAP server configuration, there are cases in which you are not allowed to get the password. The password can not be decrypted.
    Is there a way to still use web service? or do you need to use the url approach instead? But if you use the url approach then you may be limited to generating reports only.
    I'm thinking there should be since if you are already logged in for SSO then you should be able to generate.
    Any way to configure this?

    "When I access web reports from bw."
    I hope you are not talking about BEx web reports, since you have mentioned ITS.
    Is it a standalone ITS or integrated ITS?
    Can you post the URL pattern here?
    Regards
    Raja

  • Apache web directory password protection

    Hello all,
    I seem to be having a problem password protecting a web directory. I have my .htpasswd file and all of my directory info set up in my httpd.conf file but when I go to this directory via the web, I get prompted for a username and password but when I enter my username and the password that is in my .htpasswd file, it simply keeps prompting me for my password as if the user or the password is incorrect. Can anyone give me any hints as to how I can fix this?

    lovell,
    hi. glad you got it working. as for setting the permissions...
    for our server, which is FreeBSD but essentially no different, i setup basic auth directories as follows:
    username = My Admin User in all cases. I am assuming that www is the owner:group of the server process.
    I chown -R the directory to username:www. I then set the permissions on the directory to 0750 which allows rwx for the user and r-x for the group. the execute bit should be set on the directory to allow traversal by the webserver.
    as for the files in the directory, the chown -R of the directory should set all content ownership to username:www. Then I chmod all contents to 0640. this allows the owner to read and write and the webserver to read only. this does not allow any permission for folks outside of the owner or members of the www group (e.g. via terminal or ssh).
    now, the auth method of the webserver should be able to determine who has read access to the files. in your case, this is for the user 'lmcilwain'. e.g. only the user entering the proper credentials into the authorization box should be able to view the files (at least through their browser).
    remember, too, that basic auth passes passwords in plain-text, so if bad people want to intercept your password and username, they can do this if they really want to.
    that being said, basic auth is ok for things like pdf documents and whatnot. i wouldn't put anything terribly important in a directory 'protected' by basic auth, however.
    cheers,
    b
    some macs, some bsds, some tuxs   Mac OS X (10.4.4)  

  • Pass ODI User/Password To Web Services

    Hi Experts,
    If we use 11g ODI WebService to invoke an ODI scenario, what's the best practice to pass in the ODI username/password to the web services client, in a password-encrypted format?
    Thanks for your input.

    The answer to this question was to use another function exposed by the Directory Management Web services, {domain}/soap/services/DirectoryManagerService?WSDL&lc_version=9.0.1.
    The function in question is called updateLocalUser().
    You can find more information here, http://help.adobe.com/en_US/livecycle/9.0/programLC/javadoc/com/adobe/idp/um/api/Directory Manager.html#updateLocalUser%28com.adobe.idp.um.api.infomodel.User,%20java.lang.String%29.

  • Web Services - Username / password

    Hi,
    I was just playing around with web-services and wanted to create a simple web-service where a client will send a username/password to a web-service running on a local Tomcat server (port 8080). In response, the service will return a "hello <username>" and display a password valid message on the client side. I am writing both the client code as well as the server code using the Java/axis classes. I have the following code so far .. please let me know if I have done it correctly and how do I proceed with writing the service-code?
        // The client that sends a username and requests a web service
        import org.apache.axis.client.Call;
        import org.apache.axis.client.Service;

        public class ClientDOC {
            public static void main(String[] args) {
                try {
                    String sEndpoint = "http://localhost:8080/axis/services/RPCuser";
                    String sOperationName = "HelloUser";
                    String sUserName = args[0];
                    String sPassword = args[1];
                    // Making the connection
                    Service userNameService = new Service();
                    Call SOAP_call = (Call) userNameService.createCall();
                    SOAP_call.setTargetEndpointAddress(new java.net.URL(sEndpoint));
                    // Credentials are set on the call, not passed as operation arguments
                    SOAP_call.setUsername(sUserName);
                    SOAP_call.setPassword(sPassword);
                    SOAP_call.setOperationName(sOperationName);
                    System.out.println("Calling HelloUser Service");
                    System.out.println(SOAP_call.invoke(new Object[]{}));
                } catch (Exception e) {
                    System.err.println(e.toString());
                }
            }
        }

    Web-Service
    ~~~~~~~~~~
        package services.RPCuser;

        public class ServiceRPC {
            public String HelloUser() {
                String sMsg = null;
                try {
                    // TODO? How do I get the Username and Password parameter
                    String sUserName = null;
                    String sPassword = null;
                    // equals() compares string contents; == compares references
                    if ("pass".equals(sPassword)) {
                        sMsg = "Hello " + sUserName;
                    } else {
                        sMsg = "Invalid Password";
                    }
                } catch (Exception e) {
                    System.err.println(e.toString());
                }
                return sMsg;
            }
        }

        <S12:Envelope xmlns:S12="..." xmlns:wsse="..." xmlns:wsu="...">
          <S12:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:Username>TestUser</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TestPassword</wsse:Password>
              </wsse:UsernameToken>
            </wsse:Security>
          </S12:Header>
        </S12:Envelope>

  • How to prevent downloading wsdl in weblogic web service client

    Hi,
    I get a problem regarding weblogic web service client. My working environment:
    weblogic server 8.1
    Windows XP SP2
    JDK 1.4
    I use the weblogic tool to generate the client jar file from the wsdl file.
        <target name="generate-client">
            <clientgen wsdl="ACCESS.wsdl"
                packageName="xxxxxx.client"
                clientJar="${client}/${AccessClient_jar_file}"
                keepGenerated="true"
                saveWSDL="true"
            />
            <javac srcdir="${source}"
                destdir="${client}"
                includes="**/AccessClient.java">
                <classpath>
                    <pathelement path="${client}/${AccessClient_jar_file}"/>
                </classpath>
            </javac>
        </target>
    After that, I create a client java file to invoke the service deploy in the server.
        public static void main(String[] argv) throws Exception {
            int transactionId = 100;
            int id = 1000;
            // Setup the global JAXM message factory
            System.setProperty("javax.xml.soap.MessageFactory", "weblogic.webservice.core.soap.MessageFactoryImpl");
            // Setup the global JAX-RPC service factory
            System.setProperty("javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
            AccessServicePorts ws = new AccessServicePorts_Impl(argv[0]);
            AccessService port = ws.getAccessService();
            // Resource - create
            Resource resource = new Resource();
            resource.setRES_CD("Create ResCo");
            resource.setCODE_CODE("code_cod");
            resource.setRES_TYPE("Resource typ");
            resource.setCOMMON_FIELD(common);
            AccessDefaultResult resultItems = port.createResource(resource);
            System.out.println("createResource : " + resultItems);
        }
    I find that this web service client always issues 2 http requests to invoke a web service method deployed on the server.
    1st http request:
        GET /AccessEpol/EpolServiceSoap?WSDL HTTP/1.1
        User-Agent: Java/1.4.2_08
        Host: 127.0.0.1:8001
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: keep-alive
    The returned result is the wsdl downloaded from the server.
    The 2nd http request is the real web service request.
    The question is how I could eliminate the 1st http request, because it's really unnecessary. I use other web service clients like Axis 1.x; the Axis client never makes the http request to download the wsdl from the server.
    I read through the weblogic web service document. It does mention putting saveWSDL="true" in the clientgen ant task. The default value for saveWSDL is true already. I did try saveWSDL="false" also. Neither of them eliminates the 1st http request.
    I'd appreciate any answer to my question.

    Hi David,
    thanks for the reply.
    More or less I agree some points you mentioned above.
    I did use Axis 1.x to test the inter-operability. The web service was developed in Weblogic 8.1 and is a part of an existing web application. It will be merged to existing application deployed in weblogic 8.1.
    I also program the web service client to test the web service.
    The implementation of the server and client will be handed over the project team and training for supporting or continuous development have to be conducted by me. So I don't like to use two types of technologies which will make thing complex.
    I found this issue when I tried to protect the web service endpoint, e.g. http://localhost:7001/epol/service, using the web application Basic mechanism. The wsdl URL http://localhost:7001/epol/service?WSDL is also protected in this case. Unfortunately the username/password pair is not sent to the server when the weblogic client downloads the WSDL from the server. In this case, the client fails and throws an exception.

  • Web services security

    I want a JAX-Ws web service deployed in weblogic that does userid/password authentication. It would be nice if Oracle could provide a good working example of this.
    I tried the following so far:
    1. I tried on the web service samples: under wlserver_10.3/samples/server/examples/src/examples/webservices/security_jws. I built and deployed the service successfully to WSL 10.3.0. I used the test Java client and it seems to work. Then I tried connecting to the web service using SOAP UI client. SOAP UI was able to call the web service operation without being prompted for id or password.
    2. I tried the steps under Security->Authentication->Basic Authentication section of this document:
    http://e-docs.bea.com/workshop/docs81/doc/en/core/. I setup a security-constraint (to protect the web service url context), login-config, security-role and then in weblogic.xml I mapped the role to the 'users' role in weblogic server. It does not work. SOAP UI was able to invoke the operation without being prompted.
    Another interesting thing I found was that on the client side if I use code like this:
        BindingProvider bindingProvider = (BindingProvider) port;
        Map<String, Object> reqContext = bindingProvider.getRequestContext();
        reqContext.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
        reqContext.put(BindingProvider.PASSWORD_PROPERTY, "xxxxxx");
    and supply the wrong password, client connection fails. However if I take out both user name and password properties, the client connection works!!!
    Please provide good working example of some of these simple cases. May be on your new sample code website (www.samplecode.oracle.com). Thanks.

    On item 1 in my post above, I was wrong about SOAP UI when connecting to the example in wlserver_10.3/samples/server/examples/src/examples/webservices/security_jws folder. A client connection from SOAP UI is indeed refused by the server due to lack of security headers. So that's good.
    However, I changed the security_jws example ant build file and added the parameter type="JAXWS" to the jwsc task as well as clientgen task. I got the following error.
    BUILD FAILED
    C:\Oracle\Middleware\wlserver_10.3\samples\server\examples\src\examples\webservices\security_jws\build.xml:48: weblogic.
    wsee.tools.WsBuildException: JWS Validation failed: [The WebLogic Server 9.x-style policy is not supported in JAX-WS web
    services., The WebLogic Server 9.x-style policy is not supported in JAX-WS web services., The WebLogic Server 9.x-style
    policy is not supported in JAX-WS web services., The annotation weblogic.jws.WLHttpTransport is not allowed on examples
    .webservices.security_jws.SecureHelloWorldImpl because it is a JAX-WS type web service., The WebLogic Server 9.x-style p
    olicy is not supported in JAX-WS web services., The WebLogic Server 9.x-style policy is not supported in JAX-WS web serv
    ices., The WebLogic Server 9.x-style policy is not supported in JAX-WS web services., The annotation weblogic.jws.WLHttp
    Transport is not allowed on examples.webservices.security_jws.SecureHelloWorldImpl because it is a JAX-WS type web servi
    ce.]
    Total time: 2 seconds
    What is recommended way to do secure a jax-ws web service in Weblogic 10.3.0 or 10.3.1? Do these Weblogic versions support WSIT (https://wsit.dev.java.net/)? Please provide an example.
