Problems using the ServletSecurityProvider to do Basic Authentication


Clement Lyons
Hi All

I'm running an Axis (1.2RC3) Web Service on Tomcat (4.1.31).
I'm having problems getting Basic Authentication working using the
ServletSecurityProvider and the SimpleAuthenticationHandler.

This is my configuration:

In the Axis web.xml:
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <display-name>Apache-Axis Servlet</display-name>
    <servlet-class>
        org.apache.axis.transport.http.AxisServlet
    </servlet-class>
    <init-param>
      <param-name>use-servlet-security</param-name>
      <param-value>1</param-value>
    </init-param>
  </servlet>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Web Services Basic Authentication</realm-name>
  </login-config>                                            

In the server-config.wsdd
  <requestFlow name="checks">
   <handler type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
  </requestFlow>
  <parameter name="allowedRoles" value="test"/>

In tomcat-users.xml
<tomcat-users>
  <role rolename="test"/>
  <user username="test" password="test" roles="test"/>
</tomcat-users>

This setup was previously discussed here
http://marc.theaimsgroup.com/?l=axis-user&m=104403054218784&w=2 quite a
while back.

I add the username and password in the client and using TCPMON can see
that it is being sent in the HTTP Headers.

I've also added logging to the SimpleAuthenticationHandler and can see
that the username/password is received correctly and that the security
provider used is
org.apache.axis.security.servlet.ServletSecurityProvider

Should the allowedRoles specified in the server-config.wsdd be a user or
role in the tomcat-users.xml?

Any pointers or help would be much appreciated.

Clement
RE: Problems using the ServletSecurityProvider to do Basic Authentication

Clement Lyons
With trace logging turned on I get the following:

- Enter: SimpleAuthenticationHandler::invoke
- provider.getClass : class org.apache.axis.security.servlet.ServletSecurityProvider
- org.apache.axis.i18n.resource::handleGetObject(user00)
- User:  preselect
- org.apache.axis.i18n.resource::handleGetObject(user00)
- User:  preselect
- org.apache.axis.i18n.resource::handleGetObject(password00)
- Password:  preselect
- org.apache.axis.i18n.resource::handleGetObject(password00)
- Password:  preselect
- org.apache.axis.i18n.resource::handleGetObject(got00)
- Got HttpServletRequest
- org.apache.axis.i18n.resource::handleGetObject(noPrincipal00)
- No principal!
- org.apache.axis.i18n.resource::handleGetObject(cantAuth01)
- Enter: SOAPPart ctor(FORM_FAULT)
- org.apache.axis.i18n.resource::handleGetObject(setMsgForm)
- Setting current message form to: FORM_FAULT (currentMessage is now org.apache.axis.AxisFault)

What is the principal? Am I still missing some configuration?
Is this meaningful to anybody?

Clement


-----Original Message-----
From: Clement Lyons
Sent: Tuesday, 10 May 2005 4:44 PM
To: [hidden email]
Subject: Problems using the ServletSecurityProvider to do Basic
Authentication
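
Added example, not part of the original thread and not the Axis project's own configuration: the "No principal!" trace line corresponds to HttpServletRequest.getUserPrincipal() returning null, which is what a servlet container returns for requests that match no security-constraint, and the posted web.xml declares a login-config but no constraint. The /services/* URL pattern, the resource name and the CONFIDENTIAL transport guarantee (which needs an HTTPS connector) are assumptions; the role name test and the login-config values are taken from the post.

```xml
<!-- web.xml fragment (added example, not from the original post).
     Element order follows the servlet DTD:
     security-constraint, then login-config, then security-role. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis services</web-resource-name>
    <!-- Assumption: AxisServlet is mapped to /services/*.
         No http-method element, so the constraint covers every method. -->
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>

  <!-- The container authenticates the caller and sets the request's
       user principal only for URLs covered by an auth-constraint. -->
  <auth-constraint>
    <role-name>test</role-name>
  </auth-constraint>

  <!-- Assumption: an HTTPS connector is configured. Basic credentials are
       only base64-encoded, so without TLS they are readable on the wire
       (as seen with TCPMON). -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Unchanged from the post. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Web Services Basic Authentication</realm-name>
</login-config>

<!-- Declares the role referenced above; it must match a rolename
     in tomcat-users.xml. -->
<security-role>
  <role-name>test</role-name>
</security-role>
```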