WebLogic is intercepting credentials passed to webservice

Dorte Skriver
Greenhorn

Joined: May 27, 2008
Posts: 7
Hi all - hope someone can help me.

I have deployed a webservice with a custom AuthenticationHandler:


When I deploy it on resin or WebSphere, everything works fine, but when I deploy it on WebLogic, I always get a (401) Authorization Required.

WebLogic somehow "bypasses" my custom authentication implementation when I provide credentials.

If I don't provide any credentials, I actually hit my custom authentication handler, but if I do provide credentials, it seems that WebLogic intercepts the call and tries to authenticate the provided user, which fails (as it should), and my implementation is never called.

So basically my question is: how do I stop WebLogic from trying to "take over" authentication?

Sincerely,
Dorique
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

Can you provide some more details? Is the URL that you are trying to hit protected by WL for some reason? Do you have a URL pattern mapping that is protected by a security role?


Dorte Skriver
Greenhorn

Joined: May 27, 2008
Posts: 7
All security is default, i.e. only DD (and there is no security conf in web.xml), no url-mappings or anything.
Only the default "myrealm" security realm.

Roger Brillant
Greenhorn

Joined: Dec 14, 2011
Posts: 1
(I know this is a somewhat aging thread but in case this is of use to anyone else...)

If your custom authentication is using HTTP basic authentication, this is most likely your problem:

The default behavior of WebLogic is to intercept HTTP basic authentication headers and handle them itself, even if no security is configured for the application. To switch this behavior off, add this line

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

in the <security-configuration> section of the config.xml file for your WebLogic domain.

Ref: http://www.weblogicspecialist.com/sites/weblogicspecialist.nsf/docs/Setting%20the%20enforce-valid-basic-auth-credentials%20Flag
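
An added example (not part of the original thread and not WebLogic's own code): a Python check that reads a domain's config.xml and reports whether the container will still intercept HTTP Basic credentials, treating a missing flag as the default described in the answer above. The sample documents and the names `basic_auth_interception` and `local` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"

# Constructed sample config.xml content (not taken from a real domain).
SAMPLE_DEFAULT = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
    <default-realm>myrealm</default-realm>
  </security-configuration>
</domain>"""

# Same constructed sample with the flag from the answer added.
SAMPLE_DISABLED = SAMPLE_DEFAULT.replace(
    "</security-configuration>",
    "  <%s>false</%s>\n  </security-configuration>" % (FLAG, FLAG))


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def basic_auth_interception(config_xml):
    """Return (intercepts, reason) for one domain config.xml document."""
    root = ET.fromstring(config_xml)
    sec = [e for e in root if local(e.tag) == "security-configuration"]
    if not sec:
        return True, "no <security-configuration>; default applies"
    flags = [e for e in sec[0] if local(e.tag) == FLAG]
    if not flags:
        return True, "flag absent; default applies"
    value = (flags[0].text or "").strip().lower()
    # Assumption: any value other than "false" is reported as still intercepting.
    if value == "false":
        return False, "flag is false; Basic credentials reach the application"
    return True, "flag is %r" % value


if __name__ == "__main__":
    for label, doc in (("default", SAMPLE_DEFAULT), ("disabled", SAMPLE_DISABLED)):
        print(label, basic_auth_interception(doc))
```

Because the flag lives in the domain's config.xml, it applies to every application in that domain, so each one that accepts Basic credentials on unprotected URLs has to validate them itself once it is set to false.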
 