Re: Authenticating users

[Michael Rudolf]

And another question on this one...my passwords in the LDAP dir are 
encrypted as they are migrated from a UNIX passwd file. The Callback 
Class actually expects me to set the password. How did you do the actual 
authentication then? Can i read the pass in cleartext? I need a 
cleartext pass later in the process for an ssh connection. Any ideas on 
how to do this?

the handler for exracting the login name?  that's basically the code i
included below to extract from the incoming message, then create the user
object, hit the LDAP server (through JNDI api) and then store (actually in a
thread-local so even non-Axis code can get the current user).  the rest is to
include it thus in your server-config.wsdd:
 <service name="FreezerWS" provider="java:RPC" style="document" use="literal">
   <!-- WS-Security handlers -->
   <requestFlow>
     <!-- the header that carries the user's login-name -->
     <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
       <parameter name="action"                value="UsernameToken"/>
       <parameter name="actor"                 value="loginName"/>
       <parameter name="passwordCallbackClass" value="ServerSidePWCallback"/>
     </handler>

     <!-- add a handler that populates the session given the user's
login-name -->
     <handler
type="java:com.amgen.seattle.appdev.freezer.webservice.server.WSLoginNameHandler">
       <!-- the actor of the UsernameToken header with the login-name -->
       <parameter name="headerActor" value="loginName"/>
     </handler>
   </requestFlow>

that's about it.

the best documentation on WSS4J (or at least links to it) SHOULD be in the
Wiki ( http://wiki.apache.org/ws/FrontPage/WsFx ) but i'm not certain one
could say that yet...  i keep a short list of good resources i've found here
http://wiki.apache.org/ws/RonReynolds/Wss4jLinks but it's only a handful of
links but it might give you a starting point. :)  search around in the Wiki
and then your next best bet are the 2 wss4j docs and then Google...

..................ron.

 

Thx for your help. I figured it out now. Didnt see one section of the
WSS4J documentation. You can set the EngineConfiguration to use a wsdd
file inside the program code. As long as this is readable from the
servlet everythings fine.
Is there any good tutorial or documentation on developing these Handlers
like you explained below? I dunno if you mind sharing your Handler
implementation. It would be interesting to see how you did this.
Thanks alot!
Michael

   

i haven't tried this.  it certainly must be possible, but right now i haven't
the time to figure it out.

i would start at MessageContext.getAxisEngine().getGlobalRequest() and search
in that area.  the file itself is loaded by
org.apache.axis.configuration.EngineConfigurationFactoryDefault.  also i seem
to remember someone mentioning that you could access the global request flow
and insert a handler into that flow at runtime.  also if you have permissions
you can call System.setProperty() from a startup servlet (if you want a
possibly much simpler solution that opens up a bunch of possible bugs if
another servlet in the same servlet engine tries to connect to a different
web
service...)

sorry i couldn't be of more help. :-/
...............ron.




     

Ok...i dont use the client_deploy.wsdd....is there any way to avoid
using it? I have the client inside a servlet so i cant specify it with
the java -D.... command line.
Thx!
Michael



       

do you have this in your client-config.wsdd?
<deployment ...>
<transport .../>
<globalConfiguration>
 <requestFlow>
   <!-- add the header that carries the user's login-name -->
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
     <parameter name="action" value="UsernameToken"/>
     <parameter name="actor"  value="loginName"/>
     <parameter name="passwordCallbackClass" value="PWCallback"/>
   </handler>
?

otherwise there won't be any handler in the request flow that knows what to
do
with those properties.

hth.
.............ron.




         

Ok, so i got the server working basically (i think) but when calling it
i get the following exception at the client:

AxisFault
faultCode:
{http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: WSDoAllReceiver: Request does not contain required
Security header


Thats the client code so far:

try {
       binding = new al.JCT.service.JCTServiceLocator().getJCTSession();
       Stub axisPort = (Stub)binding;
       axisPort._setProperty(UsernameToken.PASSWORD_TYPE,
WSConstants.PASSWORD_DIGEST);
       axisPort._setProperty(WSHandlerConstants.USER, "wss4j");
       axisPort._setProperty(WSHandlerConstants.PW_CALLBACK_REF, new
PWCallback());
   }
   catch (javax.xml.rpc.ServiceException jre) {
       jre.printStackTrace();
       return;
   }

   try {
       al.JCT.service.Job[] value = null;
       String ids[] = {"1218"};
       value = binding.getJobStatus("rudi", "qw", null, ids);
       if (value != null) {
         for (int i=0; i < value.length; i++) {
           System.out.println(value[i].getId() + " - " +
value[i].getName() + " - " + value[i].getPe());
           System.out.println(value[i].getReservations());
           System.out.println(value[i].getOutputPaths()[0].getPath());
         }
       }
       binding.submitJob(null, null, null);
   }
   catch (java.rmi.RemoteException re) {
     re.printStackTrace();
     return;
   }


Any ideas on this one?

Thx!
Michael





           

you can extract all the security info by looking at the Vector stored
as a property in the MessageContext:
Vector resultHandlers =
(Vector)MessageContext.getCurrentContext().getProperty(WSHandlerConstants.RECV_RESULTS);


this vector contains, as far as i can tell, everything you could want
to know.
or you can extract the username from the message itself -
ArrayList actorList = new ArrayList();
actorList.add("actor value for my UsernameToken entry");
Message request = MessageContext.getCurrentContext().getRequestMessage();
SOAPEnvelope envelope = (SOAPEnvelope)request.getSOAPEnvelope();
Vector headers = envelope.getHeadersByActor(actorList);
SOAPHeaderElement header = (SOAPHeaderElement)headers.get(0);

you can then extract the actual username by walking the DOM tree to
the node which contains the username
MessageElement usernameTokenElement =
header.getChildElement(USERNAME_TOKEN_QNAME);
MessageElement usernameElement =
usernameTokenElement.getChildElement(USERNAME_QNAME);
String username = usernameElement.getValue();

(you'll also need these)
static final QName USERNAME_TOKEN_QNAME = new
QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
static final QName USERNAME_QNAME = new QName(WSConstants.WSSE_NS,
WSConstants.USERNAME_LN);

in my app i have a handler which i put in the request chain right
after the WSDoAllReceiver which extracts the username using the above
code, does an LDAP lookup of the user to gather roles, and then
creates an app-specific user object which it stores it as a properly
in the MessageContext where anyone in the handling chain can then
extract it via getProperty().

hth.
......................ron.

Michael Rudolf wrote:





             

Thanks a lot for the detailed description! I think this will work
fine for me. One more question about this though: Can i read the
username inside the web service? Or is there any way of getting
information like the group a user belongs to inside the web service
to read it there? It sounds like the Service does get any of this
info since the authentication is completely transparent to the
service itself.
Thanks.
Michael





               

by "Web Services are made out of Session EJBs" you mean you have
Session EJBs that expose a SOAP-over-HTTP interface?  WSS4J uses 2
handlers, one client-side and one server-side (WSDoAllSender
(client) and WSDoAllReceiver (server)) which plug into the handler
chain supported by Axis to "intercept" the request on its way to the
server.  WSDoAllSender adds a WSSecurity header to the SOAP message
on send (configured using a properties file).  WSDoAllReceiver then
processes the incoming message, validates whatever it's configured
to validate and then passes the request on to your handlers/service
(or rejects the message if it does not validate properly).  to add
UsernameTokens to a request and process them on the server requires
a CallbackHandler on the client side which can provide the password
for a user.  this is then processed into a UsernameToken, included
in the SOAP header, and on the server side you'll need another
CallbackHandler which can provide the password for the user (pulled


                 

from LDAP) which WSS4J will compare to what's provided in the


               

UsernameToken and thus authenicate the message before your service
(however it's implemented) ever gets called.  it's quite transparent
for the most part.  it also inserts a few entries in the
MessageContext so you can later determine what kind of authenication
has been done.

hth.
.......................ron.
Michael Rudolf wrote:





                 

Is there any difference in case the Web Services are made out of
Session EJBs? Or does WSS4J work the same way in that case?
Thanks!
Michael





                   

you may want to look at WSS4J and UsernameTokens.  they're pretty
straight-forward as long as your client can support them.  they
are part of
the WS-Security standard if you want to stick with "endorsed"
authentication
mechanisms.  then on the server-side you'll typically need a JNDI
interface to
your LDAP server to authenticate the user on that side.

hth.
................ron.







                     

Hi,
is there any tutorial or example for authenticating users of we
services
by username and pass over HTTPS? Can anybody explain in more
detail how
this works? Is there any alternative to it? I want to query axis web
sercvices from a portal. That uses LDAP for authetication. I
would like
to use the same directory for authenticating the users at the web
services that are being queried.
Thanks for any help!
Michael