digest authentication on client side implementation.

Hi
My project has webservices that are using digest authentication. I am trying to modify client implementation(JAX-RPC) to include unsername and password. i am using axis 1. i got how to include basic authentication from here . but not able to find one for digest authentication. webservices work fine using soap UI using username and password. if anyone has implemented digest authentication on client side, can you please help me in modifying client code, or appreciate if you can point me to sources.
thanks

Does the servlet container you're using to run Axis even support digest authentication?

we are using spring framework. and in securityPolicy.xml , configuration to use digest authentication has been set in this way.
<xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>

Should I check any where else to know that it supports digest authentication?

I can run this webservice from SOAP UI. by giving username and password credentials. there is an option to select wss-passowrd Type. I chose password digest option. here is request soap message generated.
<soapenv:Envelope xmlns:sch="http://www.name.com/c2/buyer/schemas" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">[\r][\n]" <soapenv:Header>[\r][\n]" <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">[\r][\n]" <wsse:UsernameToken wsu:Id="UsernameToken-374859" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[\r][\n]" <wsse:Username>205804</wsse:Username>[\r][\n]" <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">5NoJ/24M4x1U2P6AQDPkyfhmuPM=</wsse:Password>[\r][\n]" <wsse:Nonce>k0zsYvVYFsgSwVqxALzw+Q==</wsse:Nonce>[\r][\n]" <wsu:Created>2009-10-08T17:04:04.211Z</wsu:Created>[\r][\n]" </wsse:UsernameToken>[\r][\n]" </wsse:Security>[\r][\n]" </soapenv:Header>[\r][\n]" <soapenv:Body>[\r][\n]" <sch:BidLimitsSummaryRequest/>[\r][\n]" </soapenv:Body>[\r][\n]" </soapenv:Envelope>"


here is java client which should be modified for adding digest authentication.

package com.name.c2.buyer.schemas; public class AuctionItemsFetcher { public static AuctionItem[] getAuctionItemsList(String type) { try { System.out.print("Within AuctionItemFetcher() . . . "); LotsServiceLocator serviceLocator = new LotsServiceLocator(); Lots lots = serviceLocator.getLotsSoap11(); AuctionItemsRequest auctionItemsRequest = new AuctionItemsRequest(); auctionItemsRequest.setType(type); //System.out.println("Using basic authentication"); // to use Basic HTTP Authentication: //((Stub) lots)._setProperty(Call.USERNAME_PROPERTY, "user name"); //((Stub) lots)._setProperty(Call.PASSWORD_PROPERTY, "password"); System.out.println("Returning from AuctionItemFetcher()"); return lots.auctionItems(auctionItemsRequest); // return new QueryItem[0]; } catch (Exception e) { e.printStackTrace(); return new AuctionItem[0]; } } public static void main(String[] args) { AuctionItem[] autionItems = (AuctionItem[]) getAuctionItemsList("F|V"); System.out.println(autionItems.length); } }

So you're not talking about HTTP Digest Authentication, you're talking about a WS-Security Username token that has been digested. That works in an entirely different way, and will not be easy to add to your client (particularly since it uses the JAX-RPC API, which is obsolete).

Which SOAP stack are you using on the client side?

that's right Ulf. It is not http digest authentication rather i need to send soap headers with this authentication details.
i see axis and saaj on client side.

Looking at your code, I think it's more likely that it's using JAX-RPC (which you mentioned in the first post) than SAAJ. Thus you'd be using Axis 1 (and not Axis 2, which does not support JAX-RPC). Luckily for you, someone has written up how to secure an Axis 1-based web service - I did! :-) Read it, work through the examples, see how they might apply to your code, and come back with questions if something doesn't make sense.

hi Ulf
a client deployment descriptor, which tells WSS4J how to handle security for the request on the client: client_deploy_sec.wsdd


this is given as one of the steps. how do i find for this file. i searched workspace for any file with wsdd extension and found none.
can you elaborate a bit on this. like what other elements will it have.

hi ulf
<handler type="java:org.apache.ws.axis.security.WSDoAllSender"> <parameter name="action" value="UsernameToken"/> <parameter name="user" value="wsuser"/> <parameter name="passwordCallbackClass" value="fibonacci.handler.PWCallbackClient"/> <parameter name="passwordType" value="PasswordText"/> <!-- <parameter name="passwordType" value="PasswordDigest"/> --> </handler>

here in deployment descriptor you are giving user name value. i get username in client. so i will not know before hand what values to set in deployment descriptor. i donot need to check whether this user is valid or not on client side, server side web service takes care of that. i found a way to access headers in client. SOAPHeaderElement[] headers = ((Stub) lots).getHeaders(); for(SOAPHeaderElement header :headers){ System.out.println(header.getName()); System.out.println(header.getValue()); }

so should i try to set soap headers such that it looks similar to soap request generated by SOAP UI?

this is given as one of the steps. how do i find for this file.

The download that comes with the article has that, and everything else you need to get the examples running (except for Axis itself and WSS4J - just follow the links in the articles).

Hi
I am following source code that you gave. According to that sample code, i am writing deploy.wsdd file. it requires class name of webservice. How do you find class name of webservice from wsdl? here is my wsdd. <service name="bidLimits-sec" provider="java:RPC" style="document" use="literal"> <requestFlow> <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver"> <parameter name="passwordCallbackClass" value="PWCallbackClient"/> <parameter name="action" value="UsernameToken"/> </handler> </requestFlow> <parameter name="className" value="[b]samples.stock.StockQuoteService[/b]"/> <parameter name="allowedMethods" value="getQuote"/> <parameter name="scope" value="application"/> </service>

I need to replace samples.stock.StockQuoteService with my web service class name. I have wsdl. <wsdl:definitions targetNamespace="http://www.copart.com/c2/buyer/schemas"> − <wsdl:types> − <schema attributeFormDefault="unqualified" elementFormDefault="qualified" targetNamespace="http://www.copart.com/c2/buyer/schemas"> + <element name="BidLimitsSummaryRequest"> <complexType/> </element> + <element name="BidLimitsSummaryResponse"> − <complexType> − <sequence> <element ref="tns:BidLimitsSummary"/> </sequence> </complexType> </element> + <element name="BidLimitsSummary"> − <complexType> − <sequence> <element name="BidLimitCount" type="integer"/> <element name="BidLimitAmount" type="integer"/> <element name="BidLimitCountCurr" type="integer"/> <element name="BidLimitAmountCurr" type="integer"/> </sequence> </complexType> </element> + <element name="queryItemsRequest"> <complexType/> </element> + <element name="queryItemsResponse"> − <complexType> − <sequence> <element maxOccurs="unbounded" ref="tns:queryItem"/> </sequence> </complexType> </element> + <element name="queryItem"> − <complexType> − <sequence> <element name="type" type="string"/> <element name="description" type="string"/> </sequence> </complexType> </element> + <element name="auctionItemsRequest"> − <complexType> − <sequence> <element minOccurs="0" name="type" type="string"/> </sequence> </complexType> </element> + <element name="auctionItemsResponse"> − <complexType> − <sequence> <element maxOccurs="unbounded" ref="tns:auctionItem"/> </sequence> </complexType> </element> + <element name="auctionItem"> − <complexType> − <sequence> <element name="lotNumber" type="integer"/> <element name="bidderNumber" type="integer"/> <element name="lotYear" type="string"/> <element name="make" type="string"/> <element name="model" type="string"/> <element name="currentBid" type="decimal"/> <element name="percentChange" type="decimal"/> <element name="imagePath" type="string"/> </sequence> </complexType> </element> </schema> </wsdl:types> − <wsdl:message name="BidLimitsSummaryRequest"> <wsdl:part element="tns:BidLimitsSummaryRequest" name="BidLimitsSummaryRequest"> </wsdl:part> </wsdl:message> − <wsdl:message name="auctionItemsResponse"> <wsdl:part element="tns:auctionItemsResponse" name="auctionItemsResponse"> </wsdl:part> </wsdl:message> − <wsdl:message name="queryItemsResponse"> <wsdl:part element="tns:queryItemsResponse" name="queryItemsResponse"> </wsdl:part> </wsdl:message> − <wsdl:message name="auctionItemsRequest"> <wsdl:part element="tns:auctionItemsRequest" name="auctionItemsRequest"> </wsdl:part> </wsdl:message> − <wsdl:message name="queryItemsRequest"> <wsdl:part element="tns:queryItemsRequest" name="queryItemsRequest"> </wsdl:part> </wsdl:message> − <wsdl:message name="BidLimitsSummaryResponse"> <wsdl:part element="tns:BidLimitsSummaryResponse" name="BidLimitsSummaryResponse"> </wsdl:part> </wsdl:message> − <wsdl:portType name="Buyer"> − <wsdl:operation name="auctionItems"> <wsdl:input message="tns:auctionItemsRequest" name="auctionItemsRequest"> </wsdl:input> <wsdl:output message="tns:auctionItemsResponse" name="auctionItemsResponse"> </wsdl:output> </wsdl:operation> − <wsdl:operation name="queryItems"> <wsdl:input message="tns:queryItemsRequest" name="queryItemsRequest"> </wsdl:input> <wsdl:output message="tns:queryItemsResponse" name="queryItemsResponse"> </wsdl:output> </wsdl:operation> − <wsdl:operation name="BidLimitsSummary"> <wsdl:input message="tns:BidLimitsSummaryRequest" name="BidLimitsSummaryRequest"> </wsdl:input> <wsdl:output message="tns:BidLimitsSummaryResponse" name="BidLimitsSummaryResponse"> </wsdl:output> </wsdl:operation> </wsdl:portType> − <wsdl:binding name="BuyerSoap11" type="tns:Buyer"> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> − <wsdl:operation name="auctionItems"> <soap:operation soapAction=""/> + <wsdl:input name="auctionItemsRequest"> <soap:body use="literal"/> </wsdl:input> + <wsdl:output name="auctionItemsResponse"> <soap:body use="literal"/> </wsdl:output> </wsdl:operation> + <wsdl:operation name="queryItems"> <soap:operation soapAction=""/> + <wsdl:input name="queryItemsRequest"> <soap:body use="literal"/> </wsdl:input> + <wsdl:output name="queryItemsResponse"> <soap:body use="literal"/> </wsdl:output> </wsdl:operation> + <wsdl:operation name="BidLimitsSummary"> <soap:operation soapAction=""/> + <wsdl:input name="BidLimitsSummaryRequest"> <soap:body use="literal"/> </wsdl:input> + <wsdl:output name="BidLimitsSummaryResponse"> <soap:body use="literal"/> </wsdl:output> </wsdl:operation> </wsdl:binding> − <wsdl:service name="BuyerService"> + <wsdl:port binding="tns:BuyerSoap11" name="BuyerSoap11"> <soap:address location="/services"/> </wsdl:port> </wsdl:service> </wsdl:definitions>


I am trying to secure auctionItems operation.


May I know how to find associated webservice class. I am really new to webservice. If this doubt is really simple, please suggest some tutorials such that i can get this information.
thanks

That sounds a bit odd. Are you starting out with a WSDL before you have the web service itself? That's a scenario I've never worked in, so I can't help with that. I've always started with the service, and then the SOAP implementation (Axis in this case) generates the WSDL from that.

But as regards the class name: you can choose whichever one you want, since the class name is not part of the WSDL.

hi Ulf,
I have web service already. and stubs are generated using wsdl2java. but while running them , it requires digest authentication because on server side web service requires username and password. so I am modifying client implementation such that it sends username and password details in soap:header .

I followed steps for configuring client in http://ws.apache.org/wss4j/axis.html

1. add client_deploy.wsdd to client side code. <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/> <globalConfiguration > <requestFlow > <handler type="java:org.apache.ws.axis.security.WSDoAllSender" > <parameter name="timeToLive" value="60"/> <parameter name="action" value="UsernameToken"/> <parameter name="user" value="wsuser"></parameter> <parameter name="passwordCallbackClass" value="PWCallbackClient"/> <parameter name="passwordType" value="PasswordDigest"/> </handler> </requestFlow> </globalConfiguration> </deployment>

2. added PWCallBackClient
package com.copart.c2.buyer.schemas; import java.io.IOException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; public class PWCallbackClient implements CallbackHandler { // the username and password to use for authentication private String user = "wsuser"; private String pwd = "happy"; public void handle (Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof WSPasswordCallback) { WSPasswordCallback pc = (WSPasswordCallback) callbacks[i]; if (user.equals(pc.getIdentifer())) { pc.setPassword(pwd); } } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } }
3a. In Fetcher class which calls stubs generated by wsdl2Java, i did pass username and password.
stub._setProperty(Stub.USERNAME_PROPERTY, "205804"); stub._setProperty(Stub.PASSWORD_PROPERTY, "happy");

3b. added client_deploy file programatically by placing it in same directory as other class files.

EngineConfiguration config = new FileProvider("client_deploy.wsdd"); LotsServiceLocator serviceLocator = new LotsServiceLocator(config);
When I run fetcher class, it is not able to find client_deploy.wsdd file using FileProvider.

As to #3a, you don't need that. Those passwords are for HTTP authentication, not for WS-Security authentication. The password gets sets by the code in #2.

As to#3b, try an absolute path.

hi Ulf,
I changed it to absolute path. It is getting deployment element of wsdd. however i am getting this exception.
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/xml/security/Init at org.apache.ws.security.WSSConfig.staticInit(WSSConfig.java:271) at org.apache.ws.security.WSSConfig.<init>(WSSConfig.java:296) at org.apache.ws.security.WSSConfig.getNewInstance(WSSConfig.java:305) at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:93) at org.apache.ws.axis.security.WSDoAllSender.invoke(WSDoAllSender.java:168) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127) at org.apache.axis.client.Call.invokeEngine(Call.java:2784) at org.apache.axis.client.Call.invoke(Call.java:2767) at org.apache.axis.client.Call.invoke(Call.java:2443) at org.apache.axis.client.Call.invoke(Call.java:2366) at org.apache.axis.client.Call.invoke(Call.java:1812) at com.copart.c2.buyer.schemas.LotsSoap11Stub.auctionItems(LotsSoap11Stub.java:270) at com.copart.c2.buyer.schemas.AuctionItemsFetcher.getAuctionItemsList(AuctionItemsFetcher.java:41) at com.copart.c2.buyer.schemas.AuctionItemsFetcher.main(AuctionItemsFetcher.java:53) Caused by: java.lang.ClassNotFoundException: org.apache.xml.security.Init at java.net.URLClassLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClassInternal(Unknown Source) ... 17 more . I have downloaded wss4j-1.5.7.jar and kept it in lib folder. am i supposed to get any other libraries?

I have downloaded wss4j-1.5.7.jar and kept it in lib folder. am i supposed to get any other libraries?

Yes, you need the "other jars" that can be downloaded in the same place as WSS4J itself.

I added xmlsec.jar and the control is going to PWCallbackClient . I observed that callbacks[] is picking username from client_deploy.wsdd. but i can't make list of all valid users in wsdd. so how would i just pass in these username and password wihtout actually checking against callbacks[] array.
here is my PWCallbackClient for reference.
public class PWCallbackClient implements CallbackHandler { // the username and password to use for authentication private String user = "205804"; private String pwd = "happy"; public void handle (Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof WSPasswordCallback) { WSPasswordCallback pc = (WSPasswordCallback) callbacks[i]; if (user.equals(pc.getIdentifer())) { pc.setPassword(pwd); } } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } }

I tried taking off username field from wsdd and it gives an exception saying that it is a mandatory field. Is there any work around such that i donot have to hard code usernames here in wsdd?

I observed that callbacks[] is picking username from client_deploy.wsdd.

I've no idea what you mean by this - the username is not part of any WSDD file; what are you referring to?

You need to alter the Java code so it accesses your user repository (maybe LDAP or a DB) and retrieves a list of the allowed users and their passwords, and then checks those against the username sent by the client in "pc.getIdentifer()".

Hi Ulf
I am referring to username given in wsdd configuration. Please have a look at my client_deploy.wsdd below. i highlighted user element.
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/> <globalConfiguration > <requestFlow > <handler type="java:org.apache.ws.axis.security.WSDoAllSender" > <parameter name="timeToLive" value="60"/> <parameter name="action" value="UsernameToken"/> [b]<parameter name="user" value="205804"></parameter>[/b] <parameter name="passwordCallbackClass" value="com.copart.c2.buyer.schemas.PWCallbackClient"/> <parameter name="passwordType" value="PasswordDigest"/> </handler> </requestFlow> </globalConfiguration> </deployment>


Webservice authentication check is done on serverside(called webservice). I am trying to access that webservice by writing client implementation. Since webservice requires username and password to be sent using digest, I am trying to send those username and password values in soap header. i came across this article. followed steps given there for "Configuring the Client". My requirement is to be able to access a webservice which requires username and password being sent using digest authentication. I will have username and password being passed and available in my client application. But i donot have access to LDAP in which i can validate whether this username is valid or not in my client application.

Hi Ulf,

Here is how soap request is sent using client_deploy.wsdd and PWCallBackClient.
<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1"> <wsse:Username>205804</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">****</wsse:Password> <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dCMkJfJURpinTjfDXLMrkg==</wsse:Nonce> <wsu:Created>2009-10-13T18:12:25.851Z</wsu:Created> </wsse:UsernameToken> </wsse:Security> </soapenv:Header> <soapenv:Body> <auctionItemsRequest xmlns="http://www.copart.com/c2/buyer/schemas"> <type>F|V</type> </auctionItemsRequest> </soapenv:Body> </soapenv:Envelope>

username being sent is same as user given in client_deply.wsdd.

I am able to call webservice if i give username in client_deploy.wsdd. but i will not know before hand about all users.username and password are being passed from JavaFx front end.

I tried to follow alternate step given here.

Another way to do this is to have the client application set the username and CallbackHandler implementation programmatically instead of client_deploy.wsdd:

...
import org.apache.axis.client.Stub;
...

Remote remote = locator.getPort(StockQuoteService.class);
Stub axisPort = (Stub)remote;
axisPort._setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PASSWORD_DIGEST);
axisPort._setProperty(WSHandlerConstants.USER, "wss4j");
axisPort._setProperty(WSHandlerConstants.PW_CALLBACK_REF, pwCallback);

but it is still calling pwCallBack.

Ah, you're talking about the client now, not the server. This thread talks about two different approaches you could take, one using an OutflowConfiguration object, and one using a policy based configuration.

Hi Ulf
I did go through tutorial. according to what i understood, even the server side configuration need to use policy based configuration. that is, i should change web services(server side) athentication as well?

Not sure, I haven't used policy-based security. I guess if you check out the Rampart policy sample mentioned in that thread, it should become clear what's involved.