
Basic authentication for web service not working with UserDatabaseRealm in Tomcat 6

 
anirban ghosh
Greenhorn
Posts: 2
I am using UserDatabaseRealm to perform basic authentication in Tomcat 6.
Basically my app is a copy of the example provided at http://www.mkyong.com under the heading "Container Authentication with JAX-WS – (Tomcat version)".
However, my app fails to authenticate even when I provide the correct user name and password, as I get the authentication screen again when accessing my service URL from the browser.
Strangely, however, when I use a client to call the service it does not authenticate at all: no matter what I put as user name and password in the client, it always succeeds in calling the service.

Below are my web.xml, tomcat-users.xml and sun-jaxws.xml.

Here is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <listener>
        <listener-class>
            com.sun.xml.ws.transport.http.servlet.WSServletContextListener
        </listener-class>
    </listener>
    <servlet>
        <servlet-name>user</servlet-name>
        <servlet-class>
            com.sun.xml.ws.transport.http.servlet.WSServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <security-role>
        <description>Normal operator user</description>
        <role-name>operator</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Operator Roles Security</web-resource-name>
            <url-pattern>/user</url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <role-name>operator</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Basic Authentication</realm-name>
    </login-config>

    <servlet-mapping>
        <servlet-name>user</servlet-name>
        <url-pattern>/user</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>120</session-timeout>
    </session-config>
</web-app>

Here is my tomcat-users.xml:

<tomcat-users>
    <role rolename="tomcat"/>
    <role rolename="operator"/>
    <role rolename="manager-gui"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="mkyong" password="mkyong" roles="operator"/>
    <user name="admin" password="admin" roles="manager-gui"/>
</tomcat-users>

Here is my sun-jaxws.xml:

<?xml version="1.0" encoding="UTF-8"?>
<endpoints xmlns="http://java.sun.com/xml/ns/jax-ws/ri/runtime"
           version="2.0">
    <endpoint name="User"
              implementation="com.mkyong.ws.UserProfileImpl"
              url-pattern="/user"/>
</endpoints>

 
Tim Holloway
Saloon Keeper
Posts: 18020
Welcome to the JavaRanch, Anirban! Sorry about the delay.

You can make sample code and XML (pre-formatted text) easier to read if you use the "Code" button in our editor to wrap your text with code tags.

In order to use a Tomcat security Realm, you have to tell the webapp which Realm (if any) you are going to use. That has to be done either in a context XML for the webapp itself or in server.xml in cases where more than one webapp may be operating in the same Realm (such as the Tomcat Manager and Tomcat Admin webapps).

There is a sample UserDatabaseRealm definition in the server.xml that comes with Tomcat, but it is commented out, and therefore not active. You have to uncomment it to use it.
 
anirban ghosh
Greenhorn
Posts: 2
OK, I found it: the problem lies with running the application from Eclipse.
With my previous configuration, the authentication works when I export my app as a WAR from Eclipse and deploy it directly in the webapps folder of Tomcat,
then run Tomcat using the startup batch file.
Now there is another problem.
I am providing my service code for reference:





Here is the client:



The authentication works fine at the WSDL access level. That is, without proper authentication the application cannot access the WSDL URL.
But the method-level authentication is not working.
Passing any user and password, I can call the service operation.

The web.xml is:

 
Tim Holloway
Saloon Keeper
Posts: 18020
Web Services security is a problem in its own right, and not specifically just for Tomcat.

Tomcat, like any J2EE-compliant container, provides container-based authentication and authorization based on the URL received, but using this feature with web services has problems.

For one thing, web services are not normally made interactively, so if you put a URL security pattern on the web service call and the server returns a login page, the client probably won't know what to do with it.

For another, the URL security patterns are not a very fine-grained mechanism. So while I do recommend them as a "brute force" first line of defense for most cases, there are often times when you need an additional layer that's more finely in touch with the actual functionality of the resources that the URL is addressing.

There are some books on web services security, although I'm not the person who can recommend ones that are good and up-to-date.
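As an added illustration of the "brute force" nature of URL security patterns (this is example code written for this thread, not code from the poster, from Tomcat or from the mkyong sample), the following Python audit parses a web.xml and reports servlet mappings that no auth-constraint covers, or that are only covered for some HTTP methods, which is the kind of gap that lets a SOAP POST through while the WSDL GET is challenged. The web.xml below is constructed, modelled on the one posted above with a second, hypothetical /admin mapping added to show a GET-only constraint.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed web.xml: the /user mapping and constraint mirror the thread's file;
# the /admin mapping and its GET-only constraint are hypothetical.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping><servlet-name>user</servlet-name><url-pattern>/user</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>admin</servlet-name><url-pattern>/admin</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Operator Roles Security</web-resource-name>
      <url-pattern>/user</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin GET only</web-resource-name>
      <url-pattern>/admin</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def covers(pattern, path):
    """Exact match, or a '/prefix/*' pattern that contains the path."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def audit_constraints(web_xml):
    """Return findings for servlet mappings that are unprotected or only partly protected.
    Only <http-method> listings are evaluated; <http-method-omission> is not handled."""
    root = ET.fromstring(web_xml)
    mappings = [m.findtext("j:url-pattern", namespaces=NS).strip()
                for m in root.findall("j:servlet-mapping", NS)]
    protected = []  # (url-pattern, set of methods; "*" means every method)
    for sc in root.findall("j:security-constraint", NS):
        if sc.find("j:auth-constraint", NS) is None:
            continue  # a constraint without auth-constraint does not require login
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = {m.text.strip().upper() for m in wrc.findall("j:http-method", NS)} or {"*"}
            for up in wrc.findall("j:url-pattern", NS):
                protected.append((up.text.strip(), methods))
    findings = []
    for path in mappings:
        methods = set().union(*[m for p, m in protected if covers(p, path)])
        if not methods:
            findings.append(f"{path}: no auth-constraint covers this mapping")
        elif "*" not in methods and "POST" not in methods:
            findings.append(f"{path}: only {sorted(methods)} protected; SOAP POST is unauthenticated")
    return findings
```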
 
Ulf Dittmer
Rancher
Posts: 42967
You really shouldn't use servlet security with web services; that's what WS-Security is for, which is supported by all major SOAP stacks.
 