How are our users provided in the basic auth token passed from Postman/SoapUI/any client authenticated?

Hello

I am trying to introduce a basic auth over SSL policy for my customer. As a simple test, I have a helloworld service defined on a RESTful web service. I have the web.xml file.

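// JAX-RS annotations (javax.ws.rs namespace assumed)
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

// JAX-RS resource served under the "samplewebxml" path
@Path("samplewebxml")
public class GenericResource {

    public GenericResource() {
    }

    // Handles GET on the "hello" sub-path and returns plain text
    @GET
    @Produces("text/plain")
    @Path("hello")
    public String sayHello() {
        return ("Hello from WebXML!");
    }
}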

I have defined a constraint on the @GET method sayHello(). I want to restrict users on 2 groups defined on the WebLogic default security realm. The users are defined and assigned to the roles in WebLogic DefaultDomain and I can see them on the security realm.

My web.xml file looks like this:

<servlet>
    <servlet-name>RestServlet</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
</servlet>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>resources</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>
<security-role>
    <role-name>Admin</role-name>
</security-role>
</web-app>

However, when accessing the URL this security constraint is not being enforced and I can still see the response when I type the URL in the browser.

My second issue is: if the security constraint is enforced, then I expect a standard pop-up in my browser which asks for user id and password. Once I enter the user id and password on that form, how does it pass the user id and password to the servlet?

My other experience is that even after putting in the WebLogic user id (which is part of the Administrators group and with Admin role) it does not allow access to servlets when it should have.

Can anyone explain what I am missing here? Do I need to make any entries in the weblogic.xml or config.xml files, and how does the JEE container authenticate against the WebLogic default credential store?

Under security realms:
1. Under Credential mapping - Security Credential Mapping is not defined.
2. Under Providers tab - The order of authenticators is DefaultAuthenticators, Default Identity Asserters and then Trust Service Identity Asserter.

Any help on this will be very much appreciated.

Thanks
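
An added example, not part of the original post: a small Python check over a web.xml descriptor that reports, per `<security-constraint>`, whether it has an `<auth-constraint>` (under the Servlet specification a constraint without one permits access without authentication), whether it is limited to listed HTTP methods, and whether it requires a CONFIDENTIAL transport. The `audit_web_xml` name, the `<web-app>` root wrapper and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post, wrapped in a root element.
POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""
# Constructed variant carrying the elements the checks look for.
HARDENED = POSTED.replace(
    "      <http-method>GET</http-method>\n", "").replace(
    "  </security-constraint>",
    "    <auth-constraint><role-name>Admin</role-name></auth-constraint>\n"
    "    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n"
    "    </user-data-constraint>\n"
    "  </security-constraint>")


def audit_web_xml(text):
    """Return a list of findings, one or more per <security-constraint>."""
    root = ET.fromstring(text)
    for el in root.iter():  # drop XML namespaces so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for i, sc in enumerate(root.findall("security-constraint"), 1):
        if sc.find("auth-constraint") is None:
            findings.append(f"constraint {i}: no <auth-constraint>, so no login is required")
        methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method")]
        if methods:
            findings.append(f"constraint {i}: covers only {methods}; other methods are not covered")
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        if tg != "CONFIDENTIAL":
            findings.append(f"constraint {i}: transport-guarantee is {tg}; HTTPS is not required")
    return findings


if __name__ == "__main__":
    for line in audit_web_xml(POSTED) or ["no findings"]:
        print(line)
```

Once a constraint does require login, the browser or client sends the credentials in an `Authorization: Basic` header (base64 of `user:password`) on each request, which is why the CONFIDENTIAL transport check matters for Basic authentication.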
