
WebLogic is intercepting credentials passed to webservice

 
Dorte Skriver
Greenhorn
Posts: 7
Hi all - hope someone can help me.

I have deployed a webservice with a custom AuthenticationHandler:


When I deploy it on resin or WebSphere, everything works fine, but when I deploy it on WebLogic, I always get a (401) Authorization Required.

WebLogic somehow "bypasses" my custom authentication implementation, when I provide credentials.

If I don't provide any credentials, I actually hit my custom authentication handler, but if I do provide credentials, it seems that WebLogic intercepts the call and tries to authenticate the provided user, which fails (as it should), and my implementation is never called.

So basically my question is: how do I stop WebLogic from trying to "take over" authentication?

Sincerely,
Dorique
 
Deepak Bala
Bartender
Posts: 6663
Can you provide some more details? Is the URL that you are trying to hit protected by WL for some reason? Do you have a URL pattern mapping that is protected by a security role?
 
Dorte Skriver
Greenhorn
Posts: 7
All security is default, i.e. only DD (and there is no security conf in web.xml), no url-mappings or anything.
Only the default "myrealm" security realm.

 
Roger Brillant
Greenhorn
Posts: 1
(I know this is a somewhat aging thread but in case this is of use to anyone else...)

If your custom authentication is using HTTP basic authentication, this is most likely your problem:

The default behavior of WebLogic is to intercept HTTP basic authentication headers and handle them itself, even if no security is configured for the application. To switch this behavior off, add this line

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

in the <security-configuration> section of the config.xml file for your WebLogic domain.

Ref: http://www.weblogicspecialist.com/sites/weblogicspecialist.nsf/docs/Setting%20the%20enforce-valid-basic-auth-credentials%20Flag
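
An added example, not part of the original posts and not WebLogic tooling: a Python check that reads a domain config.xml and reports whether the flag described above is in effect, and whether it was placed outside <security-configuration>. The sample documents are constructed, and reporting any value other than false as "enforced" is an assumption.

```python
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"

def local(tag):
    """Drop the XML namespace so the check does not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]

def basic_auth_interception(config_xml):
    """Return (enforced, reason) for a domain config.xml passed as a string."""
    root = ET.fromstring(config_xml)
    sections = [e for e in root.iter() if local(e.tag) == "security-configuration"]
    if not sections:
        return True, "no <security-configuration> section; default applies"
    for section in sections:
        for child in section:
            if local(child.tag) == FLAG:
                value = (child.text or "").strip().lower()
                if value == "false":
                    return False, "flag explicitly set to false"
                # Assumption: anything other than "false" is reported as enforced.
                return True, f"flag present with value {value!r}"
    return True, "flag absent; default applies"

def misplaced_flags(config_xml):
    """List parent elements holding the flag outside <security-configuration>."""
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    return [local(parents[e].tag) for e in root.iter()
            if local(e.tag) == FLAG
            and local(parents[e].tag) != "security-configuration"]

# Constructed sample documents (not taken from a real domain).
NS = 'xmlns="http://xmlns.oracle.com/weblogic/domain"'
SAMPLE_DISABLED = f"""<domain {NS}><name>demo</name><security-configuration>
  <name>demo</name>
  <{FLAG}>false</{FLAG}>
</security-configuration></domain>"""
SAMPLE_DEFAULT = f"""<domain {NS}><security-configuration>
  <name>demo</name></security-configuration></domain>"""
SAMPLE_MISPLACED = f"""<domain {NS}><security-configuration>
  <name>demo</name></security-configuration>
  <server><name>AdminServer</name><{FLAG}>false</{FLAG}></server></domain>"""

if __name__ == "__main__":
    for label, doc in [("disabled", SAMPLE_DISABLED), ("default", SAMPLE_DEFAULT),
                       ("misplaced", SAMPLE_MISPLACED)]:
        print(label, basic_auth_interception(doc), misplaced_flags(doc))
```

When the check reports the flag as false, basic authentication headers reach the application unvalidated by the container, so the application's own handler is the only check on them.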
 