passing password credential from one application server to another

sandhya mridul
Greenhorn

Joined: Apr 12, 2006
Posts: 10
Hello,

Has anybody faced this issue of passing credentials from one application server (say X) to another (say Y)? There is an application on server X which makes a web service call to the other (Y). The X application needs to send username and password information to Y to create a login context on Y.
Thanks in advance....
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41052
WSS4J (on ws.apache.org) is the standard Java implementation of the WS-Security standard, which specifies how usernames and passwords are used with WS.

If you're not actually talking about passwords for WS, but using WS for transporting passwords for other purposes, then the best option probably is to treat the usernames/passwords as regular strings of data, and to encrypt them in transit.


sandhya mridul
Thanks for your reply. Yes, I mean transporting the username/password for retrieving data filtered on the username. I am using WebLogic as the client for the web service call. Yes, the password will be passed as a data string, but I don't want to hardcode the password value. Is there a way in which the weblogic api allows users to retrieve it at runtime?
Ulf Dittmer
I don't understand what you mean by "hardcoding". The string would be a regular parameter (although encrypted), and its value could/would change for every invocation of the WS.

I also don't understand what this means: "Is there a way in which the weblogic api allows users to retrieve it at runtime?" WL is the WS client, so it doesn't retrieve the username at runtime, it sets it.

Maybe you can describe in more detail how the process should work.
sandhya mridul
It's like this:
A secured JSP page is submitted to a servlet. We make a web service call from WebLogic to another application server. Now this call needs to pass the username/password to the other application server.
Since we are using basic authentication for the WL application, WL will have to retrieve the username/password and set it in the WS call. We are not able to figure out how to retrieve the username/password using WL APIs, so we are setting them explicitly, i.e. hardcoding them.
Ulf Dittmer
OK, you want the username/password used for accessing the web app on the first app server to be passed on as part of the WS call to the second app server.

You can use the HttpServletRequest.getRemoteUser and getPrincipal methods to determine which user is currently accessing the system. Then you can use that username to retrieve the password from whichever repository the WL server uses to authenticate users.
sandhya mridul
We have been trying APIs in the weblogic.security and related packages, but are not able to hit on anything. We find that the credentials are either hashed or encrypted internally by WL. Can you help us on this? Thanks for your replies...
Ulf Dittmer
Are you saying that you tried both getRemoteUser and getPrincipal, and that neither of them returned a cleartext username? That would be a violation of the Servlet API, so I think you might be doing something wrong.

Where (e.g., database, LDAP, ...) does WL look for its username/password information? You should be able to access that user directory by some other means to get at the password (of course, the password might be hashed in that directory, in which case you won't be able to get at it in cleartext). But since the user is authenticated already, wouldn't it be sufficient to just pass along the username?
sandhya mridul
getPrincipal() does return a cleartext username, but the password is not in clear text. Actually, no authentication on the other end should be required, but the Java proxy that is generated from the WSDL (the web service is on the other application server) does not give me an API to pass only the username. It either takes no arguments or both username and password.
Ulf Dittmer
Then you should look into the second part of my previous post - either retrieve the password from the repository, if feasible, or have the provider of the WS add a method call that takes just a username.
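
Added example, not part of the original thread or any poster's code: one way the username-only option discussed above can work without forwarding a password. Server X attaches an HMAC over the already-authenticated username and a timestamp, and server Y verifies it before trusting the name. The class name, the shared key and the 60-second freshness window are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class UsernameAssertion {
    // Assumption: X and Y share this key out of band. Constructed demo value only.
    static final byte[] KEY = "constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8);
    static final long MAX_AGE_MS = 60_000; // Y rejects assertions older than this
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();

    static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Server X: username is what the container reports for the authenticated request.
    static String issue(String username, long nowMs) throws Exception {
        String payload = ENC.encodeToString(username.getBytes(StandardCharsets.UTF_8)) + "." + nowMs;
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    // Server Y: returns the username if the assertion is authentic and fresh, else null.
    static String verify(String token, long nowMs) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        try {
            long issued = Long.parseLong(p[1]);
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(hmac(p[0] + "." + p[1]), given)) return null; // constant-time compare
            if (issued > nowMs || nowMs - issued > MAX_AGE_MS) return null;         // stale or future-dated
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // malformed Base64 or timestamp
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String token = issue("alice", now);                 // constructed sample username
        System.out.println(verify(token, now));             // fresh, untampered assertion
        System.out.println(verify(token + "x", now));       // signature altered in transit
        System.out.println(verify(token, now + 120_000));   // replayed after the window
    }
}
```

The assertion still has to travel over an encrypted channel, and the shared key belongs in each server's credential store rather than in source.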
 
 