Posted to java-user@axis.apache.org by Peter Haensgen <P....@intershop.de> on 2002/08/15 14:30:32 UTC

HTTP Authentication not correctly handled in Axis

Hi there,

after playing and debugging with the simple authentication handler in Axis I
found out that:
- authentication only works if the client is a Java client, generated with
WSDL2Java
- authentication does NOT work if the client is a .NET client.

The reason is, in short, that Axis returns a "HTTP/1.1 500 Internal Server
Error" where it should return a "401 Unauthorized".

If authentication is required and the credentials are not part of the
request or wrong, a server normally responds with "HTTP/1.1 401
Unauthorized" and a header like WWW-Authenticate: Basic realm="jaguar".
The client will repeat the request, but this time the necessary credentials
will be passed, e.g. "Authorization: Basic ABCDEFG"

If I use a Java client (generated with WSDL2Java), this challenge-response
does not take place, because the client immediately sends the credentials.
The server can process the request immediately.

With .NET as client, this is a different story. .NET does not send the
credentials immediately. It only sends the credentials if a 401 error was
received. But this is never happening, because Axis sends a 500 error.
Therefore, the simple authentication handler does not work with .NET.

Possible workaround: Write your own authentication handler that conforms to
RFC 2617.

Peter

PS: I would consider this as a bug report, but I don't know if this is a
known problem and how to track it...
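The exchange Peter describes, as an added simulation that is not code from this thread or from Axis: a challenge-driven (.NET-style) client and a preemptive (WSDL2Java-style) client are each run against a server that maps fault codes the reported way and the patched way. The user table, the credential check and the fault-code names' mapping are constructed for the demo; the "AXIS" realm follows the patch.

```python
import base64

# Constructed demo data; the realm name follows the "AXIS" realm used in the patch.
USERS = {"alice": "s3cret"}
REALM = "AXIS"

def check_credentials(headers):
    """Return an Axis-style fault code local part, or None when the caller is authorised."""
    auth = headers.get("Authorization")
    if auth is None:
        return "Server.Unauthenticated"      # no credentials at all: .NET's first request
    scheme, _, token = auth.partition(" ")
    if scheme != "Basic":
        return "Server.Unauthenticated"
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return "Server.Unauthenticated"
    if USERS.get(user) != password:
        return "Server.Unauthorized"         # credentials present but wrong
    return None

def handle(headers, fixed):
    """Simulated AxisServlet: returns (HTTP status, response headers)."""
    fault = check_credentials(headers)
    if fault is None:
        return 200, {}
    if fixed:
        # Patched behaviour: both Unauth* codes become 401 with an RFC 2617 challenge.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    # Reported behaviour: only the exact "Server.Unauthorized" maps to 401, no
    # WWW-Authenticate header is ever sent, and missing credentials become 500.
    return (401 if fault == "Server.Unauthorized" else 500), {}

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def preemptive_client(user, password, fixed):
    """WSDL2Java-style client: credentials go out on the very first request."""
    status, _ = handle({"Authorization": basic_header(user, password)}, fixed)
    return status

def challenge_client(user, password, fixed):
    """.NET-style client: the first request is anonymous; credentials are sent
    only after a 401 that carries a Basic challenge."""
    status, hdrs = handle({}, fixed)
    if status == 401 and hdrs.get("WWW-Authenticate", "").startswith("Basic "):
        status, _ = handle({"Authorization": basic_header(user, password)}, fixed)
    return status
```

Against the reported server the challenge-driven client stops at the 500 and never sends its credentials; against the patched one it retries and succeeds, while the preemptive client succeeds in both cases.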


[PATCH] On AxisServlet - Solves Bug ID 11763 ( Authentication issue with .NET clients)

Posted by Giorgio Maone <g....@informaction.com>.
I believe this issue should be solved on the transport (HTTP) layer, so I
dare to propose this small patch to AxisServlet.
If SC_UNAUTHORIZED is going to be sent, we also send the basic authentication
challenge (RFC 2617).
Notice also that SimpleAuthenticationHandler raises an AxisFault with
message "Server.Unauthenticated" rather than "Server.Unauthorized", so the 401
code was not sent if no credentials were given (this happens in .NET's first
request)...
Hope it helps.

--Giorgio Maone

Index: AxisServlet.java
===================================================================
RCS file:
/home/cvspublic/xml-axis/java/src/org/apache/axis/transport/http/AxisServlet
.java,v
retrieving revision 1.136
diff -u -r1.136 AxisServlet.java
--- AxisServlet.java    16 Aug 2002 19:28:02 -0000      1.136
+++ AxisServlet.java    17 Aug 2002 11:21:52 -0000
@@ -573,7 +573,16 @@
                 log.error(JavaUtils.getMessage("exception00"), e);
                 // It's been suggested that a lack of SOAPAction
                 // should produce some other error code (in the 400s)...
-                res.setStatus(getHttpServletResponseStatus(e));
+                int status=getHttpServletResponseStatus(e);
+               // The following solves .NET client authorization issue.
+               // Should we perhaps do it in a new method called
+               // writeHttpServletResponseHeaders(AxisFault f)
+               // ? --Giorgio Maone
+               if(status==HttpServletResponse.SC_UNAUTHORIZED)
+                    res.setHeader("WWW-Authenticate",
+                     "Basic realm=\"AXIS\"");
+               // TODO: less generic realm choice? --GM
+               res.setStatus(status);
                 responseMsg = new Message(e);
             } catch (Exception e) {
                 log.error(JavaUtils.getMessage("exception00"), e);
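Review bot: the `if(status==HttpServletResponse.SC_UNAUTHORIZED)` has a two-line body with no braces, and the added lines are indented with fewer columns than the surrounding block; wrap the `res.setHeader(...)` call in braces and align the new lines with the existing `log.error(...)` and `responseMsg = new Message(e);` lines. The realm is hard-coded as "AXIS" (the TODO on the next line says as much); reading it from a servlet init-param would let a deployment choose its own realm without a rebuild. Keeping `res.setStatus(status)` rather than `sendError` is sensible here, since the SOAP fault built in `responseMsg = new Message(e);` still reaches the client alongside the challenge.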
@@ -620,9 +629,12 @@
     protected int getHttpServletResponseStatus(AxisFault af) {
         // TODO: Should really be doing this with explicit AxisFault
         // subclasses... --Glen
-        return
af.getFaultCode().getLocalPart().equals("Server.Unauthorized")
+        return af.getFaultCode().getLocalPart().startsWith("Server.Unauth")
                 ? HttpServletResponse.SC_UNAUTHORIZED
                 : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+       // This will raise a 401 for both
+       // "Unauthenticated" & "Unauthorized"...
+       // ...and of course I fully agree with Glen --Giorgio Maone
     }

     /**
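Review bot: `startsWith("Server.Unauth")` is a prefix match, so any fault code whose local part begins with that string, not only the two the comment names, will be reported as 401; an explicit `equals("Server.Unauthenticated") || equals("Server.Unauthorized")` keeps the mapping deliberate until the explicit AxisFault subclasses in Glen's TODO exist. Also move the three added comment lines above the `return`: placed after it they sit where no statement can follow and read as dead text.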
----- Original Message -----
From: <bu...@apache.org>
To: <ax...@xml.apache.org>
Sent: Friday, August 16, 2002 12:06 PM
Subject: DO NOT REPLY [Bug 11763] New: - HTTP Authentication not correctly handled


> DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
> RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
> <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11763>.
> ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
> INSERTED IN THE BUG DATABASE.
>
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11763
>
> HTTP Authentication not correctly handled
>
>            Summary: HTTP Authentication not correctly handled
>            Product: Axis
>            Version: beta-3
>           Platform: PC
>         OS/Version: Windows NT/2K
>             Status: NEW
>           Severity: Normal
>           Priority: Other
>          Component: Basic Architecture
>         AssignedTo: axis-dev@xml.apache.org
>         ReportedBy: p.haensgen@intershop.de
>
>
> After playing and debugging with the simple authentication handler
> (org.apache.axis.handlers.SimpleAuthenticationHandler) I found out that:
> - authentication only works if the client is a Java client, generated with
> WSDL2Java
> - authentication does NOT work if the client is a .NET client.
>
> The reason is, in short, that Axis returns a "HTTP/1.1 500 Internal Server
> Error" where it should return a "401 Unauthorized".
>
> If authentication is required and the credentials are not part of the
> request or wrong, a server normally responds with "HTTP/1.1 401
> Unauthorized" and a header like WWW-Authenticate: Basic realm="jaguar".
> The client will repeat the request, but this time the necessary credentials
> will be passed, e.g. "Authorization: Basic ABCDEFG"
>
> If I use a Java client (generated with WSDL2Java), this challenge-response
> does not take place, because the client immediately sends the credentials.
> The server can process the request immediately.
>
> With .NET as client, this is a different story. .NET does not send the
> credentials immediately. It only sends the credentials if a 401 error was
> received. But this is never happening, because Axis sends a 500 error.
> Therefore, the simple authentication handler does not work with .NET.
>
> Possible solution: The necessary code basically looks like this:
>
> HttpServletResponse response = (HttpServletResponse) msgContext.getProperty(
>     HTTPConstants.MC_HTTP_SERVLETRESPONSE);
>
> // not authorized, so request basic authentication
> response.addHeader("WWW-Authenticate", "Basic realm=\"" + ... (some code for
> the local realm, e.g. the machine name)... + '\"');
>
> response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
>
>
> Possible workaround: Write your own authentication handler that conforms to
> RFC 2617.