Posted to java-user@axis.apache.org by Ansgar Berhorn <a....@topdesk.com> on 2010/03/02 09:16:16 UTC

How to get proper http-code on failed authentication?

Hello mailing list,

I have a web service using Axis2 (tested both in 1.4.1 and 1.5.1) with 
Rampart for the security.

When authentication fails, Axis2 will throw an exception internally and 
respond with http status 200.

Is there a way to configure Axis2 or Rampart to respond properly with a 
401 (Unauthorized)? Maybe somebody can give a hint what/where to look 
for? I looked through all the Axis2 examples and did not find any hint.

    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken</items>
            <passwordCallbackClass>
                com.some.organisation.PasswordHandler
            </passwordCallbackClass>
        </action>
    </parameter>

The PasswordHandler throws a

    WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION)

What is the way to make my service respond with a 401 instead of a 200?

Thanks for any hints in advance!

Regards,
Ansgar Berhorn

Re: How to get proper http-code on failed authentication?

Posted by Ruchith Fernando <ru...@gmail.com>.
What we should be sending is "wsse:FailedAuthentication" as the error
code of a SOAP fault [1].
And IIRC the SOAP fault is sent with the HTTP error code 500 (please
correct me if I'm wrong). I'm not sure why it is sending an HTTP 200
right now.

Therefore if you want any other behavior you need to write a custom
handler for that.

Thanks,
Ruchith

1. http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

-- 
http://ruchith.org

---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@axis.apache.org
For additional commands, e-mail: java-user-help@axis.apache.org
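
As an added example (not code from this thread or from Axis2/Rampart): a client-side check that recognises the authentication failure from the "wsse:FailedAuthentication" fault code named above, whichever HTTP status carried the fault. It uses only JDK XML classes and handles SOAP 1.1 faults only; the class name, the result labels and the sample envelopes are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WsseFaultCheck {
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Classifies a response by its SOAP fault first; the HTTP status only decides
    // between OK and HTTP_ERROR when the body carries no fault.
    static String classify(int httpStatus, String body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response is untrusted input: reject DOCTYPEs so no entities are resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        NodeList faults = doc.getElementsByTagNameNS(SOAP11, "Fault");
        if (faults.getLength() == 0) {
            return httpStatus >= 200 && httpStatus < 300 ? "OK" : "HTTP_ERROR";
        }
        // SOAP 1.1: faultcode is an unqualified child element whose text is a QName.
        NodeList codes = ((Element) faults.item(0)).getElementsByTagName("faultcode");
        if (codes.getLength() == 0) return "FAULT";
        Element code = (Element) codes.item(0);
        String qname = code.getTextContent().trim();
        int colon = qname.indexOf(':');
        String prefix = colon < 0 ? null : qname.substring(0, colon);
        // Compare the resolved namespace URI; the prefix text is the sender's choice.
        boolean wsse = WSSE.equals(code.lookupNamespaceURI(prefix));
        return wsse && "FailedAuthentication".equals(qname.substring(colon + 1))
            ? "AUTH_FAILED" : "FAULT";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies; the prefix "sec" is deliberately not "wsse".
        String env = "<e:Envelope xmlns:e=\"" + SOAP11 + "\" xmlns:sec=\"" + WSSE + "\"><e:Body>";
        String end = "</e:Body></e:Envelope>";
        String fault = env + "<e:Fault><faultcode>sec:FailedAuthentication</faultcode>"
            + "<faultstring>constructed sample</faultstring></e:Fault>" + end;
        System.out.println(classify(200, fault));
        System.out.println(classify(500, fault));
        System.out.println(classify(200, env + end));
    }
}
```

Because the decision is made on the fault code, the same fault is treated as an authentication failure whether it arrives with HTTP 200 or HTTP 500.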


Re: How to get proper http-code on failed authentication?

Posted by Ansgar Berhorn <a....@topdesk.com>.
Seeing this and the other replies from the thread I learn that my 
question was asking for a too detailed aspect in the first place.
Basically I "just" want a smooth handling of failed authentication 
between my Axis2/Rampart/Java-Server app and my Axis2c/Rampartc client app.
Between the flood of documentation about all the esoteric WS-Security 
features it is sometimes hard to find substantial information/guidance 
about the "core" things.

Thanks for this clarification. I will have a closer look at how to handle it via 
the SOAP layer.

Ansgar

On 07.03.2010 22:14, Andreas Veithen wrote:
> Returning 401 here would be in violation of the HTTP protocol because
> RFC 2616 requires the server to also return a WWW-Authenticate header
> (see section 10.4.2) and thereby request the client to use HTTP
> authentication instead of WS-Security.
>
> Andreas
>    



Re: How to get proper http-code on failed authentication?

Posted by Andreas Veithen <an...@gmail.com>.
Returning 401 here would be in violation of the HTTP protocol because
RFC 2616 requires the server to also return a WWW-Authenticate header
(see section 10.4.2) and thereby request the client to use HTTP
authentication instead of WS-Security.

Andreas


Re: How to get proper http-code on failed authentication?

Posted by Amila Suriarachchi <am...@gmail.com>.
On Tue, Mar 2, 2010 at 4:35 PM, Ruchith Fernando <ruchith.fernando@gmail.com> wrote:

> Hi,
>
> I think you will have to add a handler to detect a failure in
> authentication and then send the error code, if you need it to be
>

If the username token fails, why can Rampart not set the HTTP code as 401?

thanks,
Amila.

> something other than the default.
>
> Thanks,
> Ruchith

-- 
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/

Re: How to get proper http-code on failed authentication?

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

I think you will have to add a handler to detect a failure in
authentication and then send the error code, if you need it to be
something other than the default.

Thanks,
Ruchith

-- 
http://ruchith.org
