basic authentication for web service not working for UserDataBaseRealm in tomcat 6

anirban ghosh
Greenhorn

Joined: Jun 02, 2013
Posts: 2
I am using UserDataBaseRealm to perform basic authentication in Tomcat 6.
Basically my app is a copy of the example provided at http://www.mkyong.com under the heading "Container Authentication with JAX-WS – (Tomcat version)".
However, my app fails to authenticate even when I provide the correct user name and password, as I get the authentication screen when accessing my service URL from the browser.
Strangely, however, when I use a client to call the service it does not authenticate at all: no matter what I put as user name and password in the client, it always succeeds in calling the service.

Below are my web.xml, tomcat-users.xml and sun-jaxws.xml.

Here is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <listener>
        <listener-class>
            com.sun.xml.ws.transport.http.servlet.WSServletContextListener
        </listener-class>
    </listener>

    <servlet>
        <servlet-name>user</servlet-name>
        <servlet-class>
            com.sun.xml.ws.transport.http.servlet.WSServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <security-role>
        <description>Normal operator user</description>
        <role-name>operator</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Operator Roles Security</web-resource-name>
            <url-pattern>/user</url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <role-name>operator</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Basic Authentication</realm-name>
    </login-config>

    <servlet-mapping>
        <servlet-name>user</servlet-name>
        <url-pattern>/user</url-pattern>
    </servlet-mapping>

    <session-config>
        <session-timeout>120</session-timeout>
    </session-config>
</web-app>

Here is my tomcat-users.xml:

<tomcat-users>
    <role rolename="tomcat"/>
    <role rolename="operator"/>
    <role rolename="manager-gui"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="mkyong" password="mkyong" roles="operator"/>
    <!-- the attribute is "username", not "name"; a "name" attribute is ignored and the admin user is not created -->
    <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>

Here is my sun-jaxws.xml:

<?xml version="1.0" encoding="UTF-8"?>
<endpoints xmlns="http://java.sun.com/xml/ns/jax-ws/ri/runtime"
           version="2.0">
    <endpoint name="User"
              implementation="com.mkyong.ws.UserProfileImpl"
              url-pattern="/user"/>
</endpoints>

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15952

Welcome to the JavaRanch, Anirban! Sorry about the delay.

You can make sample code and XML (pre-formatted text) easier to read if you use the "Code" button in our editor to wrap your text with code tags.

In order to use a Tomcat security Realm, you have to tell the webapp which Realm (if any) you are going to use. That has to be done either in a context XML for the webapp itself or in server.xml in cases where more than one webapp may be operating in the same Realm (such as the Tomcat Manager and Tomcat Admin webapps).

There is a sample UserDataBaseRealm definition in the server.xml that comes with Tomcat, but it is commented out, and therefore not active. You have to uncomment it to use it.


Customer surveys are for companies who didn't pay proper attention to begin with.
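As an added illustration (not part of this thread or of Tim's post) of the Realm wiring described above, this is a per-webapp context file that names the Realm the container should authenticate against. It assumes the JNDI resource name "UserDatabase" used by the UserDatabase entry in the stock Tomcat 6 conf/server.xml; if that resource has a different name in your installation, use that name instead.

```xml
<!-- Added example: META-INF/context.xml inside the webapp
     (or conf/Catalina/localhost/<appname>.xml on the server side).
     Without a Realm the container has nothing to check credentials against,
     so the <security-constraint> in web.xml cannot be enforced. -->
<Context>
    <!-- Authenticate this webapp against the in-memory user database
         that Tomcat loads from conf/tomcat-users.xml.
         resourceName must match the <Resource name="..."> declared in
         <GlobalNamingResources> of conf/server.xml (assumed: "UserDatabase"). -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
</Context>
```

A quick check that the Realm is actually active: request the protected URL (here /user) with no credentials and confirm the server answers 401 with a WWW-Authenticate: Basic header instead of returning the service response; a client that "always succeeds" with any password is usually a sign that the constraint is not being applied at all rather than that the password check is wrong.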
anirban ghosh
Greenhorn

Joined: Jun 02, 2013
Posts: 2
OK, I found it: the problem lies with running the application from Eclipse.
With my previous configuration the authentication works when I export my app as a WAR from Eclipse and deploy it directly in the webapps folder of Tomcat,
then run Tomcat using the startup batch file.
Now there is another problem.
I am providing my service code for reference:





Here is the client:



The authentication works fine at WSDL access level; that is, without proper authentication the application cannot access the WSDL URL.
But the method-level authentication is not working.
Passing any user and password, I can call the service operation.

The web.xml is:

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15952

Web Services security is a problem in its own right, and not specifically just for Tomcat.

Tomcat, like any J2EE-compliant container, provides container-based authentication and authorization based on the URL received, but using this feature with web services has problems.

For one thing, web services are not normally made interactively, so if you put a URL security pattern on the web service call and the server returns a login page, the client probably won't know what to do with it.

For another, the URL security patterns are not a very fine-grained mechanism. So while I do recommend them as a "brute force" first line of defense for most cases, there are often times when you need an additional layer that's more finely in touch with the actual functionality of the resources that the URL is addressing.

There are some books on web services security, although I'm not the person who can recommend ones that are good and up-to-date.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41096
You really shouldn't use servlet security with web services; that's what WS-Security is for, which is supported by all major SOAP stacks.


Ping & DNS - my free Android networking tools app