
WSDL security policy username & password authentication

 
Rithanya Laxmi
Ranch Hand
Posts: 191
Hi,

I am creating WS policies in WSDL for username & password authentication; below is what I am using:

<wsdl:service name="echoService">
  <wsdl:port name="echoPort" binding="tns:echoBinding">
    <soap:address location="http://pponnala-tecra-xp.stc.com:18181/echoService/echoPort"/>
    <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
  </wsdl:port>
</wsdl:service>

<wsp:Policy wsu:Id="HttpBasicAuthBindingBindingPolicy">
  <mysp:MustSupportBasicAuthentication on="true">
    <mysp:BasicAuthenticationDetail>
      <mysp:WssTokenCompare/>
    </mysp:BasicAuthenticationDetail>
  </mysp:MustSupportBasicAuthentication>
  <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
      <sp:WssUsernameToken10>bobby</sp:WssUsernameToken10>
      <sp:WssPassword>${pass_token}</sp:WssPassword>
    </wsp:Policy>
  </mysp:UsernameToken>
</wsp:Policy>

--------------------------------------------------------------------------------
Here I need to pass the <Wsspassword> in the respective placeholder from the application. How can we pass the respective password to the <sp:WssPassword>${pass_token}</sp:WssPassword>? I have hardcoded it with some valid password, but it is not working. What am I doing wrong here? Is there any way we can validate the authentication in a better way in WSDL? Also clarify how we can pass the password in the respective pass_token placeholder. Please clarify.

Thanks.
 
Ulf Dittmer
Rancher
Posts: 42972
I am fairly certain that you can't define the username and password to be used in the WS-Policy. The policy merely states whether or not a username and/or password needs to be used. The specifics of how to pass the actual credentials are determined by the SOAP stack you're using and its WS-Security implementation.

Please BeForthrightWhenCrossPostingToOtherSites: https://forums.oracle.com/thread/2559597
 
Rithanya Laxmi
Ranch Hand
Posts: 191
Thanks. How do we need to go about it? Can't we define the username and password to be used in the WS-Policy? I am getting the username & password from the SOAP header using the below:

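// HTTP_REQUEST_HEADERS maps each HTTP header name to its list of values
Map<String, List<String>> map = (Map<String, List<String>>) msgctxt.get(MessageContext.HTTP_REQUEST_HEADERS);
List<String> username = map.get("Username");
List<String> password = map.get("Password");
System.out.println(username.get(0));
System.out.println(password.get(0));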

How can we set the password in the .wsdl file for the respective <sp:WssPassword>${pass_token}</sp:WssPassword>?

Please clarify.

 
Ulf Dittmer
Rancher
Posts: 42972
As I mentioned before, the WS-Policy (and thus the WSDL) do not contain the username or password.

And more importantly, WS-Policy is used for specifying username tokens as implemented by WS-Security, whereas your code seems to want to read username and password from HTTP headers. That's something entirely different, and, from the looks of it, completely nonstandard. It's certainly not how WS-Security (and thus WS-Policy) work.

Where did you get the idea that you could use usernames and passwords like that?
 
Rithanya Laxmi
Ranch Hand
Posts: 191
Thanks. Below is the URL I was going through:-

http://docs.oracle.com/cd/E19182-01/821-0015/ghlia/index.html

How can we go about it to get the username & password? I was thinking to include a UI which prompts the user to enter the uname/password, that will be set in the HTTP headers to be used for any transaction? If you don't want to go with that idea, is there a better way to get the uname/pwd without that being explicitly set in the HTTP headers? Is there any alternative to it? Please clarify.

 
Ulf Dittmer
Rancher
Posts: 42972
Not sure, I suggest you work through that tutorial from the start. It contains various things and dependencies that are not standard (GlassFish, NetBeans, "Access manager" - whatever that is, etc.), so it's hard to make sense of it.
 
Kesava Krishna
Ranch Hand
Posts: 44
Hi Laxmi,

Before I suggest a better approach, I want some light on the below items.
1) Are you planning to apply message level security?
2) If not, do you want to transport username and password over the message?

Based on your confirmation I can suggest you better.

Thanks,
Kesava
 
Rithanya Laxmi
Ranch Hand
Posts: 191
Thanks Kesava.

I want to do the below:-

"2) If not, do you want to transport username and password over the message?"

How can we go about it to get the username & password? I was thinking to include a UI which prompts the user to enter the uname/password, that will be set in the HTTP headers to be used for any transaction? If you don't want to go with that idea, is there a better way to get the uname/pwd without that being explicitly set in the HTTP headers? Is there any alternative to it? Please clarify.

 
Kesava Krishna
Ranch Hand
Posts: 44
Hi Laxmi,

One way is to put the username and password in SOAP headers. I understand you want to place the username and pwd in HTTP headers, carry them across the transactions, and retrieve them using request.getHeaders(). But since you want to transport the credentials as part of the web service call to the service provider, you need to attach them in the SOAP header as opposed to the HTTP header.
If you use SoapUI, you should see them appended in the <soap:header> part.

Thanks,
Kesava.
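
What the reply above describes, as an added example (not code from this thread or from any SOAP stack): a constructed request carrying a WS-Security UsernameToken in the SOAP header, and a JDK-only reader for it. The class name, `readToken`, and the sample password are assumptions made for illustration; a WS-Security implementation normally does this parsing and the validation for you.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample request: the credentials travel in the SOAP header,
    // inside wsse:Security, not in the WSDL/policy and not in HTTP headers.
    static final String SAMPLE =
        "<soap:Envelope xmlns:soap='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
      + "<soap:Header><wsse:Security><wsse:UsernameToken>"
      + "<wsse:Username>bobby</wsse:Username>"
      + "<wsse:Password>example-only</wsse:Password>"
      + "</wsse:UsernameToken></wsse:Security></soap:Header>"
      + "<soap:Body/></soap:Envelope>";

    /** Returns {username, password} from the header's UsernameToken, or null if absent. */
    static String[] readToken(String envelope) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPEs so an untrusted request cannot trigger XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));
        NodeList headers = doc.getElementsByTagNameNS(SOAP, "Header");
        // Accept only a Header that is a direct child of the Envelope.
        if (headers.getLength() == 0
                || headers.item(0).getParentNode() != doc.getDocumentElement()) return null;
        NodeList tokens = ((Element) headers.item(0)).getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return null;   // missing or ambiguous
        Element token = (Element) tokens.item(0);
        NodeList user = token.getElementsByTagNameNS(WSSE, "Username");
        NodeList pass = token.getElementsByTagNameNS(WSSE, "Password");
        if (user.getLength() != 1 || pass.getLength() != 1) return null;
        return new String[] { user.item(0).getTextContent(), pass.item(0).getTextContent() };
    }

    public static void main(String[] args) throws Exception {
        String[] token = readToken(SAMPLE);
        // Log the username only; never print the password.
        System.out.println(token == null ? "no UsernameToken" : "user=" + token[0]);
    }
}
```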
 
Ulf Dittmer
Rancher
Posts: 42972
Kesava Krishna wrote: But since you want to transport the credentials as part of web service call to the service provider you need to attach them in soap header as opposed to http header.

While I'm all in favor of using SOAP mechanisms (like WS-Security), this seems a very fine distinction to make. The HTTP headers are also part of the call, and available in an HTTP-based SOAP engine such as we're talking about.
 