Karl is right.

The majority of architects would design a solution which would authenticate at 
the initial entry point, either 
1) the webserver or 
2) a customer-facing servlet (which would implement the NTLM provider with 
HttpClient...)

BUT:
Let's say you're a Scandinavian mobile phone manufacturer and you want to open 
up a direct SOAP interface for your high-profile clients (e.g. BestBuy and/or 
Staples).
You can achieve a secure SOAP service with the rahas and rampart Axis modules.
Here is a sample service configurator that comes with the Rampart security module 
(named s5-services.xml):

<service name="SecureService">
  <module ref="rampart"/>
  <module ref="rahas"/>
  <parameter locked="false" name="ServiceClass">org.apache.rahas.Service</parameter>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
    <actionMapping>urn:echo</actionMapping>
  </operation>
  <parameter name="saml-issuer-config">
    <!-- start NTLM specific -->
    <saml-issuer-config>
      <issuerName>Test_STS</issuerName>
      <issuerKeyAlias>ip</issuerKeyAlias>
      <issuerKeyPassword>password</issuerKeyPassword>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
          <property name="org.apache.ws.security.crypto.merlin.file">rahas-sts.jks</property>
          <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property>
        </crypto>
      </cryptoProperties>
      <timeToLive>300000</timeToLive>
      <keySize>256</keySize>
      <addRequestedAttachedRef />
      <addRequestedUnattachedRef />

      <!-- code a new Java Class which would implement SAMLCallbackHandler and implement NTLM auth -->
      <dataCallbackHandlerClass>org.apache.rahas.SAMLDataProvider</dataCallbackHandlerClass>
      <!--
        Key computation mechanism
        1 - Use Request Entropy
        2 - Provide Entropy
        3 - Use Own Key
      -->
      <keyComputation>2</keyComputation>
      <!--
        proofKeyType element is valid only if the keyComputation is set to 3
        i.e. Use Own Key
        Valid values are: EncryptedKey & BinarySecret
      -->
      <proofKeyType>BinarySecret</proofKeyType>
      <trusted-services>
        <service alias="bob">http://localhost:5555/axis2/services/SecureService</service>
        <service alias="bob1">http://localhost:5555/axis2/services/SecureService1</service>
        <service alias="bob2">http://localhost:5555/axis2/services/SecureService2</service>
        <service alias="bob3">http://localhost:5555/axis2/services/SecureService3</service>
        <!--
          you can change the PortNumber but you will need to update the
          following Server and Client files
            .\src\main\java\org\apache\axis2\integration\UtilServer.java
            .\src\main\java\org\apache\axis2\integration\UtilsTCPServer.java
            .\src\main\java\org\apache\rahas\TestClient.java
          end file listing with hardcoded Port numbers
        -->
      </trusted-services>
    </saml-issuer-config>
  </parameter>
  <parameter name="InflowSecurity">
    <action>
      <items>UsernameToken Timestamp</items>
      <!-- custom Callback class implements javax.security.auth.callback.CallbackHandler for incoming requests -->
      <passwordCallbackClass xmlns="">org.apache.rahas.PWCallback</passwordCallbackClass>
    </action>
  </parameter>
  <parameter name="OutflowSecurity">
    <action>
      <items>Timestamp</items>
      <user>ip</user>
      <!-- custom Callback Class implements javax.security.auth.callback.CallbackHandler for outgoing responses -->
      <passwordCallbackClass xmlns="">org.apache.rahas.PWCallback</passwordCallbackClass>
      <enableSignatureConfirmation>false</enableSignatureConfirmation>
    </action>
  </parameter>
</service>

More information on implementing custom security providers in rampart is 
available at
http://axis.apache.org/axis2/java/rampart/

Good luck!
Martin 
________________________________
> From: karl.wri...@nokia.com 
> To: java-dev@axis.apache.org; java-dev-...@axis.apache.org 
> Subject: RE: [axis2] NTLM v2 Authentication using Apache Axis2 Java Client 
> Date: Fri, 1 Mar 2013 13:25:10 +0000 
> 
> 
> The HttpComponents/HttpClient implementation of NTLM contains modern 
> and tested support for this functionality. I have no idea what the 
> Axis implementation is based on, but probably it is extremely old and 
> out of date. 
> 
> 
> 
> Karl 
> 
> 
> 
> From: ext ajaya_senap...@dell.com [mailto:ajaya_senap...@dell.com] 
> Sent: Friday, March 01, 2013 6:45 AM 
> To: java-dev@axis.apache.org; java-dev-...@axis.apache.org 
> Subject: [axis2] NTLM v2 Authentication using Apache Axis2 Java Client 
> 
> 
> 
> Hi All, 
> 
> 
> 
> I am using Apache Axis2 v1.6.2 for generating the web service code 
> using wsdl2java utility. 
> 
> The web service I am trying to connect uses NTLM v2 authentication ( 
> using 
> org.apache.axis2.transport.http.HttpTransportProperties.Authenticator 
> - Authenticator.NTLM). 
> 
> 
> 
> The client code I am using always returns a “401 – Unauthorized” 
> response. 
> 
> I have browsed through different sites, but did not get any help. 
> 
> 
> 
> Can anybody suggest how this issue can be fixed? 
> 
> 
> 
> Thanks & Regards 
> 
> Ajaya Kumar Senapati                                    
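
A password callback of the kind the InflowSecurity comment in the configuration above refers to, as an added example that is not part of the original thread or of the Rampart samples. The class name, package and client identities are hypothetical, and it assumes the WSS4J 1.6.x API (org.apache.ws.security) used by Rampart 1.6.x.

```java
package example; // hypothetical package

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/** Hypothetical replacement for org.apache.rahas.PWCallback in InflowSecurity. */
public class ClientPasswordCallback implements CallbackHandler {

    // Constructed sample data; a real deployment would query a credential store.
    private static final Map<String, String> CLIENT_SECRETS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("client-a", "constructed-secret-a");
        m.put("client-b", "constructed-secret-b");
        CLIENT_SECRETS = Collections.unmodifiableMap(m);
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            // This handler serves UsernameToken validation only; key passwords
            // for signing or decryption are deliberately not handed out here.
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb, "unsupported usage");
            }
            String expected = CLIENT_SECRETS.get(pwcb.getIdentifier());
            if (expected == null) {
                // Unknown identity: supply nothing so validation fails closed.
                throw new UnsupportedCallbackException(cb, "unknown identity");
            }
            // Assumption (WSS4J 1.6.x): the library compares this value with
            // the password or digest carried in the incoming UsernameToken.
            pwcb.setPassword(expected);
        }
    }
}
```

To use it, the class would be named in the passwordCallbackClass element of the InflowSecurity parameter in place of org.apache.rahas.PWCallback.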