passing password credential from one application server to another

 
Greenhorn
Posts: 10
Hello,

Has anybody faced this issue of passing credentials from one application server (say X) to another (say Y)? There is an application on server X which makes a web service call to the other (Y). The X application needs to send username and password information to Y to create a login context on Y.
Thanks in advance....
 
Rancher
Posts: 43081
WSS4J (on ws.apache.org) is the standard Java implementation of the WS-Security standard, which specifies how usernames and passwords are used with WS.

If you're not actually talking about passwords for WS, but using WS for transporting passwords for other purposes, then the best option probably is to treat the usernames/passwords as regular strings of data, and to encrypt them in transit.
 
sandhya mridul
Greenhorn
Posts: 10
Thanks for your reply. Yes, I mean transporting the username/password for retrieving data filtered on the username. I am using weblogic as the client for the web service call. Yes, the password will be passed as a data string, but I don't want to hardcode the password value. Is there a way in which the weblogic api allows users to retrieve it at runtime?
 
Ulf Dittmer
Rancher
Posts: 43081
I don't understand what you mean by "hardcoding". The string would be a regular parameter (although encrypted), and its value could/would change for every invocation of the WS.

I also don't understand what this means: "Is there a way in which the weblogic api allows users to retrieve it at runtime?" WL is the WS client, so it doesn't retrieve the username at runtime, it sets it.

Maybe you can describe in more detail how the process should work.
 
sandhya mridul
Greenhorn
Posts: 10
It's like this...
A secured JSP page is submitted to a servlet. We make a web service call from WebLogic to another application server. Now this call needs to pass the username/password to the other application server.
Since we are using basic authentication for the WL application, WL will have to retrieve the username/password and set it in the WS call. We are not able to figure out how to retrieve the username/password using WL APIs, so we are setting them explicitly, i.e. hardcoding them.
 
Ulf Dittmer
Rancher
Posts: 43081
OK, you want the username/password used for accessing the web app on the first app server to be passed on as part of the WS call to the second app server.

You can use the HttpServletRequest.getRemoteUser and getPrincipal methods to determine which user is currently accessing the system. Then you can use that username to retrieve the password from whichever repository the WL server uses to authenticate users.
 
sandhya mridul
Greenhorn
Posts: 10
We have been trying APIs in the weblogic.security and related packages, but are not able to hit on anything. We find that the credentials are either hashed or encrypted internally by WL. Can you help us on this? Thanks for your replies...
 
Ulf Dittmer
Rancher
Posts: 43081
Are you saying that you tried both getRemoteUser and getPrincipal, and that neither of them returned a cleartext username? That would be a violation of the Servlet API, so I think you might be doing something wrong.

Where (e.g., database, LDAP, ...) does WL look for its username/password information? You should be able to access that user directory by some other means to get at the password (of course, the password might be hashed in that directory, in which case you won't be able to get at it in cleartext). But since the user is authenticated already, wouldn't it be sufficient to just pass along the username?
 
sandhya mridul
Greenhorn
Posts: 10
getPrincipal() does return a cleartext username, but the password is not in clear text. Actually, no authentication on the other end should be required, but the Java proxy that is generated from the WSDL (the web service is on the other application server) does not give me an API to pass only the username. It either takes no arguments or both username and password.
 
Ulf Dittmer
Rancher
Posts: 43081
Then you should look into the second part of my previous post - either retrieve the password from the repository, if feasible, or have the provider of the WS add a method call that takes just a username.
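
Since the thread says the WL application uses HTTP Basic authentication, the password the user typed also arrives on every request in the `Authorization` header, so it can be read from there at runtime rather than from the hashed repository or a hardcoded value. The following is an added example, not code from the thread or from WebLogic: the class `BasicAuthRelay` and its methods are hypothetical, the sample input is constructed, and it assumes the container leaves the header on the request and that the credentials are UTF-8 encoded.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (hypothetical class): recover the credentials a Basic-auth caller just sent.
public final class BasicAuthRelay {

    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
        // Keep the password out of logs if the object is ever printed.
        @Override public String toString() {
            return "Credentials[" + username + ", password=<redacted>]";
        }
    }

    // authorizationHeader: value of request.getHeader("Authorization")
    // remoteUser: value of request.getRemoteUser(), the user the container authenticated
    // Returns null when the header is absent, not Basic, malformed, or names another user.
    public static Credentials fromHeader(String authorizationHeader, String remoteUser) {
        if (authorizationHeader == null || remoteUser == null) return null;
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8); // assumed charset
        int colon = pair.indexOf(':'); // split on the first ':' only; passwords may contain ':'
        if (colon < 0) return null;
        String user = pair.substring(0, colon);
        if (!user.equals(remoteUser)) return null; // header must match the authenticated user
        return new Credentials(user, pair.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample input: "alice:s3:cret" as a Basic header value.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(fromHeader(header, "alice"));       // parsed, password redacted
        System.out.println(fromHeader(header, "bob") == null); // user mismatch is rejected
    }
}
```

The `username` and `password` fields can then be handed to the generated proxy, with the call to the second server encrypted in transit as suggested earlier in the thread.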
 