File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Web Services and the fly likes New article: Web Services Authentication with Axis 2 Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "New article: Web Services Authentication with Axis 2" Watch "New article: Web Services Authentication with Axis 2" New topic
Author

New article: Web Services Authentication with Axis 2

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
The current issue of the JavaRanch Journal has an article by -ahem- your truely about Web Services Authentication with Axis 2. You can check it out here, and if you have comments or question, feel free to post them in this thread.


Ping & DNS - my free Android networking tools app
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Very nice and useful article Ulf.
I was looking for such one.
Regards
Balaji


Spritle Software Blogs
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Firstly: I hate the name Axis2. Axis2 1.3 is as bad as Java2 1.5, stupid marketing.

I had a similar discussion a while ago on just this topic, and the suggestion I was given was almost exactly the same: use the inflow/outflow model to parse the security header and NOT to include the security in the WSDL definition.

Why are you using the OutflowSecurity rather than InflowSecurity?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
Why are you using the OutflowSecurity rather than InflowSecurity?[/QB]


I'm generally more concerned with having the client properly authenticate itself to the server, rather than the other way around. The assumption is that this is a publicly accessible service, and that it is the client that is inherently untrusted, not the server. (If encryption was used, one would want to apply it both ways.)
rajini kriya
Greenhorn

Joined: Sep 10, 2007
Posts: 8
this information is very useful because i need to put the same soap request for accessing web serivce (Timestamping, Authentication, Encryption and Signature)i generated the client code using RAD and in the web services web browser i got methods for accessing web services but when i invoke the methods i am gettingg exception in the results page.so i need to set the username and password using (Timestamping, Authentication, Encryption and Signature) apache axies run time environment i dont know how to write the client for settting the username and password how i get these type of soap request and response if i get these type of soap request i may get the soap response (result).can you please help m in this one.

thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
Originally posted by rajini kriya:
so i need to set the username and password using (Timestamping, Authentication, Encryption and Signature)

The article shows how to set username and password using WS-Security with Axis. That has nothing to do with timestamps, encryption or signing, though.
Harjit Singh
Ranch Hand

Joined: Feb 01, 2007
Posts: 77
I tried copying the file rampart1.1 in to the modules directory and I'm seeing it being listed under Faulty Modules. Does anybody see the same error ?

Thanks

- Harjit
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
Originally posted by Harjit Singh:
I tried copying the file rampart1.1 in to the modules directory and I'm seeing it being listed under Faulty Modules.


Which Axis version are you using? Rampart 1.1 is meant for Axis2 1.1. If you're using Axis2 1.2 or 1.3, you should download the Rampart version that goes with those. Look for "Modules" on the download page.
Harjit Singh
Ranch Hand

Joined: Feb 01, 2007
Posts: 77
I have AXIS 1.3 Here is the output from the HappyAxis.jsp

Found Axis2 default Version service and Axis2 is working properly.
Now you can drop a service archive in axis2/WEB-INF/services. Following output was produced while invoking Axis2 version service

Hello I am Axis2 version service , My version is 1.3

I tried and copied rampart1.3 .mar and still the same issue.

- Harjit
Aoife Power
Greenhorn

Joined: Oct 08, 2007
Posts: 1
Hi,

I am having a similar issue with rampart1.3 and axis2 version 1.3.

Axis2 reports no errors on the HappyAxis page, however, when checking if rampart is loaded correctly only rahas shows under the available modules. rampart-1.3 is listed under the faulty modules section.

Did you have any luck in discovering what the issue is?

Thanks for any help.
Aoife.

Originally posted by Harjit Singh:
I have AXIS 1.3 Here is the output from the HappyAxis.jsp

Found Axis2 default Version service and Axis2 is working properly.
Now you can drop a service archive in axis2/WEB-INF/services. Following output was produced while invoking Axis2 version service

Hello I am Axis2 version service , My version is 1.3

I tried and copied rampart1.3 .mar and still the same issue.

- Harjit
johnxyz smithxyz
Greenhorn

Joined: Oct 16, 2007
Posts: 1
Place those MAR files (rampart, rahas and addressing) on the same class path of axis2 jar files on the client side and then the client side code would work correctly. I just tested it with the version of Axis2 1.3.

Make the server side run with rampart is less painful but it is not headache free.

Go with Apache CXF as it is such a good experience to feel it yourself.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
I just noticed that the article only mentions that rampart.mar should be copied to the Axis WEB-INF/lib directory. In fact, the addressing.mar file also needs to be copied. I've changed the article accordingly.
Madalina Mutihac
Greenhorn

Joined: Mar 03, 2008
Posts: 7
Hey, I had the same problem when trying to put rampart to work with Tomcat. The solution that worked for me was to copy the jars in the rampart lib directory to the ...\apache-tomcat-6.0.16\webapps\axis2\WEB-INF\lib\ folder as well and restart Tomcat.
Madalina Mutihac
Greenhorn

Joined: Mar 03, 2008
Posts: 7
I've a problem, tried running the example in this article and after setting everything up ok, I get the following error:

WSDoAllReceiver: Incoming message does not contain required Security header
in TCPMonitor...as I am pretty new to web services and Axis2 especially, I would really need some help with this.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
WSDoAllReceiver: Incoming message does not contain required Security header in TCPMonitor...


Does TCPMonitor show that those headers are present? The article describes how they look like.

How are you running the example?
Harshad Khasnis
Ranch Hand

Joined: Jun 06, 2006
Posts: 48
Hi Ulf,
Nice article.

I have one issue - I am using an .Net webservice.
It uses NTLM authentication.
Can you please guid me how i can use Axis2 to authenticate against this web service.

Regards
Harry
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
I am using an .Net webservice. It uses NTLM authentication.
Can you please guid me how i can use Axis2 to authenticate against this web service.

Neither Axis nor WS-Security support NTLM, so you will need to roll your own. If you're writing a Java client, have a look at the HttpClient library; it supports NTLM authentication. That doesn't help much with sending XML, though. You'll need to generate the SOAP programmatically, and then hand that to HttpClient to send. Not particularly hard to do, but kind of a hack.

WS-Security is the way to go for this kind of authentication.
Peer Reynders
Bartender

Joined: Aug 19, 2005
Posts: 2922
    
    5
How to configure Axis2 to support Basic, NTLM and Proxy authentication?

Basic,Digest and NTLM Authentication

org.apache.axis2.transport.http.HttpTransportProperties.Authenticator


Originally posted by Ulf Dittmer:
WS-Security is the way to go for this kind of authentication.


If you can get the publishers of the web service to see the (interoperability) errors in their ways ...
[ March 04, 2008: Message edited by: Peer Reynders ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64

I stand corrected. I completely missed that Axis 2 can do this now. But it seems that this is about the server side; can it be used in a similar way for the client side?
Peer Reynders
Bartender

Joined: Aug 19, 2005
Posts: 2922
    
    5
HttpClient supports three different types of http authentication schemes: Basic, Digest and NTLM. ... NTLM is the most complex of the authentication protocols supported by HttpClient. ... These differences are generally handled by HttpClient...


The use of the Commons HttpClient made me assume that they are talking about the client side Axis2 libraries. I certainly wouldn't expect the server side to implement NTLM authentication.
[ March 04, 2008: Message edited by: Peer Reynders ]
Hikari Shidou
Ranch Hand

Joined: Jan 22, 2013
Posts: 88
Very good articles Ulf!

Only you was able to make me understand WS-Security

But I feel WSS isn't worth at all. As I can understand it uses either plaintext password or encrypts it.

For plaintext there's no security, and a simple parameter inside operations could pass username and password from client to server.

And for encryption, it's very interesting that we can use our own extended class to handle it. But syncronous encryption is useless for general client use, because if the key is stolen it will be used to steal password.

And if we use asynchronous encryption, we already have HTTPS, which is simpler and doesn't create complexity for neither the SOAP server or the client. The advantage would be that only password is being encrypted and not the whole message, but Axis2 adds around 4-6 milisecs of overhead, so I think HTTPS overhead wouldn't be so expensive in this context, with the advantage of having whole message protected.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42276
    
  64
The password isn't sent encrypted, it's sent hashed, and that is handled by the WS engine - so there is no need to for a pre-shared password of some kind. It seems that you're mixing up the handling of the password for WS Authentication with the handling of keys for WS Encryption.

HTTPS works on the transport level, rather than the message level. For many deployment scenarios that may be sufficient, but for some it isn't. It's also only applicable for HTTP communication (which admittedly covers the vast number of SOAP calls, but not all).
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: New article: Web Services Authentication with Axis 2