<h2>Basic authentication in REST-application</h2>
<h3>Environment:</h3>
<ul>
  <li>JAVA</li>
  <li>Glassfish</li>
  <li>REST-services in different machine</li>
  <li>HTML5-client with AJAX and JQuery</li>
  <li>Jersey</li>
</ul>
<p>This is what I have implemented so far:</p>
<h3>HTML5-client</h3>
<pre><code>$('#btnSignIn').click(function () {
    var username = $("#username").val();
    var password = $("#password").val();

    // Builds the Basic scheme value: "Basic " + base64("user:password").
    // base64 is an encoding, not encryption; the raw token is also written
    // to the console and to an alert here for debugging.
    function make_base_auth(user, password) {
        var tok = user + ':' + password;
        var final = "Basic " + $.base64.encode(tok);
        console.log("FINAL----&gt;" + final);
        alert("FINAL----&gt;" + final);
        return final;
    }

    $.ajax({
        type: "GET",
        contentType: "application/json",
        url: "http://localhost:8080/SesameService/webresources/users/secured/login",
        crossDomain: true,
        dataType: "text",
        async: false,
        data: {},
        beforeSend: function (xhr) {
            // Attach the Basic credentials to the cross-domain request.
            xhr.setRequestHeader('authorization', make_base_auth(username, password));
        },
        success: function () {
            alert('Thanks for your signin in! ');
        },
        error: function (jqXHR, textStatus, errorThrown) {
            console.log(textStatus, errorThrown);
            alert('Error in signIn-process!!\n' + textStatus);
        }
    });
});
</code></pre>
<h3>SERVER</h3>
<p>In Security, I haven't got Security Manager enabled, it is disabled!</p>
<p>I have configured BASIC-authentication to Glassfish and my web.xml looks like that:</p>
<pre class="lang-xml prettyprint-override"><code>&lt;servlet-mapping&gt;
    &lt;servlet-name&gt;ServletAdaptor&lt;/servlet-name&gt;
    &lt;url-pattern&gt;/webresources/*&lt;/url-pattern&gt;
&lt;/servlet-mapping&gt;
&lt;security-constraint&gt;
    &lt;web-resource-collection&gt;
        &lt;web-resource-name&gt;REST Protected resources&lt;/web-resource-name&gt;
        &lt;description/&gt;
        &lt;url-pattern&gt;/users/*&lt;/url-pattern&gt;
    &lt;/web-resource-collection&gt;
    &lt;auth-constraint&gt;
        &lt;role-name&gt;admin&lt;/role-name&gt;
        &lt;role-name&gt;customer&lt;/role-name&gt;
        &lt;role-name&gt;user&lt;/role-name&gt;
    &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
&lt;login-config&gt;
    &lt;auth-method&gt;BASIC&lt;/auth-method&gt;
    &lt;realm-name&gt;jdbcRealm&lt;/realm-name&gt;
&lt;/login-config&gt;
&lt;security-role&gt;
    &lt;role-name&gt;admin&lt;/role-name&gt;
&lt;/security-role&gt;
&lt;security-role&gt;
    &lt;role-name&gt;user&lt;/role-name&gt;
&lt;/security-role&gt;
&lt;security-role&gt;
    &lt;description/&gt;
    &lt;role-name&gt;customer&lt;/role-name&gt;
&lt;/security-role&gt;
</code></pre>
<h3>GLASSFISH</h3>
<p><img src="https://i.stack.imgur.com/fmaLi.png" alt="Glassfish screenshot"></p>
<h3>LOG</h3>
<pre><code>FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = SesameService/SesameService
FINE: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/webresources/users/secured/login" "GET")
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: SesameService/SesameService
FINE: [Web-Security] hasResource isGranted: true
FINE: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/webresources/users/secured/login" "GET")
</code></pre>
<h3>QUESTION:</h3>
<ol>
  <li><p>If I encrypt (NOT encode) the password in the client when the user is signing up and transfer it under SSL/HTTPS, is this a secure and good way to implement this?</p></li>
  <li><p>If I use the REST-service without the client, it is always open, WHY? No BASIC-authentication? Have I understood something wrong with those url-patterns?</p>
  <pre><code>http://localhost:8080/SesameService/webresources/users/secured/login
</code></pre></li>
  <li><p>IF I get this working, how do I test that, because now if I authenticate once, I am authorised always? Is it possible to "log out" programmatically inside the REST-service, or in general how to implement Log out?</p></li>
  <li><p>When using Authorization in the header with mandatory base64-encoded username:password, do I have to encode my username and password to the DB as well? I tried that and added Encoding (allowed values are Hex and Base64) to jdbcRealm in Glassfish and it seems that the password is enough, but what happens when both are encoded in the client?</p></li>
</ol>
<p><strong>UPDATE:</strong> I changed web.xml and now BASIC-authentication is working when calling the REST-service straight in the browser: <code>http://localhost:8080/SesameService/users/secured/login</code></p>
<p>Changes:</p>
<ul>
  <li>I enabled security manager in Glassfish</li>
  <li><p>I changed url-pattern:</p>
  <pre><code>&lt;servlet-mapping&gt;
    &lt;servlet-name&gt;ServletAdaptor&lt;/servlet-name&gt;
    &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/servlet-mapping&gt;
</code></pre>
  <p>I took webresources off. It was generated by Netbeans.</p></li>
  <li><p>I changed the url to the service to this: <code>http://localhost:8080/SesameService/users/secured/login</code></p></li>
</ul>
<p>Now I get a HTTP/1.1 401 Unauthorized when trying to authenticate from the HTML5-client.</p>
<p><strong>Request headers:</strong></p>
<pre><code>Origin: http://localhost:8383
Host: localhost:8080
Connection: keep-alive
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,content-type
</code></pre>
<p><strong>Response:</strong></p>
<pre><code>x-powered-by: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Oracle Corporation/1.7)
WWW-Authenticate: Basic realm="jdbcRealm"
Server: GlassFish Server Open Source Edition 3.1.2.2
Pragma: No-cache
Expires: Thu, 01 Jan 1970 02:00:00 EET
Date: Sat, 13 Apr 2013 15:25:06 GMT
Content-Type: text/html
Content-Length: 1073
Cache-Control: no-cache
</code></pre>
<p><strong>UPDATE 2</strong></p>
<p>When I try to authenticate with JavaScript + Authorization-header I get a 401 error and this in the log:</p>
<pre><code>FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = SesameService/SesameService
FINE: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/users/secured/login" "OPTIONS")
FINE: [Web-Security] hasUserDataPermission isGranted: true----&gt;!!!!!!!!!!!!!
FINE: [Web-Security] Policy Context ID was: SesameService/SesameService
FINE: [Web-Security] Codesource with Web URL: file:/SesameService/SesameService
FINE: [Web-Security] Checking Web Permission with Principals : null-------&gt;!!!!!!!
FINE: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/users/secured/login" "OPTIONS")
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (SesameService/SesameService)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/users/secured/login" "OPTIONS"))
FINE: [Web-Security] hasResource isGranted: false-------&gt;!!!!!!!!!
FINE: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/users/secured/login" "OPTIONS")
FINEST: JACC Policy Provider: PolicyWrapper.getPermissions(cs), context (null) codesource ((null &lt;no signer certificates&gt;)) permissions: java.security.Permissions@5d4de3b0 (
</code></pre>
<p><strong>UPDATE 3</strong></p>
<p>I can't be the first and only person who is trying to authenticate using BASIC in a cross-domain case. I changed my cross origin filters like that:</p>
<pre><code>response.getHttpHeaders().putSingle("Access-Control-Allow-Headers", "Authorization");
</code></pre>
<p>NO 401 error anymore but still an error in JavaScript. In the Glassfish log:</p>
<pre><code>FINEST: JACC Policy Provider: getPolicy (SesameService/SesameService) is NOT in service-----&gt;!!!!!!!!
FINE: JACC Policy Provider: file arrival check type: granted arrived: false exists: false lastModified: 0 storedTime: 1365968416000 state: deleted SesameService/SesameService
FINE: JACC Policy Provider: file arrival check type: excluded arrived: false exists: false lastModified: 0 storedTime: 0 state: deleted SesameService/SesameService
FINE: TM: getTransaction: tx=null, tm=null
FINE: TM: componentDestroyedorg.apache.catalina.servlets.DefaultServlet@227fe9a8
FINE: TM: resourceTable before: 0
FINE: TM: resourceTable after: 0
</code></pre>
<p>BTW, because I have never got this to work, does this work the same way as calling the REST-service directly in its own domain? So, first the client requests, the server requests and the username-password window opens, then the client requests and the server authenticates and responds with the page? I am trying to get it: Request with Authorization header in it, response from server with the result from the REST-service and that's it. Any idea how to secure REST-services? Easier than that? This is impossible.</p>
<p><strong>UPDATE 4</strong></p>
<p>I just tried to move my HTML5-client under the java web-project, just pure html-pages and under the same domain, and BASIC-authentication is working 100 %. So the reason is the cross-domain environment.</p>
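<p>The log in UPDATE 2 shows what breaks the cross-domain case: because the request carries an <code>Authorization</code> header (and a <code>Content-Type</code>), the browser first sends a CORS preflight <code>OPTIONS</code> request, and that preflight never carries credentials. The container evaluates the <code>OPTIONS</code> request against the <code>/users/*</code> security constraint with <code>Principals : null</code>, denies it, and answers 401 before any application code runs. The example below is an added illustration, not code from the question or from Glassfish/Jersey: a plain Servlet 3.0 <code>Filter</code> that answers the preflight with the CORS headers the client needs (the question's own filter change already adds <code>Access-Control-Allow-Headers: Authorization</code>) and restricts <code>Access-Control-Allow-Origin</code> to an explicit allow-list. The package name, the filter class, and the allowed origin <code>http://localhost:8383</code> (taken from the request headers shown above) are assumptions.</p>

```java
// Added example, not the question's code: a servlet Filter that answers the CORS
// preflight (OPTIONS) the browser sends before a cross-origin GET that carries an
// Authorization header. Assumes a Servlet 3.0 container (Glassfish 3.1.2.2) and that
// web.xml excludes OPTIONS from the BASIC security-constraint (see usage note).
package example.cors; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Same URL space as the security-constraint in the question's web.xml.
@WebFilter(urlPatterns = "/users/*")
public class CorsPreflightFilter implements Filter {

    // Explicit allow-list instead of "*": only the HTML5 client's origin
    // (http://localhost:8383 in the question's request headers) is accepted.
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("http://localhost:8383")));

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            // Same-origin or unknown origin: emit no CORS headers at all, so the
            // browser refuses the cross-origin response; the container's BASIC
            // authentication and the resource behave exactly as before.
            chain.doFilter(req, res);
            return;
        }

        // Echo only an origin that passed the allow-list check.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Vary", "Origin");

        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // The preflight arrives WITHOUT the Authorization header, so it is
            // answered here and never reaches the protected resource.
            response.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
            response.setHeader("Access-Control-Max-Age", "600");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        // Actual GET: the Authorization header is present and the container has
        // already authenticated it against jdbcRealm before this filter runs.
        chain.doFilter(req, res);
    }
}
```

<p>This filter alone is not enough, because the container enforces the security constraint before the filter chain runs, which is exactly why the preflight is rejected with <code>Principals : null</code>. The <code>web-resource-collection</code> in web.xml must therefore leave <code>OPTIONS</code> out of the BASIC constraint by adding <code>&lt;http-method-omission&gt;OPTIONS&lt;/http-method-omission&gt;</code> next to the <code>url-pattern</code> (a Servlet 3.0 element). The trade-off to check afterwards: <code>OPTIONS</code> on <code>/users/*</code> is then served without authentication, so nothing in the resource may return data on that method; with the filter above, the preflight is answered with 204 and an empty body before Jersey sees it. The actual GET is still authenticated by the container, and the base64 token in the header is only as private as the transport, so the HTTPS mentioned in question 1 remains necessary.</p>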
 
