how can non-interactive clients login and access protected resources?

  • how can non-interactive clients login and access protected resources?

    Hi

    I have a collection of web services that make calls to each other passing XML. The URLs they access are protected. Can anyone suggest an easy way to set up the system so that these non-interactive clients can programmatically access my protected resources?

    The non-interactive clients are written in both Java and PHP. I need to make it brain dead easy for the client programmers.

    thanks in advance

    Andy

  • #2
    One option is to use basic authentication over https. Other options include X509, OAuth, CAS proxy tickets, etc.



    • #3
      Thanks for the suggestion.

      I played around with http-basic yesterday, but did not get very far. I do not have a good example of what / how the http headers work with spring. I guess I will need something like wireshark to see exactly what gets sent and returned?

      Here is the response I get when I try to access a protected resource

      [info] using http
      [info] list of response headers
      null: [HTTP/1.1 401 Unauthorized]
      WWW-Authenticate: [Basic realm="Spring Security Application"]
      Date: [Wed, 23 Mar 2011 19:15:32 GMT]
      Content-Length: [1119]
      Set-Cookie: [JSESSIONID=DCBA0A955B9EE1A89B197C8CABF0D080; Path=/PropertyListService]
      Content-Type: [text/html;charset=utf-8]
      Server: [Apache-Coyote/1.1]
      [info] response message
      Unauthorized
      Server returned HTTP response code: 401 for URL: http://localhost:8080/PropertyListService/Select

      My assumption is I need to resend my original request, the session cookie, and base64encode(username+":"+password); the encoded value needs to be set in the header

      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

      My guess is I am going to get back the results from original request, plus some new cookies?

      I have customized the authentication manager

      <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="jdbcUserService">
          <password-encoder ref="passwordEncoder">
            <salt-source ref="saltSource" />
          </password-encoder>
        </authentication-provider>
      </authentication-manager>

      so that it works with a legacy rdbms. Will I have to tweak anything if I switch from <form-login> to <http-basic>?

      This might be a great recipe to add to the FAQ section.

      thanks in advance


      Andy



      • #4
        Originally posted by bangzippy:
          My assumption is I need to resend my original request, the session cookie, and base64encode(username+":"+password); the encoded value needs to be set in the header

          Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
        Yes...did you try it?

        Originally posted by bangzippy:
          My guess is I am going to get back the results from original request, plus some new cookies?
        Yes...did you try it?

        Originally posted by bangzippy:
          so that it works with a legacy rdbms. Will I have to tweak anything if I switch from <form-login> to <http-basic>?
        No...did you try it?



        • #5
          After playing around, it looks like the easiest thing to do is pre-emptively send the authentication header.

          It adds some overhead on the server. However, I need to make things as brain dead simple as possible for the client programmers. In the future I'll provide them with a programming language specific lib that handles the session cookie, ...

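          import java.net.HttpURLConnection;
          import java.nio.charset.StandardCharsets;
          import org.apache.commons.codec.binary.Base64;

          HttpURLConnection connection;

          ...

          if (loginUserId != null && password != null) {
              // Basic credentials are base64("user:password"): an encoding, not encryption
              String basic = loginUserId + ":" + password;
              // use an explicit charset instead of the platform default
              byte[] bytes = basic.getBytes(StandardCharsets.UTF_8);
              Base64 base64 = new Base64();
              basic = base64.encodeToString(bytes);
              // set before connecting so the header goes out with the first request
              connection.setRequestProperty("Authorization", "Basic " + basic.trim());
          }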

          thanks

          Andy



          • #6
            Not sure what technology your client programmers are using, but most modern languages with HTTP clients handle HTTP basic authentication natively...



            • #7
              I would really appreciate a java and php example

              thanks

              Andy
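
Post #7 asks for a Java example. The following is an added illustration, not code from any participant in the thread or from Spring Security: it sends the pre-emptive `Authorization` header described in #5 using only the JDK (Java 8 or later) and refuses to send credentials without TLS unless the target is loopback. The class name, the `/Select` handler on an in-process JDK `HttpServer`, the realm and the `svc-client` / `constructed-secret` credentials are assumptions made up for the demo.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthClientDemo {
    /** GET with a pre-emptive Basic header; returns the HTTP status code. */
    static int get(URL url, String user, String password) throws IOException {
        // Basic credentials are only base64-encoded, not encrypted: require TLS
        // unless the target is loopback (local testing, as in the thread's log).
        boolean loopback = InetAddress.getByName(url.getHost()).isLoopbackAddress();
        if (user != null && !"https".equals(url.getProtocol()) && !loopback) {
            throw new IOException("refusing to send Basic credentials without TLS");
        }
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        if (user != null) {
            byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
            // Sent with the first request, so no 401 round trip is needed.
            c.setRequestProperty("Authorization",
                    "Basic " + Base64.getEncoder().encodeToString(raw));
        }
        return c.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the protected service (JDK HttpServer, not Spring).
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/Select", ex -> {
            ex.sendResponseHeaders(200, -1); // authenticated: 200 with no body
            ex.close();
        }).setAuthenticator(new BasicAuthenticator("Demo realm") {
            @Override public boolean checkCredentials(String u, String p) {
                return "svc-client".equals(u) && "constructed-secret".equals(p);
            }
        });
        server.start();
        URL url = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/Select").toURL();
        System.out.println("no credentials -> " + get(url, null, null));
        System.out.println("wrong password -> " + get(url, "svc-client", "nope"));
        System.out.println("pre-emptive    -> " + get(url, "svc-client", "constructed-secret"));
        server.stop(0);
    }
}
```

Because the header is attached to every call, the client does not depend on the `JSESSIONID` cookie from the 401 response shown in #3.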
