4 Replies Latest reply on Jul 14, 2004 6:28 AM by Frank Heldt

    Authorization problem using .net client

    Eduard Hidalgo Newbie

      Hello,

      I'm developing a jboss.net webservice, with authentication and jboss-net.authorization feature. It works fine with a java client, but when it's called from a .net client, it always show: "Access denied".

      I've found that it's possible to specificate:

      validate-unauthenticated-calls ="true" in the authentication param:

      * @jboss-net.authentication domain="tras"
      * validate-unauthenticated-calls="true"

      All the references to this problem show that this is the solution, but:Â… I don't see any difference in the web-service.xml generated wth xdoclet as I include validate-unauthenticated-calls="true"

      This tag should generate special options in web-service.xml?
      I'm in the wrong way?

      I'm using jboss-3.2.3 and a xdoclet-module-jboss-net.jar with this manifest.

      Manifest-Version: 1.0
      Ant-Version: Apache Ant 1.5.3
      Created-By: 1.4.1_03-b02 (Sun Microsystems Inc.)
      Specification-Title: JBoss
      Specification-Version: 3.2.2
      Specification-Vendor: JBoss (http://www.jboss.org/)
      Implementation-Title: JBoss [WonderLand]
      Implementation-URL: http://www.jboss.org/
      Implementation-Version: 3.2.2RC5 (build: CVSTag=Branch_3_2 date=200310
      120839)
      Implementation-Vendor: JBoss.org
      Implementation-Vendor-Id: http://www.jboss.org/


      Thank you in advance

        • 1. Re: Authorization problem using .net client
          Lance Nehring Newbie

          I just spent about 5 painful hours working through various combinations or tags, looking at the JBoss wiki, and eventually the source code for JBossAuthenticationHandler and the contents of jboss-net_ejb_xml.xdt in the xdoclet-module-jboss-net.jar that I have.

          Turns out that my xdoclet-module-jboss-net.jar does NOT understand the "validate-unauthenticated-calls" tag. The default in the JBossAuthenticationHandler is "false". According to notes in the source code, one would set "validateUnauthenticatedCalls" to "true" to handle clients that cannot (or won't) pre-authenticate.

          Note: there is a page at:
          http://www.jboss.org/developers/guides/jboss.net/security that says just the opposite and states to set "validateUnauthenticatedCalls" to "false". This doesn't agree with the comments in the source code ..... this cost me must frustration and hair loss.


          So, to get to the point, you'll need to manually edit the "requestFlow" section of your "web-service.xml". You might start with the version that xdoclet generates and then fix up the "requestFlow" section similar to the following:

           <requestFlow name="MyRequest">
           <!-- authentication runs against the jaas:/other domain -->
           <handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler">
           <parameter name="securityDomain" value="java:/jaas/other"/>
           <parameter name="validateUnauthenticatedCalls" value="true"/>
           </handler>
           <!-- authorization runs against the jaas:/other domain -->
           <handler type="java:org.jboss.net.axis.server.JBossAuthorizationHandler">
           <parameter name="securityDomain" value="java:/jaas/other"/>
           <parameter name="allowedRoles" value="myrole"/>
           </handler>
           </requestFlow>
          


          I've run several tests with .Net and Perl SOAP::Lite clients and this works for me. Forget about using "this.PreAuthenticate = true;" in your .Net proxy class. It might pre-authenticate subsequent webservice calls (haven't tested that), but it will NOT pre-authenticate the first call. I've even seen posts on .Net sites about forcibly adding an authenticate header - but from my tests, .Net will silently remove any attempt to do that.

          Hope this helps,
          Lance

          • 2. Re: Authorization problem using .net client
            Eduard Hidalgo Newbie

            Cool!

            I've change it... and the .net client is now authenticating….
            Thanks for yout fast, precise and professional answer!

            Finally, your painfull five hours has been very userfull for our project! ;) and I this this thread should help other people with similar problems!

            Greetings from Barcelona!

            • 3. Re: Authorization problem using .net client
              Matthias Zint Newbie

              Hi there

              I get the following error message when I try to run this test program in JBoss 4.0.0DR4 ->
              "The request failed with HTTP status 401: Unauthorized."

              The example works well in JBoss 3.2.3

              Is there something that can be done about this ?? Has something changed in 4.0 or is this just an error that will be fixed in the final release ??

              cheers
              matt


              Extract from the WebService Session Bean

              /**
               * @ejb.bean name = "HelloWorld"
               * description = "simple HelloWorld Bean"
               * display-name = "HelloWorld EJB"
               * view-type = "remote"
               * jndi-name = "ejb/jbossnet/HelloWorld"
               *
               * @jboss-net.authentication domain="other"
               * validate-unauthenticated-calls="true"
               *
               * @jboss-net.authorization domain="other"
               * roles-allowed="normal,extended"
               *
               *
               * @jboss-net.web-service urn="HelloWorldEJB"
               */
              
              public class HelloWorldBean implements SessionBean {
              
               /**
               *
               */
               public HelloWorldBean() {
               super();
               }
              
               /**
               * Default create Exception
               * @throws CreateException
               * @ejb.create-method
               */
               public void ejbCreate() throws CreateException{
               }
              
               /**
               * HelloBean method
               * @param name
               * @return
               *
               * @jboss-net.web-method
               * @jboss-net.wsdd-operation
               * @ejb.permission role-name = "normal"
               * @ejb.interface-method view-type = "remote"
               */
               public String HelloBean(String name){
               return "Hello " + name;
               }


              users.properties
              admin=adminpwd


              roles.properties
              admin=normal,extended


              web-service.xml
              <requestFlow name="HelloWorldEJBRequest">
               <handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler">
               <parameter name="securityDomain" value="java:/jaas/other"/>
               <parameter name="validateUnauthenticatedCalls" value="true"/>
               </handler>
               <handler type="java:org.jboss.net.axis.server.JBossAuthorizationHandler">
               <parameter name="securityDomain" value="java:/jaas/other"/>
               <parameter name="allowedRoles" value="normal,extended"/>
               </handler>
               </requestFlow>
               <responseFlow name="HelloWorldEJBResponse">
               </responseFlow>


              c# client
              private void button_Click(object sender, EventArgs e)
               {
               localhost.HelloWorldService hws = new localhost.HelloWorldService();
               hws.PreAuthenticate = true;
               NetworkCredential login = new NetworkCredential("admin", "adminpwd");
               CredentialCache cache = new CredentialCache();
               cache.Add(new Uri(hws.Url), "Basic", login);
               hws.Credentials = cache;
              
               textBox.Text = hws.HelloBean("Test");
               }


              • 4. Re: Authorization problem using .net client
                Frank Heldt Newbie

                IMHO the problem with .NET is, that the PreAuthenicate Method doesn't work as expected. The first call
                is done without Authorization - Header, only subsequent calls get the right header.

                But you can workaround this easily with a little subclassing:

                using System;
                
                public class MyWebService : your.original.WebService {
                 protected override System.Net.WebRequest GetWebRequest(Uri uri) {
                 System.Net.HttpWebRequest request = (System.Net.HttpWebRequest)base.GetWebRequest(uri);
                 if (this.PreAuthenticate) {
                 System.Net.NetworkCredential nc = this.Credentials.GetCredential(uri,"Basic");
                 if (nc != null) {
                 byte[] credBuf = new System.Text.UTF8Encoding().GetBytes(nc.UserName + ":" + nc.Password);
                 request.Headers["Authorization"] = "Basic " + Convert.ToBase64String(credBuf);
                 }
                 }
                 return request;
                 }
                }
                
                class TestClient {
                 public static void Main(string[] args) {
                 MyWebService stub = new MyWebService();
                 stub.Credentials = new System.Net.NetworkCredential("admin","secret");
                 stub.PreAuthenticate = true;
                 Console.WriteLine("Call hello: " + stub.hello("MyName"));
                 }
                }
                
                


                I hope this little C# example helps you and others too.

                BTW: This was explained nicely on http://www.nsdev.org/jboss/stories/jboss-net.html, but this
                site seems down. Sad :-(