New article: Web Services Authentication with Axis 2

The current issue of the JavaRanch Journal has an article by -ahem- your truely about Web Services Authentication with Axis 2. You can check it out here, and if you have comments or question, feel free to post them in this thread.

Very nice and useful article Ulf.
I was looking for such one.
Regards
Balaji

Firstly: I hate the name Axis2. Axis2 1.3 is as bad as Java2 1.5, stupid marketing.

I had a similar discussion a while ago on just this topic, and the suggestion I was given was almost exactly the same: use the inflow/outflow model to parse the security header and NOT to include the security in the WSDL definition.

Why are you using the OutflowSecurity rather than InflowSecurity?

Why are you using the OutflowSecurity rather than InflowSecurity?[/QB]

I'm generally more concerned with having the client properly authenticate itself to the server, rather than the other way around. The assumption is that this is a publicly accessible service, and that it is the client that is inherently untrusted, not the server. (If encryption was used, one would want to apply it both ways.)

this information is very useful because i need to put the same soap request for accessing web serivce (Timestamping, Authentication, Encryption and Signature)i generated the client code using RAD and in the web services web browser i got methods for accessing web services but when i invoke the methods i am gettingg exception in the results page.so i need to set the username and password using (Timestamping, Authentication, Encryption and Signature) apache axies run time environment i dont know how to write the client for settting the username and password how i get these type of soap request and response if i get these type of soap request i may get the soap response (result).can you please help m in this one.

thanks.

Originally posted by rajini kriya:
so i need to set the username and password using (Timestamping, Authentication, Encryption and Signature)

The article shows how to set username and password using WS-Security with Axis. That has nothing to do with timestamps, encryption or signing, though.

I tried copying the file rampart1.1 in to the modules directory and I'm seeing it being listed under Faulty Modules. Does anybody see the same error ?

Thanks

- Harjit

Originally posted by Harjit Singh:
I tried copying the file rampart1.1 in to the modules directory and I'm seeing it being listed under Faulty Modules.

Which Axis version are you using? Rampart 1.1 is meant for Axis2 1.1. If you're using Axis2 1.2 or 1.3, you should download the Rampart version that goes with those. Look for "Modules" on the download page.

I have AXIS 1.3 Here is the output from the HappyAxis.jsp

Found Axis2 default Version service and Axis2 is working properly.
Now you can drop a service archive in axis2/WEB-INF/services. Following output was produced while invoking Axis2 version service

Hello I am Axis2 version service , My version is 1.3

I tried and copied rampart1.3 .mar and still the same issue.

- Harjit

Hi,

I am having a similar issue with rampart1.3 and axis2 version 1.3.

Axis2 reports no errors on the HappyAxis page, however, when checking if rampart is loaded correctly only rahas shows under the available modules. rampart-1.3 is listed under the faulty modules section.

Did you have any luck in discovering what the issue is?

Thanks for any help.
Aoife.

Originally posted by Harjit Singh:
I have AXIS 1.3 Here is the output from the HappyAxis.jsp

Found Axis2 default Version service and Axis2 is working properly.
Now you can drop a service archive in axis2/WEB-INF/services. Following output was produced while invoking Axis2 version service

Hello I am Axis2 version service , My version is 1.3

I tried and copied rampart1.3 .mar and still the same issue.

- Harjit

Place those MAR files (rampart, rahas and addressing) on the same class path of axis2 jar files on the client side and then the client side code would work correctly. I just tested it with the version of Axis2 1.3.

Make the server side run with rampart is less painful but it is not headache free.

Go with Apache CXF as it is such a good experience to feel it yourself.

I just noticed that the article only mentions that rampart.mar should be copied to the Axis WEB-INF/lib directory. In fact, the addressing.mar file also needs to be copied. I've changed the article accordingly.

Hey, I had the same problem when trying to put rampart to work with Tomcat. The solution that worked for me was to copy the jars in the rampart lib directory to the ...\apache-tomcat-6.0.16\webapps\axis2\WEB-INF\lib\ folder as well and restart Tomcat.

I've a problem, tried running the example in this article and after setting everything up ok, I get the following error:

WSDoAllReceiver: Incoming message does not contain required Security header
in TCPMonitor...as I am pretty new to web services and Axis2 especially, I would really need some help with this.

WSDoAllReceiver: Incoming message does not contain required Security header in TCPMonitor...

Does TCPMonitor show that those headers are present? The article describes how they look like.

How are you running the example?

Hi Ulf,
Nice article.

I have one issue - I am using an .Net webservice.
It uses NTLM authentication.
Can you please guid me how i can use Axis2 to authenticate against this web service.

Regards
Harry

I am using an .Net webservice. It uses NTLM authentication.
Can you please guid me how i can use Axis2 to authenticate against this web service.

Neither Axis nor WS-Security support NTLM, so you will need to roll your own. If you're writing a Java client, have a look at the HttpClient library; it supports NTLM authentication. That doesn't help much with sending XML, though. You'll need to generate the SOAP programmatically, and then hand that to HttpClient to send. Not particularly hard to do, but kind of a hack.

WS-Security is the way to go for this kind of authentication.

How to configure Axis2 to support Basic, NTLM and Proxy authentication?

Basic,Digest and NTLM Authentication

org.apache.axis2.transport.http.HttpTransportProperties.Authenticator

Originally posted by Ulf Dittmer:
WS-Security is the way to go for this kind of authentication.

If you can get the publishers of the web service to see the (interoperability) errors in their ways ...
[ March 04, 2008: Message edited by: Peer Reynders ]

Basic,Digest and NTLM Authentication

I stand corrected. I completely missed that Axis 2 can do this now. But it seems that this is about the server side; can it be used in a similar way for the client side?

HttpClient supports three different types of http authentication schemes: Basic, Digest and NTLM. ... NTLM is the most complex of the authentication protocols supported by HttpClient. ... These differences are generally handled by HttpClient...

The use of the Commons HttpClient made me assume that they are talking about the client side Axis2 libraries. I certainly wouldn't expect the server side to implement NTLM authentication.
[ March 04, 2008: Message edited by: Peer Reynders ]

Very good articles Ulf!

Only you was able to make me understand WS-Security

But I feel WSS isn't worth at all. As I can understand it uses either plaintext password or encrypts it.

For plaintext there's no security, and a simple parameter inside operations could pass username and password from client to server.

And for encryption, it's very interesting that we can use our own extended class to handle it. But syncronous encryption is useless for general client use, because if the key is stolen it will be used to steal password.

And if we use asynchronous encryption, we already have HTTPS, which is simpler and doesn't create complexity for neither the SOAP server or the client. The advantage would be that only password is being encrypted and not the whole message, but Axis2 adds around 4-6 milisecs of overhead, so I think HTTPS overhead wouldn't be so expensive in this context, with the advantage of having whole message protected.

The password isn't sent encrypted, it's sent hashed, and that is handled by the WS engine - so there is no need to for a pre-shared password of some kind. It seems that you're mixing up the handling of the password for WS Authentication with the handling of keys for WS Encryption.

HTTPS works on the transport level, rather than the message level. For many deployment scenarios that may be sufficient, but for some it isn't. It's also only applicable for HTTP communication (which admittedly covers the vast number of SOAP calls, but not all).