I'm building a java app that needs to get some data from a web service. I've been provided with a wsdl file and all the info I need, but getting back the 401 code, not authorised. I've been told by the guy who did the web service, that the web service directory in IIS must have anonymous authentication turned off therefore I need to pass windows credentials. I've been googling for a solution for quite a while but not found anything that doesn't pass the username and password directly. What I need to do is to use the credentials the user is logged in to windows, so that entering the username and password is no longer needed. Has anyone an experience with this? I found somethig called SPNEGO, but that also uses username and password directly.
Thanks for any help.
You did not write, which webservice framework you use (I assume you're not creating and sending the soap-request by hand).
I assume that the webservice is secured via http-basic authentication.
If I'd be you, I'd do a quick test with the testing tool soapUI which supports this feature against your webservice and check, if this is the case
(See: http://www.soapui.org/SOAP-and-WSDL/authenticating-soap-requests.html)
If you'll be succesful, you will need to pass the user and password within the http-header area.
(See part "client" here: http://en.wikipedia.org/wiki/Basic_access_authentication for an example value)
Yeah, sorry, forgot to mention that I'm using axis. Nevertheless, finally managed to authenticate to the service, as it turned out it didn't use the basic authentication but NTLM. So now I do something like this:
BAWebServiceLocator locator = new BAWebServiceLocator(getEngineConfiguration());
BAWebServiceSoap baWebServiceSoap = locator.getBAWebServiceSoap(url);
((Stub)baWebServiceSoap).setUsername(props.getProperty("username"));
((Stub)baWebServiceSoap).setPassword(props.getProperty("password"));
So I still have to pass in my username and password. What I'd like to do is to use the credentials that I am logged in to windows. Any ideas?
Related
I'm learning Web services. I have created an Rest API on local machine in eclipse. And the url looks like this http://localhost.com/Web/Test/Client
What It does is when I call this url as POST method with username and parameters in url's body, I get one token which I'm using somewhere else. Upto here its working fine. I pass username and password and I get a token once my API's code verifies the credentials coming in url's body.
So after that I read about security of Rest API so that no body could access my credentials which are coming with url. It says it needs to be converted into HTTPS from HTTP.
But I could not understand more how and where this security needs to be configured in my code. Do I need to write any code to achieve this or any settings are required ? I'm totally blank here.
Can anyone please help me to understand this and tell me what needs to be done to get HTTPS for my url ?
What you need to do here is create a self signed certificate and configure channel security. I highly recommend you to use spring security framework to get this thing done. This article will help you.
To require HTTPS for the login page modify your security configuration by adding the following:
http.requiresChannel()
.antMatchers("/login*").requiresSecure();
I'm new to java and I'm trying to understand the way we identify users who uses webservices.
The program will be downloaded from my website. It needs to make a connection to my server side web service program.
I think there are 2 options for identifying the user:
Register on website and download web service. A single user id key is then generated when downloading the program. I don't know if this is possible + verification of registration can only be done by email: not 100% sure of user identity.
Download web service and log in into it.
This seems a better way, but I'm not sure this is the way to do it...
Most services use HTTP authentication because the surrounding HTTP protocol already brings all the necessary features. Actually, your web service framework comes with all the plumbing necessary to easily set this up.
Another solution is to have a method which is called login() that takes a user name and a password. All other methods return errors until login() has been called successfully once.
Note that you must use HTTPS as protocol, otherwise passwords will be transmitted either as plain text or with a trivial encryption that is easy to break. Or to put it another way: Without HTTPS anyone willing to invest a couple of minutes of time will be able to use your service.
I have a web application which is hosted on apache web server. And i have external java application which runs on tomcat integrated in this web application.
The apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on tomcat to check against ldap and authorize the user.
I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is will i be able to authenticate a user against Tomcat server via LDAP with just the username and not the password?
PS: Sorry there is no code or configuration that I can post at this point. The only resources i found implemented both username and password. I cannot kerberize the tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have
access to the user's password. But I'm able to get the groups the user belongs to and based
on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! Its very insecure.
(Well, its not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with a IIS server. So basically, its the same thing, except you won't need C#.
I need to know if a user entered correct login information to Microsoft Active directory
I want the user to enter username and password on an xpage and it should only return if these values was entered correctly or not.
I know I can use ldap requests and send in credentials but have not seen any working solutions for this.
I need to use java as the code should be able to run on non windows servers
There are a number of approaches you can take:
The easiest would be to link the AD to Domino using DirectoryAssistance and let users login using their AD credentials in the first place.
If IIS is running on the AD server you could send an HTTP request using the Apache HTTPClient (and basic authentication) and see what's coming back
The best working Java libraries are listed in the Apache Directory project. There you would do an LDAP query (e.g. the user herself)
Let us know which one works for you
You can use JNDI to access the Active Directory. There are a lot of ressources on the web on how to do this, for example have a look at http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/
You have tagged the question as XPage, do you want to do the authentication from inside domino? In that case the domino server could do the authentication.
I'm working on a server written in Java, and a client (a desktop application written in .Net) that runs on Windows machines on the same network. I would like to have some basic authentication so that the server can determine the username of the user running the client, without needing the user to re-enter their Windows password in the client.
Is this possible, and what's the simplest way to accomplish it?
I had a look at some of the available APIs, it looks as though the org.ietf.jgss package in Java, and NegotiateStream class in .Net, should probably be able to talk to one another to achieve this - but I keep hitting frustrating error messages I don't understand. I thought I'd check if this is the right approach, if so I'll post a separate question with more detail about the errors in question :)
The approach is the right one. Notice a number of things, though:
this will have nothing to do with "Basic Authentication" (in http)
.NET will try to use the SPNEGO GSS mechanism. See the Sun documentation for proper support of this mechanism.
your service will need to incarnate a service principal. So you need to create an Active Directory account not only for the user, but also for the service, and you need to put the service's password into the Java keytab.
If you're using Active Directory, I think the Spring LDAP module can offer you a nice way to access credentials.
Not being familiar with the GSS mechanism. I would suggest a shared key mechanism used in passwordless ssh.
This open source library http://spnego.sourceforge.net has exactly what you are looking for. It implements an HTTP Servlet Filter on the server so that your web-app can call request.getRemoteUser() to find out the username.