I am using UserDatabaseRealm to perform basic authentication in Tomcat 6.
Basically my app is a copy of the example provided at http://www.mkyong.com under the heading "Container Authentication with JAX-WS – (Tomcat version)".
However, my app fails to authenticate even when I provide the correct user name and password: I keep getting the authentication prompt when accessing my service URL from the browser.
Strangely, however, when I use a client to call the service it does not authenticate at all; no matter what I put as the user name and password in the client, it always succeeds in calling the service.
Below are my web.xml, tomcat-users.xml and sun-jaxws.xml.
Here is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
Welcome to the JavaRanch, Anirban! Sorry about the delay.
You can make sample code and XML (pre-formatted text) easier to read if you use the "Code" button in our editor to wrap your text with code tags.
In order to use a Tomcat security Realm, you have to tell the webapp which Realm (if any) you are going to use. That has to be done either in a context XML for the webapp itself or in server.xml in cases where more than one webapp may be operating in the same Realm (such as the Tomcat Manager and Tomcat Admin webapps).
There is a sample UserDatabaseRealm definition in the server.xml that comes with Tomcat, but it is commented out, and therefore not active. You have to uncomment it to use it.
An IDE is no substitute for an Intelligent Developer.
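As an added illustration of the Realm wiring described in the reply above (this is example configuration written for this thread, not the original poster's files and not the mkyong sample), here is a webapp-local context.xml that selects UserDatabaseRealm, the matching web.xml security constraint, and a tomcat-users.xml entry. The service path /hello, the role name "user" and the sample credentials are constructed for the example. One check worth making in any such web.xml: if the security constraint lists `<http-method>GET</http-method>` and nothing else, only GET requests (the WSDL fetch) are protected, and the POST that carries the SOAP call passes through unauthenticated; leaving the `<http-method>` elements out makes the constraint cover every method.

```xml
<!-- META-INF/context.xml of the webapp (added example, not from the thread).
     UserDatabaseRealm looks resourceName up in Tomcat's global JNDI context,
     where the default server.xml defines the "UserDatabase" resource under
     GlobalNamingResources (backed by conf/tomcat-users.xml). -->
<Context>
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Context>

<!-- WEB-INF/web.xml, security-related parts only (added example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HelloService</web-resource-name>
      <!-- constructed endpoint path; must match the url-pattern in sun-jaxws.xml -->
      <url-pattern>/hello</url-pattern>
      <!-- deliberately no <http-method> elements: the constraint then applies to
           GET (WSDL retrieval) and POST (the SOAP invocation) alike -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>HelloService</realm-name>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- conf/tomcat-users.xml (constructed sample user; replace the password) -->
<tomcat-users>
  <role rolename="user"/>
  <user username="alice" password="CHANGE-ME" roles="user"/>
</tomcat-users>
```

With this in place, a browser request to the WSDL and a client POST to the endpoint both receive a 401 with a WWW-Authenticate: Basic challenge until valid credentials for a user holding the "user" role are supplied.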
Ok, I found it: the problem lies with running the application from Eclipse.
With my previous configuration the authentication works when I export my app as a WAR from Eclipse and deploy it directly in the webapps folder of Tomcat.
Then I run Tomcat using the startup batch file.
Now there is another problem.
I am providing my service code for reference.
Here is the client:
The authentication works fine at the WSDL access level. That is, without proper authentication the application cannot access the WSDL URL.
But the method level authentication is not working.
Passing any user and password, I can call the service operation.
Web Services security is a problem in its own right, and not specifically just for Tomcat.
Tomcat, like any J2EE-compliant container, provides container-based authentication and authorization based on the URL received, but using this feature with web services has problems.
For one thing, web service calls are not normally made interactively, so if you put a URL security pattern on the web service call and the server returns a login page, the client probably won't know what to do with it.
For another, the URL security patterns are not a very fine-grained mechanism. So while I do recommend them as a "brute force" first line of defense for most cases, there are often times when you need an additional layer that's more finely in touch with the actual functionality of the resources that the URL is addressing.
There are some books on web services security, although I'm not the person who can recommend ones that are good and up-to-date.
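As an added example of the "additional layer" the reply above recommends on top of the URL-pattern constraint (this code is written for this thread; it is not the original poster's service or the mkyong sample), here is a JAX-WS endpoint that checks the container-provided identity inside the operation itself via WebServiceContext. The endpoint name, operation name and the role "user" are constructed for the example. The caveat a practitioner should keep in mind: getUserPrincipal() is only non-null when the container has already authenticated the request, which happens only if a web.xml security constraint actually covers the POST carrying the SOAP call; this in-method check therefore catches a constraint that was mis-scoped (for example one limited to GET) by failing closed instead of silently serving the operation.

```java
package example; // constructed package name for this added example

import java.security.Principal;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

/**
 * JAX-WS endpoint with a per-operation authorization check.
 * Container authentication (BASIC + Realm, configured in web.xml and
 * context.xml) establishes the caller's identity; this class refuses to
 * run the operation unless that identity is present and holds the role.
 */
@WebService(serviceName = "HelloService")
public class HelloServiceImpl {

    // Injected by the JAX-WS runtime; exposes the servlet request's principal.
    @Resource
    private WebServiceContext wsContext;

    /**
     * Fails closed: no principal means the container never authenticated
     * this request (typically a security constraint that does not cover POST),
     * and a principal without the role means an authenticated but
     * unauthorized caller. Either way the operation body never runs.
     */
    private Principal requireRole(String role) {
        Principal caller = wsContext.getUserPrincipal();
        if (caller == null) {
            // Thrown as a SOAP fault to the client; also worth logging server-side.
            throw new SecurityException(
                "not authenticated: container supplied no principal for this request");
        }
        if (!wsContext.isUserInRole(role)) {
            throw new SecurityException(
                "forbidden: " + caller.getName() + " is not in role " + role);
        }
        return caller;
    }

    // Constructed operation name; "user" is the role from the added web.xml example.
    @WebMethod
    public String getHelloWorld(String name) {
        Principal caller = requireRole("user");
        return "Hello " + name + " (authenticated as " + caller.getName() + ")";
    }
}
```

Because the check uses the role mapping from web.xml's security-role declarations rather than a user name, it stays consistent with the Realm configuration and can be extended to coarser or finer roles per operation without touching the URL patterns.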