Karl is right.
The majority of architects would design a solution which would authenticate at the
initial entry point, either
1) the webserver or
2) the customer-facing servlet (which would implement the NTLM provider with
HttpClient...)
BUT:
Let's say you're a Scandinavian mobile phone manufacturer and you want to open
up a direct SOAP interface for your high-profile clients (e.g. BestBuy and/or
Staples).
You can achieve a secure SOAP service with the rahas and rampart Axis modules.
Here is a sample service configuration that comes with the Rampart security module
(named s5-services.xml):
<service name="SecureService">
  <module ref="rampart"/>
  <module ref="rahas"/>
  <parameter locked="false" name="ServiceClass">org.apache.rahas.Service</parameter>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
    <actionMapping>urn:echo</actionMapping>
  </operation>
  <parameter name="saml-issuer-config">
    <!-- start NTLM specific -->
    <saml-issuer-config>
      <issuerName>Test_STS</issuerName>
      <issuerKeyAlias>ip</issuerKeyAlias>
      <issuerKeyPassword>password</issuerKeyPassword>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
          <property name="org.apache.ws.security.crypto.merlin.file">rahas-sts.jks</property>
          <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property>
        </crypto>
      </cryptoProperties>
      <timeToLive>300000</timeToLive>
      <keySize>256</keySize>
      <addRequestedAttachedRef />
      <addRequestedUnattachedRef />
      <!-- code a new Java class which would implement SAMLCallbackHandler and
           implement NTLM auth -->
      <dataCallbackHandlerClass>org.apache.rahas.SAMLDataProvider</dataCallbackHandlerClass>
      <!--
        Key computation mechanism
        1 - Use Request Entropy
        2 - Provide Entropy
        3 - Use Own Key
      -->
      <keyComputation>2</keyComputation>
      <!--
        proofKeyType element is valid only if the keyComputation is set
        to 3, i.e. Use Own Key
        Valid values are: EncryptedKey & BinarySecret
      -->
      <proofKeyType>BinarySecret</proofKeyType>
      <trusted-services>
        <service alias="bob">http://localhost:5555/axis2/services/SecureService</service>
        <service alias="bob1">http://localhost:5555/axis2/services/SecureService1</service>
        <service alias="bob2">http://localhost:5555/axis2/services/SecureService2</service>
        <service alias="bob3">http://localhost:5555/axis2/services/SecureService3</service>
        <!-- you can change the port number, but you will need to update the
             following server and client files, which hardcode it:
             .\src\main\java\org\apache\axis2\integration\UtilServer.java
             .\src\main\java\org\apache\axis2\integration\UtilsTCPServer.java
             .\src\main\java\org\apache\rahas\TestClient.java
        -->
      </trusted-services>
    </saml-issuer-config>
  </parameter>
  <parameter name="InflowSecurity">
    <action>
      <items>UsernameToken Timestamp</items>
      <!-- custom callback class implements
           javax.security.auth.callback.CallbackHandler for incoming requests -->
      <passwordCallbackClass xmlns="">org.apache.rahas.PWCallback</passwordCallbackClass>
    </action>
  </parameter>
  <parameter name="OutflowSecurity">
    <action>
      <items>Timestamp</items>
      <user>ip</user>
      <!-- custom callback class implements
           javax.security.auth.callback.CallbackHandler for outgoing responses -->
      <passwordCallbackClass xmlns="">org.apache.rahas.PWCallback</passwordCallbackClass>
      <enableSignatureConfirmation>false</enableSignatureConfirmation>
    </action>
  </parameter>
</service>
More information on implementing custom security providers in Rampart is available
at
http://axis.apache.org/axis2/java/rampart/
Good luck!
Martin
______________________________________________
Disclaimer and confidentiality notice
This message is confidential. If you are not the intended recipient, we kindly
ask you to notify us. Any unauthorised forwarding or copying is not permitted.
This message serves only for the exchange of information and has no legally
binding effect. Because e-mails can easily be manipulated, we cannot accept
liability for their content.
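As an added example (not code from the message above and not the org.apache.rahas.PWCallback sample that ships with Rampart), here is a minimal handler for the passwordCallbackClass slot in the InflowSecurity and OutflowSecurity actions. Rampart/WSS4J calls it with WSPasswordCallback objects; the handler's job is to supply the secret for the identifier WSS4J asks about, and WSS4J itself performs the comparison for UsernameToken and uses the value to unlock the "ip" key alias for signing. The package name and the "bob" client credential are constructed for illustration, and the code assumes the WSS4J 1.6 API that Rampart 1.6.x (matching the Axis2 1.6.2 in this thread) is built against.

```java
package com.example.rampart; // hypothetical package; point passwordCallbackClass here

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for Rampart's InflowSecurity/OutflowSecurity actions.
 *
 * Inflow (UsernameToken): WSS4J hands us the username from the token; we set
 * the expected password and WSS4J compares it (digest or plaintext).
 * Outflow (Timestamp + signature with user "ip"): WSS4J asks for the keystore
 * entry password of alias "ip" so it can load the private key.
 */
public class PWCallback implements CallbackHandler {

    // Constructed sample secrets. A real deployment would resolve these from a
    // secret store or directory rather than a static map compiled into the class.
    private static final Map<String, char[]> SECRETS = new HashMap<String, char[]>();
    static {
        SECRETS.put("ip", "password".toCharArray());     // key alias from the config above
        SECRETS.put("bob", "bob-secret".toCharArray());  // constructed client credential
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN: // inbound UsernameToken verification
                case WSPasswordCallback.SIGNATURE:      // outbound signing key ("ip")
                case WSPasswordCallback.DECRYPT:        // inbound decryption key, if encryption is added
                    char[] secret = SECRETS.get(pc.getIdentifier());
                    if (secret == null) {
                        // Same exception for unknown identifier as for any other lookup
                        // failure, so a caller cannot enumerate valid usernames.
                        throw new IOException("credential lookup failed");
                    }
                    pc.setPassword(new String(secret));
                    break;
                default:
                    throw new UnsupportedCallbackException(cb,
                            "unhandled WSPasswordCallback usage " + pc.getUsage());
            }
        }
    }
}
```

With this class on the service classpath, both passwordCallbackClass elements in the configuration would name com.example.rampart.PWCallback instead of org.apache.rahas.PWCallback. The handler deliberately never compares passwords itself; leaving the comparison to WSS4J keeps the digest and nonce/created checks of the UsernameToken profile in one place.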
________________________________
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: RE: [axis2] NTLM v2 Authentication using Apache Axis2 Java Client
> Date: Fri, 1 Mar 2013 13:25:10 +0000
>
>
> The HttpComponents/HttpClient implementation of NTLM contains modern
> and tested support for this functionality. I have no idea what the
> Axis implementation is based on, but probably it is extremely old and
> out of date.
>
>
>
> Karl
>
>
>
> From: ext [email protected] [mailto:[email protected]]
> Sent: Friday, March 01, 2013 6:45 AM
> To: [email protected]; [email protected]
> Subject: [axis2] NTLM v2 Authentication using Apache Axis2 Java Client
>
>
>
> Hi All,
>
>
>
> I am using Apache Axis2 v1.6.2 for generating the web service code
> using wsdl2java utility.
>
> The web service I am trying to connect uses NTLM v2 authentication (
> using
> org.apache.axis2.transport.http.HttpTransportProperties.Authenticator
> - Authenticator.NTLM).
>
>
>
> The client code I am using always returns me back “401 – Unauthorized”
> response.
>
> I have browsed through different sites, but did not get any help.
>
> Can anybody suggest how this issue can be fixed?
>
>
>
> Thanks & Regards
>
> Ajaya Kumar Senapati
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]