Friday, January 1, 2010

Axis2 Authentication

The servlet specification provides four authentication mechanisms for any web application, so any web services engine that receives HTTP requests through a servlet can use them. Here is how to do BASIC and DIGEST authentication with Apache Axis2 deployed under Tomcat.

The Axis2 war distribution is a standard web application. Its web.xml declares a servlet called AxisServlet, which receives the HTTP requests.

Configuring the war distribution
First, add the following to web.xml to protect the AxisServlet from anonymous access. The url-pattern covers every deployed service under /services/, and the role name must match a role defined in tomcat-users.xml:

<login-config>
    <!-- <auth-method>BASIC</auth-method> -->
    <auth-method>DIGEST</auth-method>
    <realm-name>default</realm-name>
</login-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Resource</web-resource-name>
        <url-pattern>/services/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>tomcat</role-name>
    </auth-constraint>
</security-constraint>

Then add a role named tomcat, and a user holding that role, to tomcat-users.xml (the client below logs in as that user).

Now the servlet is protected. Let's see how to provide the credentials when accessing the service. Axis2 does this with the authentication support built into Commons HttpClient.

import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;

public class AuthClient {
    public static void main(String[] args) throws Exception {
        ServiceClient serviceClient = new ServiceClient();
        serviceClient.setTargetEPR(new EndpointReference("http://localhost:8080/axis2/services/Version/getVersion"));
        serviceClient.getOptions().setAction("urn:getVersion");

        // Credentials must match a user in tomcat-users.xml that holds the role named in web.xml
        HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();
        authenticator.setUsername("tomcat");
        authenticator.setPassword("tomcat");

        // The transport answers the server's 401 challenge with these credentials
        serviceClient.getOptions().setProperty(HTTPConstants.AUTHENTICATE, authenticator);
        System.out.println(serviceClient.sendReceive(null));
    }
}

This request can be sent through tcpmon to see how the authentication works. The Axis2 client first sends a request without credentials, and Tomcat returns a 401 Unauthorized response naming the required authentication method:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Digest realm="default", qop="auth", nonce="6da725c4d901eee87d2ad49cadbac74a", opaque="37629e27fec9bfaf38063bc3ab65f12d"


After receiving this, the Axis2 client resends the request with an Authorization header carrying the authentication details.
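As an added example (not code from this post, from Axis2 or from Tomcat), here is the Digest exchange described above worked through in Python: the client computes the Authorization header from the captured WWW-Authenticate challenge, and a server-side check recomputes the response from its stored password and refuses unknown nonces and replayed nc values. The realm, nonce and opaque values are the ones from the capture above; the user table, the cnonce, and the POST method and request URI are constructed assumptions.

```python
"""Worked RFC 2617 Digest exchange: server challenge -> client Authorization -> server check."""
import hashlib
import re
import secrets

# The WWW-Authenticate challenge captured above (nonce/opaque are the server's values from that capture).
CHALLENGE = ('Digest realm="default", qop="auth", '
             'nonce="6da725c4d901eee87d2ad49cadbac74a", '
             'opaque="37629e27fec9bfaf38063bc3ab65f12d"')

# Constructed stand-in for tomcat-users.xml: the user and password the client code above uses.
USERS = {"tomcat": "tomcat"}

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; raises if the scheme is not Digest."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header: " + scheme)
    return {k: quoted if quoted else bare for k, quoted, bare in _PARAM.findall(params)}


def build_authorization(challenge, username, password, method, uri, nc=1, cnonce=None):
    """Client side: answer the challenge with an Authorization header (qop=auth only)."""
    c = parse_header(challenge)
    cnonce = cnonce or secrets.token_hex(8)   # client nonce; random in real clients
    nc_str = f"{nc:08x}"                       # request counter for this server nonce
    ha1 = _md5(f"{username}:{c['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{c['nonce']}:{nc_str}:{cnonce}:{c['qop']}:{ha2}")
    fields = [("username", username), ("realm", c["realm"]), ("nonce", c["nonce"]),
              ("uri", uri), ("qop", c["qop"]), ("nc", nc_str), ("cnonce", cnonce),
              ("response", response), ("opaque", c["opaque"])]
    # qop and nc travel unquoted, everything else quoted, as in the RFC 2617 examples
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in fields)


def verify_authorization(authorization, method, password_lookup, issued_nonces, realm="default"):
    """Server side: recompute the response from the stored password and reject replays.

    issued_nonces maps each nonce the server handed out to the highest nc accepted so far;
    a nonce that was never issued, or an nc that does not increase, is refused.
    """
    try:
        a = parse_header(authorization)
    except ValueError:
        return False
    required = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
    if not required.issubset(a) or a["realm"] != realm:
        return False
    last_nc = issued_nonces.get(a["nonce"])
    if last_nc is None:
        return False                           # stale or never-issued nonce
    try:
        nc = int(a["nc"], 16)
    except ValueError:
        return False
    if nc <= last_nc:
        return False                           # replayed (or out-of-order) request
    password = password_lookup(a["username"])
    if password is None:
        return False
    ha1 = _md5(f"{a['username']}:{a['realm']}:{password}")
    ha2 = _md5(f"{method}:{a['uri']}")         # binds the proof to this method and URI
    expected = _md5(f"{ha1}:{a['nonce']}:{a['nc']}:{a['cnonce']}:{a['qop']}:{ha2}")
    if not secrets.compare_digest(expected, a["response"]):
        return False
    issued_nonces[a["nonce"]] = nc
    return True


if __name__ == "__main__":
    nonce = parse_header(CHALLENGE)["nonce"]
    issued = {nonce: 0}
    header = build_authorization(CHALLENGE, "tomcat", "tomcat", "POST",
                                 "/axis2/services/Version/getVersion")
    print(header)
    print("accepted:", verify_authorization(header, "POST", USERS.get, issued))
    print("replay accepted:", verify_authorization(header, "POST", USERS.get, issued))
```

Running it prints the second request's Authorization header, then True for the first verification and False for the replay. The header never carries the password, only an MD5 over username, realm, password, nonces and the method/URI, which is the difference from BASIC, where the credentials go over the wire base64-encoded. The server still needs the plaintext password (or the precomputed HA1) to check the response, and MD5-based Digest offers no confidentiality for the message body, so in either mode the service should be reachable only over TLS.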

2 comments:

Anonymous said...

Hello Amila
I have a problem with setting up the Axis2 client: how to use one Axis2 client with different authentication parameters?

I have posted it at
http://old.nabble.com/axis2-client-how-to-disable-cache--td27772148.html#a27780590

If you have some free minutes, please read it.

Anonymous said...

Amila, how would one go about accessing the login name used with basic auth from a web service operation?

thanks.