digest authentication on client side implementation.

vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi
My project has web services that are using digest authentication. I am trying to modify the client implementation (JAX-RPC) to include username and password. I am using Axis 1. I got how to include basic authentication from here, but I am not able to find one for digest authentication. The web services work fine using SoapUI with username and password. If anyone has implemented digest authentication on the client side, can you please help me in modifying the client code, or I would appreciate it if you can point me to sources.
Thanks


SCJP 1.4, SCWCD 1.5
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Does the servlet container you're using to run Axis even support digest authentication?
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
We are using the Spring framework, and in securityPolicy.xml the configuration to use digest authentication has been set in this way.


Should I check anywhere else to know that it supports digest authentication?

vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
I can run this web service from SoapUI by giving username and password credentials. There is an option to select the WSS password type. I chose the password digest option. Here is the request SOAP message generated.



Here is the Java client which should be modified for adding digest authentication.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
So you're not talking about HTTP Digest Authentication, you're talking about a WS-Security Username token that has been digested. That works in an entirely different way, and will not be easy to add to your client (particularly since it uses the JAX-RPC API, which is obsolete).

Which SOAP stack are you using on the client side?
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
That's right, Ulf. It is not HTTP digest authentication; rather, I need to send SOAP headers with these authentication details.
I see Axis and SAAJ on the client side.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Looking at your code, I think it's more likely that it's using JAX-RPC (which you mentioned in the first post) than SAAJ. Thus you'd be using Axis 1 (and not Axis 2, which does not support JAX-RPC). Luckily for you, someone has written up how to secure an Axis 1-based web service - I did! :-) Read it, work through the examples, see how they might apply to your code, and come back with questions if something doesn't make sense.
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi Ulf
"a client deployment descriptor, which tells WSS4J how to handle security for the request on the client: client_deploy_sec.wsdd"


This is given as one of the steps. How do I find this file? I searched the workspace for any file with the wsdd extension and found none.
Can you elaborate a bit on this, like what other elements it will have?
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi Ulf


Here in the deployment descriptor you are giving the user name value. I get the username in the client, so I will not know beforehand what values to set in the deployment descriptor. I do not need to check whether this user is valid or not on the client side; the server-side web service takes care of that. I found a way to access headers in the client.

So should I try to set SOAP headers such that it looks similar to the SOAP request generated by SoapUI?

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
> this is given as one of the steps. how do i find for this file.

The download that comes with the article has that, and everything else you need to get the examples running (except for Axis itself and WSS4J - just follow the links in the articles).
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi
I am following the source code that you gave. According to that sample code, I am writing a deploy.wsdd file. It requires the class name of the web service. How do you find the class name of a web service from the WSDL? Here is my wsdd.

I need to replace samples.stock.StockQuoteService with my web service class name. I have the WSDL.


I am trying to secure the auctionItems operation.


May I know how to find the associated web service class? I am really new to web services. If this doubt is really simple, please suggest some tutorials so that I can get this information.
Thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
That sounds a bit odd. Are you starting out with a WSDL before you have the web service itself? That's a scenario I've never worked in, so I can't help with that. I've always started with the service, and then the SOAP implementation (Axis in this case) generates the WSDL from that.

But as regards the class name: you can choose whichever one you want, since the class name is not part of the WSDL.
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi Ulf,
I have the web service already, and stubs are generated using wsdl2java. But while running them, it requires digest authentication because on the server side the web service requires username and password. So I am modifying the client implementation such that it sends username and password details in soap:header.
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
I followed the steps for configuring the client in http://ws.apache.org/wss4j/axis.html

1. Added client_deploy.wsdd to the client side code.

2. Added PWCallBackClient.

3a. In the Fetcher class, which calls the stubs generated by wsdl2Java, I did pass username and password.


3b. Added the client_deploy file programmatically by placing it in the same directory as the other class files.


When I run the Fetcher class, it is not able to find the client_deploy.wsdd file using FileProvider.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
As to #3a, you don't need that. Those passwords are for HTTP authentication, not for WS-Security authentication. The password gets set by the code in #2.

As to #3b, try an absolute path.
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi Ulf,
I changed it to an absolute path. It is getting the deployment element of the wsdd. However, I am getting this exception.
I have downloaded wss4j-1.5.7.jar and kept it in the lib folder. Am I supposed to get any other libraries?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
> I have downloaded wss4j-1.5.7.jar and kept it in lib folder. am i supposed to get any other libraries?

Yes, you need the "other jars" that can be downloaded in the same place as WSS4J itself.
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
I added xmlsec.jar and the control is going to PWCallbackClient. I observed that callbacks[] is picking the username from client_deploy.wsdd. But I can't make a list of all valid users in the wsdd. So how would I just pass in the username and password without actually checking against the callbacks[] array?
Here is my PWCallbackClient for reference.
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
I tried taking the username field out of the wsdd and it gives an exception saying that it is a mandatory field. Is there any workaround such that I do not have to hard-code usernames here in the wsdd?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
> I observed that callbacks[] is picking username from client_deploy.wsdd.

I've no idea what you mean by this - the username is not part of any WSDD file; what are you referring to?

You need to alter the Java code so it accesses your user repository (maybe LDAP or a DB) and retrieves a list of the allowed users and their passwords, and then checks those against the username sent by the client in "pc.getIdentifer()".
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi Ulf
I am referring to the username given in the wsdd configuration. Please have a look at my client_deploy.wsdd below. I highlighted the user element.



The web service authentication check is done on the server side (the called web service). I am trying to access that web service by writing a client implementation. Since the web service requires username and password to be sent using digest, I am trying to send those username and password values in the SOAP header. I came across this article and followed the steps given there for "Configuring the Client". My requirement is to be able to access a web service which requires username and password being sent using digest authentication. I will have username and password being passed and available in my client application. But I do not have access to LDAP in which I can validate whether this username is valid or not in my client application.

vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi Ulf,

Here is how the SOAP request is sent using client_deploy.wsdd and PWCallBackClient.


The username being sent is the same as the user given in client_deploy.wsdd.

I am able to call the web service if I give the username in client_deploy.wsdd, but I will not know beforehand about all users. Username and password are being passed from the JavaFX front end.

I tried to follow the alternate step given here.
Another way to do this is to have the client application set the username and CallbackHandler implementation programmatically instead of client_deploy.wsdd:

...
import org.apache.axis.client.Stub;
...

Remote remote = locator.getPort(StockQuoteService.class);
Stub axisPort = (Stub)remote;
axisPort._setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PASSWORD_DIGEST);
axisPort._setProperty(WSHandlerConstants.USER, "wss4j");
axisPort._setProperty(WSHandlerConstants.PW_CALLBACK_REF, pwCallback);


But it is still calling pwCallBack.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Ah, you're talking about the client now, not the server. This thread talks about two different approaches you could take, one using an OutflowConfiguration object, and one using a policy based configuration.
vani venkat
Ranch Hand

Joined: Nov 21, 2006
Posts: 142
Hi Ulf
I did go through the tutorial. According to what I understood, even the server side configuration needs to use policy-based configuration. That is, I should change the web service's (server side) authentication as well?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Not sure, I haven't used policy-based security. I guess if you check out the Rampart policy sample mentioned in that thread, it should become clear what's involved.