3 Replies Latest reply on Dec 4, 2006 11:22 AM by marcelvanvelzen

    Authorization failure .NET client to secured Webservices

    marcelvanvelzen

      Hi,

      I am sorry for this posting, since I think this has been asked many many times. I have read all the related topics and tried many things, but still I cannot make my .NET client connect to my JBoss 4.0.5GA Webservices. My Visual Basic 2005 .NET client gives the error 'Authorization failed'. When I use @PermitAll it works fine. I really hope somebody can help me, since I have an idea what to do next.

      What have I done:

      1) Specified @SecurityDomain("AthenaWS") in the Webservice and added @RolesAllowed("RegularUser") for all methods. The annotations of the class start with:

      @WebService (name="ApplicationEndPoint", serviceName="Application", targetNamespace = "http://address:8080/athenaserver")
      @SOAPBinding (style=SOAPBinding.Style.DOCUMENT, use=SOAPBinding.Use.LITERAL, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED)
      @Stateless
      @Remote(ApplicationRemote.class)
      @RemoteBinding(jndiBinding = "/ejb3/ApplicationEndPoint")
      @SecurityDomain("AthenaWS")
      public class etc

      2) Added the following text to JBOSS_HOME/server/default/conf/login-config.xml:

      <!-- A template configuration for the AthenaWS web application (and transport layer!).
           This defaults to the UsersRolesLoginModule the same as other and should be
           changed to a stronger authentication mechanism as required.
      -->
      <application-policy name="AthenaWS">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">props/athenaws-users.properties</module-option>
            <module-option name="rolesProperties">props/athenaws-roles.properties</module-option>
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="hashEncoding">base64</module-option>
            <!--
            <module-option name="hashAlgorithm">MD5</module-option> (when basic works, I want to use digest authentication)
            -->
          </login-module>
        </authentication>
      </application-policy>

      3) Placed athenaws-users.properties in the JBOSS_HOME/server/default/conf/props, this has the following contents:

      velzm=secret

      4) Placed athenaws-roles.properties in the JBOSS_HOME/server/default/conf/props, this has the following contents:

      velzm=RegularUser

      5) Downloaded Visual Basic 2005 Express Edition and SDK 2.0. I am using InfoPath 2007, but this cannot work with JBoss secured webservices directly; according to the documentation this should only be possible with SharePoint Server using UDC. However, I don't want this additional layer, so I am trying to make a workaround. I am using the tool wsdl.exe to generate a Visual Basic class for the webservice. Later, when this works, I want to see if it is possible to generate JavaScript code and embed this in the InfoPath form, so distribution is no problem. With VB I must distribute the dll, which would suck.

      6) Extended the generated VB webservice class, since preAuthenticate according to the topics gives problems. The VB code is:

      Option Explicit On

      Imports System
      Imports System.IO
      Imports System.Net
      Imports System.Text

      Public Class ApplicationWS
          Inherits Application

          Private nc As NetworkCredential = Nothing

          Protected Overrides Function GetWebRequest(ByVal Uri As Uri) As System.Net.WebRequest
              Dim request As System.Net.HttpWebRequest = MyBase.GetWebRequest(Uri)

              If (MyBase.PreAuthenticate) Then
                  Dim nc As System.Net.NetworkCredential = MyBase.Credentials.GetCredential(Uri, "Basic")
                  Dim credBuf() As Byte = New System.Text.UTF8Encoding().GetBytes(nc.Domain + "\" + nc.UserName + ":" + nc.Password)

                  If Not credBuf Is Nothing Then
                      request.Headers("Authorization") = "Basic " + Convert.ToBase64String(credBuf)
                  End If
              End If

              GetWebRequest = request
          End Function

          Public Overloads Function getExchanges() As String()
              Dim parms As New getExchanges

              Return MyBase.getExchanges(parms)
          End Function

          Public Sub New()
              MyBase.New()
              MyBase.PreAuthenticate = False
          End Sub

          Public Sub New(ByVal domain As String, ByVal user As String, ByVal password As String)
              MyBase.New()
              MyBase.Credentials = New NetworkCredential(user, password, domain)
              MyBase.PreAuthenticate = True
          End Sub
      End Class

      7) Testing the stuff, by the following VB code:

      Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
          Dim application As New ApplicationWS("AthenaWS", "velzm", "secret")
          Dim count As Integer
          Try
              Dim exchanges() As String = application.getExchanges()
              For count = 0 To exchanges.Length - 1
                  Console.WriteLine(exchanges(count))
              Next count
              Console.Beep()
          Catch ex As Exception
              MsgBox("ex=" + ex.Message)
          End Try
      End Sub

      This results in the message 'Authorization failure'. What's wrong ?

      - In JBoss 4.0.5GA I don't see an annotation of validateUnauthorizedTrue, so I cannot set this to true.

      Question which I have, is this option still necessary to set in JBoss 4.0.5GA ?

      - JBOSS_HOME/server/default/logs/server.log shows the following line:
      2006-12-02 09:18:20,062 DEBUG [jbossws.SOAPMessage] Incomming SOAPMessage
      <soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
      <soap:Header/>
      <soap:Body>

      </soap:Body></soap:Envelope>

      Question which I have: where is the authentication header?? I have used the debugger for the overridden function GetWebRequest and this is called correctly, but is it not sending the information? Or is it sending the information, but not showing up in the log?

      I really need some suggestions, since I am stuck.

      Thanks in advance,

      Marcel van Velzen

        • 1. Re: Authorization failure .NET client to secured Webservices
          marcelvanvelzen

          Correction, the JBOSS_HOME/server/default/logs/server.log shows the following line:

          2006-12-02 09:18:20,062 DEBUG [jbossws.SOAPMessage] Incomming SOAPMessage
          <soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
          <soap:Header/>
          <soap:Body>

          </soap:Body></soap:Envelope>

          • 2. Re: Authorization failure .NET client to secured Webservices
            cboatwright

            I didn't notice a @PortComponent annotation, like:

            @PortComponent(authMethod="BASIC", urlPattern="/contextHere/athenaserver",transportGuarantee="CONFIDENTIAL")
            


            Also, I'm guessing you are using the Tomcat that comes with 4.0.5.GA? If so, you should also remember to set the restrictedUserAgents attribute on the connector:

             <Connector port="443" address="${jboss.bind.address}"
             maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
             emptySessionPath="true"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/keystore_tiger"
             keystorePass="--" sslProtocol = "TLS"
             restrictedUserAgents="^.*MS Web Services Client Protocol.*$"/>
            


            I'm not a VB expert so I cannot comment on that. I've used the express edition to test my secure Web services and things work just fine. I have something like:

             Dim proxy As New HelloWorldWs.HelloWorldService

             Try
                 proxy.PreAuthenticate = True
                 proxy.Credentials = New NetworkCredential("colin1", "myPass")

                 Dim result As String
                 result = proxy.echoString("J", "Scott")
                 MsgBox(result)
             Catch ex As Exception
                 MsgBox(ex.Message)
             End Try


            Hope this helps spark some thoughts to discover your problem.


            • 3. Re: Authorization failure .NET client to secured Webservices
              marcelvanvelzen

              Thanks, it now works !!

              What I added was the portcomponent, I specified:

              @PortComponent(authMethod="BASIC", transportGuarantee="NONE")

              At the moment I am not interested in SSL communication.

              Also I don't use Tomcat, but thanks for the advice, perhaps in the future.

              In my VB code, I removed the domain login, since user/password as in your VB example works perfectly.

              In the VB code, it was necessary to override GetWebRequest, otherwise the first call would result in an HTTP 505 error.

              Now I am able to finish my dll, include it in the InfoPath form (and add the cabinet file) and access my webservices via authentication.

              Thanks !
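
An added example (not code from any poster in this thread): a small Python model of what the `Authorization: Basic` header built in step 6 presents to a users/roles lookup, with and without the domain prefix that reply 3 removed. The `USERS`/`ROLES` maps are constructed from the thread's two properties files, and `authorize` is a simplified stand-in for a properties-file lookup, not JBoss's `UsersRolesLoginModule`.

```python
import base64
import hmac

# Constructed from the thread's athenaws-users / athenaws-roles properties.
USERS = {"velzm": "secret"}
ROLES = {"velzm": {"RegularUser"}}


def basic_header(user, password, domain=None):
    """Build the header as the thread's GetWebRequest override does when a
    domain is given, or as plain user:password when it is not."""
    user_id = f"{domain}\\{user}" if domain else user
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header):
    """Return (user_id, password), or None if this is not a valid Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user_id, sep, password = decoded.partition(":")  # first colon only
    return (user_id, password) if sep else None


def authorize(header, required_role):
    """Assumed, simplified lookup: exact user-id match, then role check."""
    creds = parse_basic(header) if header else None
    if creds is None:
        return "401 no usable credentials"
    user_id, password = creds
    expected = USERS.get(user_id)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return f"401 unknown user or bad password: {user_id!r}"
    if required_role not in ROLES.get(user_id, set()):
        return f"403 {user_id!r} lacks role {required_role}"
    return f"200 {user_id!r} allowed"


if __name__ == "__main__":
    for hdr in (basic_header("velzm", "secret", domain="AthenaWS"),
                basic_header("velzm", "secret"), None):
        print(hdr, "->", authorize(hdr, "RegularUser"))
```

The header travels at the HTTP layer, so it never appears inside the SOAP envelope that `jbossws.SOAPMessage` writes to server.log; an empty `<soap:Header/>` there says nothing about whether credentials were sent.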