Here's the main code in my handler, which extends BasicHandler:

            String username = messageContext.getUsername();

            if(StringUtils.isBlank(username))
            {
                LOGGER.debug ("Request provides no credentials.");
                throw new AxisFault( "Server.Unauthenticated",
                    Messages.getMessage("cantAuth00", username),
                    null, null );
            }

            Criteria criteria = session.createCriteria(User.class);

            criteria.add(Restrictions.eq("loginId", username));
            String hashedPassword = User.hashPassword (messageContext.getPassword());
            criteria.add(Restrictions.eq("passwordHash", hashedPassword));

            User user = (User)criteria.uniqueResult();

            if(user != null)
            {
                Hibernate.initialize(user.getClientHiers());
                Hibernate.initialize(user.getFeatures());
                Hibernate.initialize(user.getRoles());
                messageContext.setProperty (MessageContext.AUTHUSER, user);
                LOGGER.debug("Credentials authenticated.");
            }
            else
            {
                LOGGER.debug("Credentials not authenticated.");
                throw new AxisFault( "Server.Unauthenticated",
                                     Messages.getMessage("cantAuth01", username),
                                     null, null );
            }


On 4/28/06, Kevin O'Rourke <[EMAIL PROTECTED]> wrote:
I tried just issuing a fault, but that seemed to send a SOAP Fault back
to the client rather than sending a 401.  Maybe I need to send a
particular fault code?

By the way, I'm using Axis 1.3.

I've got it working just now in what seems like a bit of a hack,
modifying HttpAuthHandler to send a 401 if the username and password are
missing:
String tmp =
    (String)msgContext.getProperty(HTTPConstants.HEADER_AUTHORIZATION);
if ( tmp != null ) tmp = tmp.trim();
if ( tmp != null && tmp.startsWith("Basic ") ) {
...
} else {
        HttpServletResponse response =
            (HttpServletResponse)msgContext.getProperty(
                HTTPConstants.MC_HTTP_SERVLETRESPONSE );
        response.addHeader("WWW-Authenticate",
            "Basic realm=\"NtiAuth\"");
        try {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (IOException e) {
                throw AxisFault.makeFault(e);
        }
}

I'm using an underlying Servlet method to send the error, is this
allowed from an Axis web service?  It seems to work but I'm worried that
it may cause mysterious bad things to happen.

Kevin.

Rich Rodriguez wrote:
> My authentication handler is just a modified version of the
> SimpleAuthenticationHandler that ships with Axis to hit my user table.
> To be honest, I'm not totally clear on the interaction between that
> handler and the HttpAuthHandler. My auth handler issues a fault if the
> user and password are not in the context, and Axis issues a 401 to the
> client.
>
> On 4/28/06, *Kevin O'Rourke* <[EMAIL PROTECTED]> wrote:
>
>     Thanks for the information.  Just to be sure I understand:
>     - you have written your own AuthenticationHandler class and added it as
>     a handler in server-config.wsdd
>     - you have added the HTTPAuthHandler to the "http" transport flow in
>     server-config.wsdd
>     - in your services' .wsdd file you have added the "Authenticate" handler
>     to the request flow.
>
>     Is that correct?
>
>     So it looks like I need to write my own handler class to send back a
>     401 error to the client if no username and password are supplied.
>
>     I would have expected that functionality to be part of the
>     HTTPAuthHandler, seeing as it's a part of HTTP/Basic authentication.
>
>     Rich Rodriguez wrote:
>     > The auth handler I have is defined outside the service as:
>     >
>     >     <handler name="Authenticate" type="java:my.custom.AuthenticationHandler"/>
>     >
>     > The transport request flow is defined as:
>     >
>     >        <requestFlow>
>     >             <handler type="URLMapper"/>
>     >             <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
>     >         </requestFlow>
>     >
>     > And each service has a request flow of:
>     >
>     >         <requestFlow>
>     >            <handler type="Authenticate"/>
>     >         </requestFlow>
>     >
>     >
>     > On 4/27/06, *Kevin O'Rourke* <[EMAIL PROTECTED]> wrote:
>     >
>     >     I'm trying to do authentication for my Axis web service using
>     >     HTTP/Basic over SSL, as this seemed to be the easiest option.  The
>     >     client is written in Visual Basic .Net 2005.
>     >
>     >     I've added the HTTPAuthHandler to my WSDD file:
>     >     ...
>     >     <service name="NtiAuth" provider="java:RPC">
>     >       <requestFlow>
>     >         <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
>     >         <handler type="soapmonitor"/>
>     >       </requestFlow>
>     >       <responseFlow>
>     >         <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
>     >         <handler type="soapmonitor"/>
>     >       </responseFlow>
>     >     ...
>     >
>     >     However no authentication is happening.  The VB.Net client seems to be
>     >     waiting for a "401 WWW-Authenticate Basic" error from the server, to
>     >     indicate that the server wants authentication.  Axis isn't sending a
>     >     401 but is instead just happily giving me a null username and password.
>     >
>     >     Does anyone know how I can persuade Axis to send back a 401 error?
>     >
>     >     Kevin
>     >
>     >
>
>
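
The decision discussed in this thread (answer 401 with a `WWW-Authenticate: Basic` challenge when no usable credentials arrive, otherwise hand the username and password on), as an added example that is not code from the thread or from Axis. It uses only the JDK (Java 8+); the class, method and field names are hypothetical, and the sample headers are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: choose between a 401 challenge and parsed HTTP Basic credentials. */
public class BasicAuthChallenge {

    /** Realm value taken from the thread; sent with the 401 status. */
    static final String CHALLENGE = "Basic realm=\"NtiAuth\"";

    static final class Result {
        final boolean needsChallenge;   // true: reply 401 + WWW-Authenticate
        final String username;
        final String password;
        Result(boolean needsChallenge, String username, String password) {
            this.needsChallenge = needsChallenge;
            this.username = username;
            this.password = password;
        }
    }

    static Result challenge() { return new Result(true, null, null); }

    static Result parse(String authorizationHeader) {
        if (authorizationHeader == null) return challenge();
        String h = authorizationHeader.trim();
        // The scheme name is matched case-insensitively (RFC 7617).
        if (h.length() < 6 || !h.regionMatches(true, 0, "Basic ", 0, 6)) return challenge();
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(h.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return challenge();             // malformed base64: treat as no credentials
        }
        int colon = decoded.indexOf(':');   // split on the first colon; passwords may contain ':'
        if (colon <= 0) return challenge(); // no separator, or empty username
        return new Result(false, decoded.substring(0, colon), decoded.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample headers; "dXNlcjpwYTpzcw==" is base64 of "user:pa:ss".
        String[] samples = { null, "Bearer abc", "Basic !!!", "basic dXNlcjpwYTpzcw==" };
        for (String s : samples) {
            Result r = parse(s);
            System.out.println(s + " -> " + (r.needsChallenge
                ? "401, WWW-Authenticate: " + CHALLENGE
                : "credentials for user=" + r.username));   // never log the password
        }
    }
}
```

A parsed result only means credentials were supplied; verifying them against the user store is a separate step, and a failed verification should get the same 401 challenge.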

