Using HTTP basic auth in WebService

Hi,
I am writing a flex app that needs to talk to a pre-existing
SOAP web service. Unfortunately the web service uses http basic
auth to authenticate a user. I am trying to figure out exactly how
this is accomplished but I cannot find any substantive data on the
subject. So I was hoping someone here could point me in the right
direction or possibly answer the question outright.
I DID find reference to using the useProxy attribute on the
WebService element (and that I would need to make some changes to a
flex-config.xml) but I could not get this to work, nor could I find
any explanation as to what exactly I was doing. I, as a workaround,
attempted to place the auth info in the url (e.g.
http://user:passwordhash@host:port/wsdl)
but this did not work either as the request never made it to the
server, I am assuming actionscript doesn't like this format?
Anyway, does anyone have any advice/pointers? Any help would
be appreciated.

Similar Messages

RemoteObject and http basic auth

Hello,
I am writing an AIR application and I have a RemoteObject
that has an endpoint secured using http basic auth. Whenever I try
to send the RemoteObject request, a username/password window is
displayed to the user. How do I automatically send the
username/password? Using setCredentials or setRemoteCredentials
doesn't seem to affect this - looking at the data sent, the
RemoteObject is not sending a http Authorisation header.
Is this possible?

Hello,
Sorry for "waking up" this old message, but I have exactly the same probem and I can't find a solution.
I know how to send Authorization in the HTTP headers with a HTTPService, but not with a RemoteObject.
Do you know that, or have any other solution for the problem ?
Etienne

HTTP Basic Auth and Username Authentication with Symmetric Key

Hi,
I have a webservice happily running on tomcat 5.5 using "Username Authentication with Symmetric Key" I have certificates setup and everything works fine. I can even connect a .net client and use the service.
Now I have an additional requirement of authorization per operation basis so I'm planning on using the roles. My current setup uses tomcat-users.xml to configure users but I seem unable to identify the role of the user from within my code as wsContext.isUserInRole("briefing") always returns false even when it clearly isn't. Where wsContext = @Resource private WebServiceContext wsContext.
So I figure perhaps I need to add HTTP Basic Auth to tomcat for it to gather this information so I added security-constraints to the web.xml and this seems to do the trick: at least it does for my .net client.
If I do:
Service service = new Service();
Port client = service.getPort();
BindingProvider bp = (BindingProvider)client;
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "myusername");
bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "mypassword");Then it all works fine. However, I'd like a little less transparency: I don't want to have to do this every time I make a call.
My question(s) is:
1) Am I going about this the right way (perhaps I am somehow getting the incorrect reference to the WebServiceContext)
2) If I am going about this the right way I imagine the whole BindingProvider code needs to be added to as a policy configuration but I'm really not sure where to start especially as I'm using wsimport to generate everything: I'm not even sure where to configure this so it will not get overwritter.
Thanks for any help.

Doh! Ok So I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
All in all does this setup sound right?

BPEL not passing HTTP basic auth info

The BPEL control does not seem to pass the HTTP basic auth data correctly.
I placed the right credentials in the httpUsername and httpPassword properties for the partner link.
I patched SOA Suite to 10.1.3.3.1 to try to solve this problem. But it still comes up with the same result.
Any help would be greatly appreciated!

Steps for invoking secure web services from BPEL================================================
Add following lines in target wsdl(webservice)
Add xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" in the namespaces section (ensure that "ns4" is not already being used!)
Add xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" in the "schema" element
Import the namespace http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and provide a schemaLocation (physical file in the current directory)
Add the following in the "message" element for the input message type:
<s1:part name="secHeader" element="ns4:Security"/>
Add <s3:header message="__relevant_message_name__" part="secHeader" use="literal"/> within <input> element (<binding>..<operation>)
then in BPEL before invoke activity take one assign activity
in assain activity xml expression to securerity variable in target variable
<oas:Security xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<oas:UsernameToken wsu:Id="UsernameToken-15799662" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<oas:Username>username</oas:Username>
<oas:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</oas:Password>
</oas:UsernameToken>
</oas:Security>
import xsds into local workspace
oasis-200401-wss-wssecurity-secext-1.0.xsd
oasis-200401-wss-wssecurity-utility-1.0.xsd
xml.xsd
xmldsig-core-schema.xsd

JDev3: http basic auth

Can the web-to-go(?) httpd in JDev3 be configured to support http basic auth? How do I configure it to setup my realms? thnx.

Please note that I am able to do some basic programmatic configuration of the JDev3 httpd , such as doing:
oracle.jdeveloper.debugger.ServletDebugger dbg = new oracle.jdeveloper.debugger.ServletDebugger();
dbg.setRootDir("D:/JDev3/");
But I have been unsuccessful in other tasks
such as:
dbg.setDocumentRootDir("D:/myDir");
dbg.setServerPort("9090");
Compiler tells me these two methods are not supported by class oracle.jdeveloper.debugger.ServletDebugger
Info on how to configure the JDev3 httpd for - the doc root
-listen port,
- and realms for http basic auth
would be greatly appreciated. If correct documentation exists please point me to them (the JDev3 Help documentation contains erroneous information on some of these topics). thnx

Get authenticated user name (HTTP basic auth)

Hi.
How can I get the authenticated user name from a BPEL process when the service is protected with HTTP basic auth?
I'm running SOA Suite 11.1.1.5.
Thanks in advance.
Mick

Doh! Ok So I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
All in all does this setup sound right?

Web Services with HTTP Basic Auth

Hi,
I am having a problem connecting to web services which
require HTTP Basic Authentication from a Flex application. I have
useProxy set to true and call setRemoteCredentials prior to
attempting the call, but the credentials do not appear to be set on
the request (the request fails with fault.faultString = "HTTP
request error", faultCode = "Server.Error.Request". The messages on
the server indicate that the user name and password were not
specified.
I do have the proxy-config.xml file set up properly (I think
-- I followed the example in the mx.rpc.soap.mxml.WebService class
description, at least).
I can verify that the WSDL (which doesn't require BASIC auth
to access) is being loaded properly, but when I make the request,
it fails. Is this a known problem?
I am using Flex Builder 2.0.1 to build my SWF files.
Thanks,
Brendan

Thanks for the pointer, I did try it, but it didn't help.
As I said in the original post, the problem is with HTTP
Basic Authentication, so adding a header for WSSE to the service
request didn't help. It needs to be an HTTP Authorization header,
not a SOAP Security header.
Brnedan

HTTP Basic Auth and Proxy Auth

Hi,
i have a problem with the authentication against a proxy server and against a content provider. At first I have to authenticate against the proxy to get "free internet". The next step is to authenticate against the content provider to get a html or xml file.
The following source code runs very good in Eclipse, i.e. as JUnitTest. But If I execute the same code within a weblogic server, I will get an error (not authenticated). I believe I get this message from the content provider and not from the proxy because If I test this code within the weblogic server and with no authentication (i.e. google needs no authentication), I will get a valide xml/html file.
StringBuffer sb = new StringBuffer();
          SimpleAuthenticator simple = new SimpleAuthenticator("joeuser","a.b.C.D"); //from openbook
          Authenticator.setDefault(simple);
          String strUrl = "http://www.rahul.net/joeuser/";
          URL url = null;
          try {
               url = new URL(strUrl);
          } catch (MalformedURLException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          URLConnection conn = null;
          InetSocketAddress addr = new InetSocketAddress("proxy.domain",8080);
          Proxy proxy = new Proxy(Proxy.Type.HTTP, addr);
          try {
               conn = url.openConnection(proxy);
          } catch (IOException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          String proxyStr = "username" + ":" + "passwordl";
          String encoded = new String(Base64.encodeBase64(proxyStr.getBytes()));
          conn.setRequestProperty("Proxy-Authorization", "Basic " + encoded);
          // get http status code which is located in header field 0
          String status = conn.getHeaderField(0);
          if (status.contains("200")) {
               BufferedReader in = null;
               try {
                    in = new BufferedReader(new InputStreamReader(conn.getInputStream(),
                              "ISO-8859-1"));
                    String inputLine;
                    while ((inputLine = in.readLine()) != null) {
                         sb.append(inputLine);
                    in.close();
               } catch (UnsupportedEncodingException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
               } catch (IOException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
          else {
               System.out.println("Error");
          System.out.println(sb.toString());
public class SimpleAuthenticator
extends Authenticator
     private String username,
     password;
     public SimpleAuthenticator(String username,String password)
          this.username = username;
          this.password = password;
     protected PasswordAuthentication getPasswordAuthentication()
          return new PasswordAuthentication(
                    username,password.toCharArray());
Does somebody know a solution? I need the authentication against proxy and content provider in "one application".
Thank you very much,
André

I typically have used Apache Commons HttpClient for anything but trivial URL connections, and especially when combining both basic auth and proxy auth. When you use it, be aware of the "preemptive authentication" flag. One server I worked with didn't send the correct parameters back on particular requests, so I had to turn on this flag to get it to work.

Forms based authentication + Basic authentication = no way to use the basic auth!!!!

Hi,
I setup a test sharepoint site, claims mode, with both the forms and basic authentication enabled.
I expect to see the page asking me which authentication method I want to use, but I never see this page!!!
I have to select the windows authentication (NTLM or Kerberos) to see this page!
why using only the Basic authentication did not prompt the user?
and how to be authenticated using the basic authentication rather than the forms auth when both are enable for the same site?
>I do NOT want to extend my site to have 2 zones... my question is ONLY with 1 zone configured.

What is the business purpose for using Basic Auth over NTLM/Kerberos?
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Portal SRA and HTTP Basic Auth

hi all
i know that there is a LDAP attribute to store information for BASIC AUTHENTICATION : "sunPortalGatewayWWWAuthorization"
i would like to do some batch process, mapping user in IIS server to JES.
the problem is data in sunPortalGatewayWWWAuthorization attribute encrypted and i don't know what mechanism is used.
Please help me to find out what method is been used
or is there any tools to do encrypt?
many thanks in advance

Hello,
Sorry for "waking up" this old message, but I have exactly the same probem and I can't find a solution.
I know how to send Authorization in the HTTP headers with a HTTPService, but not with a RemoteObject.
Do you know that, or have any other solution for the problem ?
Etienne

Basic auth with RESTful WEb service and Web Service reference

Hi, All,
We have made much progress on getting an application working wtih RESTful web services but now are trying to figure out how to lock down a RESTful Web service while making it available for a particular application.
We are using one of the sample 'emp' table web services that come with Apex 4.2 and are trying to apply Basic Auth to the WEb Service via Weblogic filter defined in the web.xml file. That works fine. I now get challenged when I try to go to :
https://wlogic.edu/apex/bnr/ace/hr/empinfo/
And when I authenticate to that challenge I am able to get the data. (we are usiing LDAP authentication at the Weblogic level)
However, I am not sure how to get same basic authentication to work with the Web Service reference in my application. I see the error message in the application when I try to call that Web Service:
401--Unauthorized<
And I see:
"The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials"
How do I provide the credentials in the Web REference or do I provide credentials in the Application?
Web service works fine if I remove the RESTful web service basic auth from the Web.xml file.
Should we NOT use Weblogic basic auth and instead use basic auth from Workspace RESTful web service definition. If so, how do we implement THAT basic auth in the Web Service definition and in the Web SErvice Reference on the application?
Thanks,
Pat

What I mean is diid you try to use the PL/SQL package for APEX webservice. Here is an example I use (modified and shortened, just to show how much better this is than to use it from the application).
CREATE OR REPLACE PACKAGE webservice_pkg
IS
 PROCEDURE create_webservice (
 p_id IN NUMBER,
 p_message OUT VARCHAR2,
 p_workspace IN VARCHAR2 DEFAULT 'MY_WORKSPACE',
 p_app_id IN NUMBER DEFAULT v ('APP_ID'),
 p_app_session IN VARCHAR2 DEFAULT v ('SESSION'),
 p_app_user IN VARCHAR2 DEFAULT v ('APP_USER')
END webservice_pkg;
CREATE OR REPLACE PACKAGE BODY webservice_pkg
IS
 PROCEDURE set_credentials (
 p_workspace IN VARCHAR2,
 p_app_id IN NUMBER,
 p_app_session IN VARCHAR2,
 p_app_user IN VARCHAR2
 IS
 v_workspace_id NUMBER;
 BEGIN
 SELECT workspace_id
 INTO v_workspace_id
 FROM apex_workspaces
 WHERE workspace = p_workspace;
 apex_util.set_security_group_id (v_workspace_id);
 apex_application.g_flow_id := p_app_id;
 apex_application.g_instance := p_app_session;
 apex_application.g_user := p_app_user;
 END set_credentials;
 PROCEDURE create_webservice (
 p_id IN NUMBER,
 p_message OUT VARCHAR2,
 p_workspace IN VARCHAR2 DEFAULT 'MY_WORKSPACE',
 p_app_id IN NUMBER DEFAULT v ('APP_ID'),
 p_app_session IN VARCHAR2 DEFAULT v ('SESSION'),
 p_app_user IN VARCHAR2 DEFAULT v ('APP_USER')
 IS
 v_envelope VARCHAR2 (32000);
 v_server VARCHAR2 (400);
 v_url VARCHAR2 (4000);
 v_result_url VARCHAR2 (1000);
 v_collection_name VARCHAR2 (40) := 'PDF_CARD';
 v_message VARCHAR2 (4000);
 v_xmltype001 XMLTYPE;
 BEGIN
 v_url := v_server || '.myserver.net/services/VisitCardCreator?wsdl';
 FOR c IN (SELECT *
 FROM DUAL)
 LOOP
 v_envelope :=
 '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
 || 'xmlns:bran="http://www.myaddress.com">'
 || CHR (10)
 || '<soapenv:Header/><soapenv:Body>'
 || CHR (10)
 || '<parameter:'
 || 'some_value'
 || '>'
 || CHR (10)
 || '<bran:templateID>'
 || p_id
 || '</bran:templateID>'
 || '</soapenv:Body>'
 || CHR (10)
 || '</soapenv:Envelope>';
 END LOOP;
 set_credentials (p_workspace, p_app_id, p_app_session, p_app_user);
 BEGIN
 apex_web_service.make_request
 (p_url => v_url,
 p_collection_name => v_collection_name,
 p_envelope => v_envelope
 p_message := 'Some message.';
 EXCEPTION
 WHEN OTHERS
 THEN
 v_message :=
 v_message
 || ''
 || 'Error running Webservice Request. '
 || SQLERRM;
 END;
 BEGIN
 SELECT v_result_url
 || EXTRACTVALUE (VALUE (t),
 '/*/' || 'Return',
 'xmlns="http://www.myaddress.com"'
 xmltype001
 INTO v_result_url,
 v_xmltype001
 FROM wwv_flow_collections c,
 TABLE
 (XMLSEQUENCE (EXTRACT (c.xmltype001,
 '//' || 'Response',
 'xmlns="http://www.myaddress.com"'
 ) t
 WHERE c.collection_name = v_collection_name;
 EXCEPTION
 WHEN OTHERS
 THEN
 v_message := v_message || '' || 'Error reading Collection.';
 END;
 EXCEPTION
 WHEN OTHERS
 THEN
 p_message := v_message || '' || SQLERRM;
 END create_webservice;
END webservice_pkg;
/If you use it this way, you will find out what the problem is much faster.
Denes Kubicek
http://deneskubicek.blogspot.com/
http://www.apress.com/9781430235125
http://apex.oracle.com/pls/apex/f?p=31517:1
http://www.amazon.de/Oracle-APEX-XE-Praxis/dp/3826655494
-------------------------------------------------------------------

Securing Web Applications by HTTP Basic Authentication

We are working on providing security for web applications in Webdynpro.We downloaded the material from net regarding this.In that it was mentioned to open the webdynpro project's web.xml file in the Netweaver Developer Studio.In the material,we are asked to click the General TAb and check "Login Configuration".But there is no such checkbox in our general tab screen.Also many tabs are missing like Context,Resources,mapping,Environment,EJB's,Web objects.How to enable/display these tabs?Is there any means of setting properties in the server to get these tabs?
regards,
J.Iswaryal
K.Brinda

Hi J.Iswaryal,
I guess two things based on your post.
1. You have created one wer service and you want to make secure this web service using HTTP basic authentication.
2. You have such wweb service and you want to consume this web service lets say in webdynpro application.
For, point one,
After creating web service goto webservice perspective in NWDS. there, choose your web service project.
Now, open Web service configuration file recided in your project.
Here, go under config1-> security and double click on it.
It will display security options for this web service.
Choose transport protocol as HTTP, Authentication mechanism as HTTP authentication and choose Basic radio button.
Now, save this, rebuild this and deploy on server.
For point 2,
Make model for your web service.
before calling your web service, set your username and password in code as shown below.
wdContext.current<web service model node>element().modelobject()._setusername(<username>);
wdContext.current<web service model node>element().modelobject()._setPassword(<password>);
Rehards,
Bhavik

Basic Auth with WebView

Hello everyone,
we have integrated some JavaFX components within a swing application recently. One of the components that we have decided to add is a WebView component that should access an html page with the account settings of the logged in user.
However, this page has restricted access with HTTP Basic Auth type of authorization and for this reason the WebView gets the 401 HTTP error.
Is it possible to perform the HTTP Basic Auth programmatically (by setting username and password) with the WebView?
Thanks in advance for your help,
LM

I have solved by using java.net.Authenticator

UDDI inquiry service HTTP-Basic authentication in BPEL (10.1.3.1)

Hi Gurus,
I'd like to know how we can setup BPEL server for Oracle Service Registry UDDI with HTTP-BASIC authentication for inquiry service (apart of OWSM solution)?
Imagine that in Service Registry I have defined HTTP-BASIC authentication (REGISTRY_HOME/app/uddi/services/Wasp-inf/package.xml) for inquiry service used in BPEL domain (uddiLocation key in BPEL domain configuration). And now I'd like to provide credentials. In package.xml I have this
<service-endpoint path="/inquiry" version="3.0" name="UDDIInquiryV3Endpoint"
service-instance="tns:UDDIInquiryV3" processing="tns:UDDIv1v2v3InquiryProcessing"
accepting-security-providers="HttpBasic">
<wsdl uri="uddi_api_v3.wsdl" service="uddi_api_v3:UDDI_Inquiry_SoapService"/>
<envelopePrefix xmlns="arbitraryNamespace" value=""/>
<namespaceOptimization xmlns="arbitraryNamespace">false</namespaceOptimization>
</service-endpoint>
I don't see any field with username or password. Is it automaticaly taken from security provider configured for Service Registry (for example LDAP)? If yes then it is clear.
But what about BPEL engine, where can I provide those credentials? Is it some secret configuration file? Or only supported way is to configure it through OWSM component in order to enrich request by credentials (what about license, when customer doesn't want to use OWSM)?
Do I miss something in this concept?
Thanks
Peter

as said internally - file an ER for it pls - and I will take care of it, depending on the demand - either for 10.1.3.1 GA or 10.1.3.1 patchset ..
we will support only HTTP Basic Auth - rest will follow per customer demand ..
/clemens

Login via Basic Auth popup

Hi, i have sap fiori running and i need GBAPP_PRAPPROVAL service to display basic authentication prompt.
Currently i have configured global settings to use the class CL_SRA_LOGIN.
I modified the system logon on the Error Page tab and i am able to display the login page that says "via popup" in the textboxes and then click to show the popup but i don't want the page to appear at all, i want only the http basic auth popup directly when you access the url of the service. How can i achieve this?
Thanks!
Andres

Could you please paste a screenshot about what would you like to achieve?

Using HTTP basic auth in WebService

Similar Messages

Maybe you are looking for