
Thread: how can non-interactive clients login and access protected resources?

  1. #1
    Join Date
    Jan 2011
    Posts
    10

    Default how can non-interactive clients login and access protected resources?

    Hi

    I have a collection of web services that make calls to each other passing XML. The URLs they access are protected. Can anyone suggest an easy way to set up the system so that these non-interactive clients can programmatically access my protected resources?

    The non-interactive clients are written in both Java and PHP. I need to make it brain-dead easy for the client programmers.

    thanks in advance

    Andy

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    One option is to use basic authentication over https. Other options include X509, OAuth, CAS proxy tickets, etc.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    Jan 2011
    Posts
    10

    Default

    Thanks for the suggestion.

    I played around with http-basic yesterday, but did not get very far. I do not have a good example of what / how the HTTP headers work with Spring. I guess I will need something like Wireshark to see exactly what gets sent and returned?

    Here is the response I get when I try to access a protected resource

    [info] using http
    [info] list of response headers
    null: [HTTP/1.1 401 Unauthorized]
    WWW-Authenticate: [Basic realm="Spring Security Application"]
    Date: [Wed, 23 Mar 2011 19:15:32 GMT]
    Content-Length: [1119]
    Set-Cookie: [JSESSIONID=DCBA0A955B9EE1A89B197C8CABF0D080; Path=/PropertyListService]
    Content-Type: [text/html;charset=utf-8]
    Server: [Apache-Coyote/1.1]
    [info] response message
    Unauthorized
    Server returned HTTP response code: 401 for URL: http://localhost:8080/PropertyListService/Select

    My assumption is I need to resend my original request with the session cookie, and the base64encode(username+":"+password) value needs to be set in the header

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    My guess is I am going to get back the results from the original request, plus some new cookies?

    I have customized the authentication manager

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="jdbcUserService">
            <password-encoder ref="passwordEncoder">
                <salt-source ref="saltSource" />
            </password-encoder>
        </authentication-provider>
    </authentication-manager>

    so that it works with a legacy RDBMS. Will I have to tweak anything if I switch from <form-login> to <http-basic>?

    This might be a great recipe to add to the FAQ section.

    thanks in advance


    Andy

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    Quote Originally Posted by bangzippy
    My assumption is I need to resend my original request with the session cookie, and the base64encode(username+":"+password) value needs to be set in the header

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    Yes...did you try it?

    Quote Originally Posted by bangzippy
    My guess is I am going to get back the results from the original request, plus some new cookies?
    Yes...did you try it?


    Quote Originally Posted by bangzippy
    so that it works with a legacy RDBMS. Will I have to tweak anything if I switch from <form-login> to <http-basic>?
    No...did you try it?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Jan 2011
    Posts
    10

    Default

    After playing around, it looks like the easiest thing to do is to pre-emptively send the authentication header.

    It adds some overhead on the server. However, I need to make things as brain-dead simple as possible for the client programmers. In the future I'll provide them with a programming-language-specific lib that handles the session cookie, ...

    import java.net.HttpURLConnection;
    import java.nio.charset.Charset;
    import org.apache.commons.codec.binary.Base64;

    HttpURLConnection connection;

    ...

    if (loginUserId != null && password != null) {
        // HTTP Basic: "Basic " + base64(userid ":" password); the user-id must not contain ':'
        String basic = loginUserId + ":" + password;
        // encode with an explicit charset so the bytes match what the server decodes
        // (Spring Security's BasicAuthenticationFilter uses UTF-8 by default)
        byte[] bytes = basic.getBytes(Charset.forName("UTF-8"));
        // new Base64() encodes without line breaks, so no trimming is needed
        String encoded = new Base64().encodeToString(bytes);
        connection.setRequestProperty("Authorization", "Basic " + encoded);
    }

    thanks

    Andy
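The exchange behind post #3's 401 response and post #5's pre-emptive header, as an added Python example (not code from the thread, from Spring Security, or from either poster): a loopback stub server that challenges with WWW-Authenticate: Basic realm="..." the way the Spring response above does and checks the decoded credentials, and a client that either gets challenged or sends the Authorization header pre-emptively so the request succeeds in one round trip. The realm string is the one from the 401 above; the Aladdin / open sesame account is the RFC 2617 example pair, used here as a constructed test credential; the client's refusal to send credentials over plain http is the practical form of Rob's "basic authentication over https", since Basic is only base64, not encryption. The same two header values are what the Java and PHP clients have to send.

```python
"""HTTP Basic round trip: stub server challenging like Spring Security's
BasicAuthenticationFilter, and a client answering pre-emptively."""
import base64
import hmac
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REALM = "Spring Security Application"       # realm from the 401 shown in the thread
USERS = {"Aladdin": "open sesame"}           # constructed test account (RFC 2617 example pair)


def basic_header(user, password, charset="utf-8"):
    """Authorization value for HTTP Basic: 'Basic ' + base64(user ':' password)."""
    if ":" in user:
        raise ValueError("Basic user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode(charset)).decode("ascii")
    return "Basic " + token


def parse_challenge(www_authenticate):
    """Realm from a 'Basic realm=\"...\"' challenge; None if absent or not Basic."""
    m = re.match(r'\s*basic\s+realm="([^"]*)"', www_authenticate or "", re.IGNORECASE)
    return m.group(1) if m else None


def authenticate(authorization):
    """Server side: decode the header and verify it; returns the user-id or None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or not valid UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        user = authenticate(self.headers.get("Authorization"))
        if user is None:
            # same shape as the Spring 401 in the thread: challenge, no resource
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        body = f'<result user="{user}"/>'.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def fetch(url, user=None, password=None, allow_plain_http=False):
    """One request; returns (status, realm from a challenge or None, body).
    With credentials the header is sent pre-emptively, and only over https
    unless allow_plain_http is set (used here for the loopback stub only)."""
    parts = urlsplit(url)
    headers = {}
    if user is not None:
        if parts.scheme != "https" and not allow_plain_http:
            raise RuntimeError("refusing to send Basic credentials over plaintext http")
        headers["Authorization"] = basic_header(user, password)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=5)
    try:
        conn.request("GET", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, parse_challenge(resp.getheader("WWW-Authenticate")), body
    finally:
        conn.close()


def demo():
    """Run the three cases against a loopback stub; returns their (status, realm, body) tuples."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/PropertyListService/Select"
    try:
        challenge = fetch(url)                                             # no creds: 401 + challenge
        ok = fetch(url, "Aladdin", "open sesame", allow_plain_http=True)   # pre-emptive header: 200
        bad = fetch(url, "Aladdin", "wrong", allow_plain_http=True)        # wrong password: 401 again
        return challenge, ok, bad
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, (status, realm, body) in zip(("no creds", "good creds", "bad creds"), demo()):
        print(f"{label}: {status} realm={realm!r} body={body!r}")
```

Run it as a script to see the three outcomes. One thing the 401 above shows that the code does not: the Set-Cookie: JSESSIONID header means the server created a session for an unauthenticated request. A client that sends the header pre-emptively on every call gets nothing from that session, so for these non-interactive clients the http element can be configured with create-session="stateless" (available from Spring Security 3.1); the per-request overhead Andy mentions is then the salted password check in the JDBC provider shown in post #3, which is the price of not keeping session state.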

  6. #6
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Default

    Not sure what technology your client programmers are using, but most modern languages with HTTP clients handle HTTP basic authentication natively...
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  7. #7
    Join Date
    Jan 2011
    Posts
    10

    Default

    I would really appreciate a java and php example

    thanks

    Andy
