-
1. Re: Passing username/password to webservice using from Teiid
rareddy Mar 19, 2015 8:40 AM (in response to sanjay_chaturvedi)
I know you said NT credentials, but what kind of authentication? Is it Kerberos, OAuth, SAML etc?
-
2. Re: Passing username/password to webservice using from Teiid
sanjay_chaturvedi Mar 19, 2015 10:12 AM (in response to rareddy)
Thanks for picking this up, Ramesh.
It is an internal SharePoint webservice where they have granted us access. It must be one out of Kerberos or OAuth. We have credentials to enter when hitting that service in the browser to get the result.
I can see an Authentication header in the request with some random value, but no SSO token in the request or header.
Is it providing some hint?
-
3. Re: Passing username/password to webservice using from Teiid
rareddy Mar 19, 2015 11:26 AM (in response to sanjay_chaturvedi)
Not really. What does the "Authentication" header say when you put in the password and send the login request just before the random number?
-
4. Re: Passing username/password to webservice using from Teiid
sanjay_chaturvedi Mar 19, 2015 1:07 PM (in response to rareddy)
Confirmed, the header says NTLM.
I asked and got to know that it is actually NTLM authentication, Windows integrated.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx
-
5. Re: Passing username/password to webservice using from Teiid
rareddy Mar 19, 2015 2:37 PM (in response to sanjay_chaturvedi)
Ok, there are multiple hurdles in this.
- JBoss EAP 6.x does not support NTLM, nor does Teiid provide any NTLM support.
- JBoss does support SPNEGO, which can be used for Kerberos, and Teiid supports participating in Kerberos. For negotiation you can see [1]
Also, how are you logging into Teiid? Just user, password? The flow is: the client (that logged into the domain controller) makes a connection to the Teiid server, and the Teiid server in turn needs to delegate this userid, password in a protocol-specific manner to the underlying service.
- The Teiid JDBC driver does not support NTLM, which means you cannot automatically pass the user/password from your client application. The solution here is to manually pass in the userid, password
- In JBoss EAP, you would need to write a LoginModule that understands the NTLM protocol and can talk to the domain controller based on the logged-in user's userid, password
- Then you need to extend the "ws" translator, so that it can insert the Authorization header into the request.
3 is easy, 2 is the one that needs work. You can use libraries like [2] or [3] to implement the solution. If you get a solution working, I can consider accepting it as a contribution. (I guess you guys owe at least that much.)
The alternative is to see if your company wants to expose the service with Kerberos authentication instead of NTLM, as Kerberos is preferred over NTLM anyway.
[3] ntlm-java - NTLM implementation for java - Google Project Hosting
-
6. Re: Passing username/password to webservice using from Teiid
rareddy Mar 23, 2015 1:16 PM (in response to rareddy)
-
7. Re: Passing username/password to webservice using from Teiid
rareddy Mar 23, 2015 3:02 PM (in response to sanjay_chaturvedi)
Sanjay,
Looking at [1], it indicates that Java 6 has built-in support for NTLM. There is a simple example here [2]. Another useful tip I found at [3] is
"On Microsoft Windows platforms, NTLM authentication attempts to acquire the user credentials from the system without prompting the user's authenticator object. If these credentials are not accepted by the server then the user's authenticator will be called."
But the above may only be true for HTTP invocations. [4] shows a sample for a LoginModule; something similar to that needs to be written for JBoss.
[1] Apache CXF -- Client HTTP Transport (including SSL support)
-
8. Re: Passing username/password to webservice using from Teiid
sanjay_chaturvedi Mar 25, 2015 7:16 AM (in response to rareddy)
Thanks for the reply, Ramesh.
I tried that service from the browser and found that it passes the header "Authorization" with value "NTLM <token>".
So I thought to attach this header value before making the request in the ws translator. Now here are two issues:
1. How to generate this NTLM token: I was looking at NTLM Authentication: Java Client Code | Java | MuneebAhmad.com and found that it is passing the Authorization header with value "NTLM <token>". I found this token when I ran this program in debug mode and watched the "conn" object when it starts reading the response.
I noticed:
This token is there inside the conn object, under "requests (HttpUrlConnection): MessageHeader". When I try conn.getHeaderFields it is giving me the response headers, not the request's ones. Thus I am not able to get this string, i.e. the value of the "Authorization" header.
2. Adding this token as Authorization header before calling dispatch.invoke(ds); in subclass of BinaryWSProcedureExecution in case of custom wstranslator.
I tried this:
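// Fetch the outgoing HTTP header map from the request context (it may be absent until first set)
Map<String, List<String>> httpHeaders = (Map<String, List<String>>) dispatch.getRequestContext().get(MessageContext.HTTP_REQUEST_HEADERS);
if (httpHeaders == null) {
    httpHeaders = new HashMap<String, List<String>>();
}
httpHeaders.put("Authorization", Arrays.asList("NTLM <token>"));
dispatch.getRequestContext().put(MessageContext.HTTP_REQUEST_HEADERS, httpHeaders);
dispatch.invoke(ds);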
But here I have to have the token at least to pass, or any other way to set credentials before making this call. But I am not able to generate/extract that token value.
Setting our Authenticator (as in the example) in the ws translator also didn't work.
// Register a JVM-wide default authenticator; domain, userName and password are defined elsewhere
Authenticator.setDefault(new Authenticator() {
    @Override
    public PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication(domain + "\\" + userName, password.toCharArray());
    }
});
Any idea?
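The value after "NTLM" in these headers is a base64-encoded NTLMSSP message from a three-message handshake: the client sends Type 1, the server answers with a Type 2 challenge in WWW-Authenticate, and the client's Type 3 response is computed over that challenge, so a value seen in one exchange belongs to that exchange only. The following is an added example, not code from this thread or from Teiid, that decodes such a header value to show which message it carries; the class name, helper names and sample messages are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class NtlmHeaderInspector {   // hypothetical class name
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Describes the NTLM message in an Authorization or WWW-Authenticate header value. */
    static String describe(String headerValue) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "NTLM ", 0, 5)) {
            return "not an NTLM header";
        }
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(headerValue.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return "NTLM header with invalid base64";
        }
        if (msg.length < 12 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) {
            return "NTLM header without NTLMSSP signature";
        }
        // The message type is a little-endian 32-bit integer right after the signature.
        int type = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN).getInt(8);
        switch (type) {
            case 1: return "Type 1 NEGOTIATE (client -> server, no credentials yet)";
            case 2:
                if (msg.length < 32) return "truncated Type 2 CHALLENGE";
                StringBuilder hex = new StringBuilder();
                for (int i = 24; i < 32; i++) hex.append(String.format("%02x", msg[i]));
                return "Type 2 CHALLENGE (server -> client), server challenge " + hex;
            case 3: return "Type 3 AUTHENTICATE (client -> server, bound to the challenge)";
            default: return "unknown NTLM message type " + type;
        }
    }

    /** Builds a constructed, zero-padded sample message: signature, type, optional challenge. */
    static String sample(int type, int length, byte[] challenge) {
        ByteBuffer buf = ByteBuffer.allocate(length).order(ByteOrder.LITTLE_ENDIAN);
        buf.put(SIGNATURE).putInt(type);
        if (challenge != null) { buf.position(24); buf.put(challenge); }
        return "NTLM " + Base64.getEncoder().encodeToString(buf.array());
    }

    public static void main(String[] args) {
        byte[] challenge = {0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xab, (byte) 0xcd, (byte) 0xef};
        for (String h : new String[] {sample(1, 32, null), sample(2, 48, challenge), sample(3, 64, null)}) {
            System.out.println(describe(h));
        }
    }
}
```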
-
9. Re: Passing username/password to webservice using from Teiid
rareddy Mar 25, 2015 3:57 PM (in response to sanjay_chaturvedi)
First you need a LoginModule; based on the link I gave above, use the JCIFS library and use the subject that is in the context or passed through the configuration of the login module. Once you have that, you need to use this as the "security-domain" on your "ws" resource-adapter. Then you need to figure out how to convert the subject's credential into an NTLM token in the "ws" resource-adapter, not in the translator.
-
10. Re: Passing username/password to webservice using from Teiid
sanjay_chaturvedi Apr 8, 2015 4:48 AM (in response to rareddy)
Thanks for the support. BTW, a custom ws resource adapter would not be that straightforward, as it has final inner classes.
-
11. Re: Passing username/password to webservice using from Teiid
shawkins Apr 8, 2015 8:19 AM (in response to sanjay_chaturvedi)
If you find a way to make your scenario work, then we should be able to include those changes or refactor so that an extension would be possible.
-
12. Re: Passing username/password to webservice using from Teiid
sanjay_chaturvedi Apr 16, 2015 8:41 AM (in response to shawkins)
Similarly, I guess we don't have any in build support for SSO authentication while calling a web service in Teiid?
-
13. Re: Passing username/password to webservice using from Teiid
shawkins Apr 16, 2015 12:31 PM (in response to sanjay_chaturvedi)
What do you mean by build support?
The latest versions of Teiid have been adding support for several SSO flows around Kerberos.
-
14. Re: Passing username/password to webservice using from Teiid
rareddy Apr 16, 2015 3:02 PM (in response to shawkins)
And OAuth 1.0 & OAuth 2.0