Win a copy of Rust Web Development this week in the Other Languages forum!

Alan Richardson

Greenhorn
+ Follow
since Mar 05, 2007
Cows and Likes
Cows
Total received
0
In last 30 days
0
Total given
0
Likes
Total received
1
Received in last 30 days
0
Total given
0
Given in last 30 days
0
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Alan Richardson

Hello all,

In need to encrypt the body of SOAP messages on a service. I'm using Axis2 so therefore I'm working through some of the Rampart examples to try and understand how it can be applied in Axis.

Sample 03 is perhaps the closest to what I want to do, so I'm focusing on that. However I can't seem to get it to work correctly. As I understand it the message sent to the service should have an encrypted body, correct? (the RecipientToken has a X509Token, and <body/> is specified in the encryptedParts element).

The readme/policy files are here: https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample03/

The security header is included in the message, the service is invoked and no errors are thrown *but* I'm not seeing an encrypted body in SOAP Monitor and I'm not sure why. Any ideas what might be going on here?

Here is the request message (how I'm seeing it in SOAP Monitor) (I've cut the <CipherValue> short to make it more readable):




This is how I'm invoking the service:



[ September 11, 2007: Message edited by: Alan Sunley ]
[ September 11, 2007: Message edited by: Alan Sunley ]
14 years ago
A few questions, if I may:

If I define protected areas in the web.xml, does that mean I have to implement a login-config as well? i.e a FORM login.

Using JAAS in a servlet, like I originally did, is that not considered 'container-based authentication'? (and therefore I'm not able to call isUserInRole()? ).


I'm thinking that my best approach at the moment is to go with my original JAAS servlet and, if the user is authenticated, store the Subject as a session attribute. Then attach a filter to the servlets that access 'protected' areas, which checks the session subject attribute for the required role. (most access to protected resources in my webapp is through servlets, rather than direct url links).

Would that be bad practice though?
14 years ago
I'm using Tomcat 5.5 and have a JAASRealm set in META-INF/context.xml:



If the JAASRealm is being used I don't understand why isUserInRole() won't work.
[ September 09, 2007: Message edited by: Alan Sunley ]
14 years ago
Thanks Rahul,

Yes, I've defined a protected resource in web.xml. I've experimented with FORM based login and it works, that is isUserInRole() and getUserPrincipal() works as it should.

The thing is, in the web application rather than trying to access a protected resource directly, via a url link, a user first goes to a login page to access the resource - the servlet authenticates the user then forwards to the appropriate url, at least that's how I want it to work (I can access the forwarded page, but trying to access other pages in the protected area fails). With FORM I can't access the login page directly.
14 years ago
Hello all,

I'm attempting to perform a JAAS login via a servlet. I'm not using a FORM based login, but I'm passing the username and password as request parameters. I'm going off examples in the Java Servlet & JSP Cookbook, but here is a code snippet:



The authentication works and my custom LoginModule class sets separate User and Role Principals in the Subject, however it doesn't seem to be maintained in the session - when I try to access other pages in the protected resource it won't let me. Calling request.isUserInRole(), getUserPrincipal() returns false and null, respectively.

Is there a session attribute I have to manually set when authentication succeeds, for this to work? Or shouldn't JAAS do that automatically?
14 years ago
Hi folks,

I'm using a proxy to allow an Ajax web application to send SOAP requests to an external server. At the moment I'm using a simple JSP scriptlet to forward the requests but I'm experiencing an odd problem � if I run the web server within the Eclipse IDE ( using a Tomcat runtime) it functions, I can send the request and a response from the external webserver is eventually received back to Ajax web app. However although it works I do receive the following output to the console:



Now if I run application in a standalone Tomcat server (not in eclipse ), then I'm hit with the following error:

java.io.IOException: Server returned HTTP response code: 500 for URL: http://webhost:8085/axis2/services/UserService

Yet the web service works fine in the first instance ( in Eclipse ).

I'm honestly stumped, any insight into what I may be doing wrong here would be greatly appreciated.

This is the proxy code I'm using:


[ April 04, 2008: Message edited by: Alan Sunley ]
14 years ago
JSP
I've been experimenting with the RPCServiceClient above and find that I can successfully invoke the service from a java application, but not from within a Tomcat webapp.

It doesn't like that I pass a filled Object array containing the webservice method arguments.



However I can pass an empty Object array ( Object[] operationArguments = new Object[] { }; ) without problem. Not particularly useful since I do need to pass arguments.

Are there any know issues invoking a service this way?


Full error trace:

14 years ago
I'm attempting to use the following (based on the example 11 provided with Rampart 1.1), with no joy.






I receive the following error:
java.lang.NullPointerException at com.ctc.wstx.sw.BaseNsStreamWriter.doWriteDefaultNs(BaseNsStreamWriter.java:528)

I can't find much information about this, although I'm actually receiving the same error when sending non-authenticated messages, so the problem may not be related directly to Rampart. (I originally had Axis2-1.2 running but I had to roll back to Axis2-1.1.1 due to Rampart compatibility).

Any ideas?

[ May 21, 2007: Message edited by: Alan Sunley ]
[ May 21, 2007: Message edited by: Alan Sunley ]
14 years ago
I have a front-end website which consumes the services so when a user inputs a username and password it is saved in a session bean and bundled with each request. Hence the 'user.getUserName()' from the snippet of code above.

Might there be a way of using descriptors for multiple users?
14 years ago
Hi folks,

Does anyone know how to set up handlers and apply a username/password header to a SOAP message using an Axis2 based client?

For instance in Axis 1 I can do the following:



Is it possible to do something similar with the Axis2 / Rampart API? I can only find examples that retrieve the username/password information from XML based descriptors.
14 years ago
Thanks Ben

The referer variable is exactly what I need
14 years ago
JSP
Hi folks,

This seems to be a relatively simple problem but being somewhat new to JSP I'm not sure how this is typically handled.

Basically is there a way in JSP to return to the previous page (rather than using Javascript)? I want to place 'Back' buttons on pages, and more importantly I have an error-handling page, which in some circumstances I would like to return the user to the page they were previously viewing.
14 years ago
JSP
There is a SAAJ example supplied with Axis which constructs a SOAPMessage and passes it to the call method. However I need to implement authentication I'm not sure how I would handle the security headers this way, would it mean implementing it by hand?

Presumably the code below is adding an attachment, but the same problem occurs.


[ March 09, 2007: Message edited by: Alan Sunley ]
14 years ago
Hi again. I have hit a problem with the web service I am creating. I need to invoke a method which includes as a parameter a PDF file. Below is the code I'm using to send the file, and I can send small files (largest I have sent is 12kb), but beyond that file size I get 'java.lang.ArrayIndexOutOfBoundsException: 8192', meaning the end-of-file cannot be reached. Any ideas of what the limiting factor is here, and any possible solution?


14 years ago
Looking at the deployment descriptor, would that mean I need to know which users will access the service as you have defined a user, or have I misunderstood how that works? I'm also still not sure how to define a non- WS-sec handler. I'm still wearing my rookie badge as you may tell.

On reflection I think it would be best to authenticate each message because, as you say it is a better security practice, although I also don't want to leave my understanding of this issue unresolved.
14 years ago