
Minimal settings in web.xml to allow Authorization header to be manually processed?

 
David Karr
Greenhorn
Posts: 12
(This is reposted from the engineering-security forum, but I realized later that forum isn't as active as this one.)

I'm building an app using Apache CXF (JAX-RS), running in WebLogic 10.3.2.

I have a nice set of resource methods that work fine. I now need to implement some sort of authentication/authorization, but it will have to be managed by the application, not the container. I implemented a request handler in CXF that should allow me to look at the principal and credentials that were sent in the Authorization header. However, when I configured my test client to send a manually-constructed Authorization header (which I obtained from a tutorial on basic auth), my request got a 401 back without even getting into my application code on the server.

That tells me that I probably have to implement some of the "security"-related elements in my application's web.xml, although I just need to tell it to let everyone in, but give me the principal/credentials that were sent. I started to construct the "security-constraint" and "login-config" elements, but I'm not sure what minimal settings I need to get me past this obstacle.

I've started with the following, but I'm not sure what I need:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>myapp</web-resource-name>
        <!-- matches only the exact path /rest; sub-resources would need /rest/* -->
        <url-pattern>/rest</url-pattern>
    </web-resource-collection>
    <!-- an empty auth-constraint grants access to no role, so the container rejects every request with 401 -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>

<login-config>
    <!-- BASIC tells the container, not the application, to validate the Authorization header -->
    <auth-method>BASIC</auth-method>
</login-config>

I've tried several variations of this, but I still get an immediate 401 when I send the Authorization header.
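One way to handle the header inside the application once the container is no longer challenging the request, as an added example that is not the poster's code: a JAX-RS 2.0 ContainerRequestFilter that parses a Basic Authorization header and rejects missing, malformed or wrong credentials. It assumes a CXF version with JAX-RS 2.0 support and Java 8; the class name BasicAuthFilter, the sample credentials and the realm name are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Application-managed Basic auth: the container passes the header through untouched. */
@Provider
public class BasicAuthFilter implements ContainerRequestFilter {

    /** Returns {user, password}, or null when the header is absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null) return null;
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null; // RFC 7617 requires user-id ":" password
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Constant-time check against a hypothetical credential; swap in the real store. */
    static boolean credentialsValid(String user, String password) {
        byte[] expected = "alice:s3cret".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] given = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String[] creds = parseBasic(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (creds == null || !credentialsValid(creds[0], creds[1])) {
            // Challenge the client ourselves; no login-config is needed in web.xml for this.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"myapp\"")
                    .build());
        }
    }
}
```

Because the filter issues its own 401 and WWW-Authenticate challenge, the web.xml can omit both security-constraint and login-config for the /rest paths.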