BrianR |
Posted: Tue Sep 09, 2008 12:08 am Post subject: Policy set to enforce username and password |
|
|
 Novice
Joined: 04 Nov 2005 Posts: 12 Location: London
|
Can anyone tell me how to configure a policy set to enforce the presence of both a username and password token?
I have tried using the WSS10Default which does enforce the presence of a username token but when no password is present the webservice runs. When a password is present then the security manager is called.
I am using broker 6.1 fixpack 2 |
sridhsri |
Posted: Tue Sep 09, 2008 6:05 pm Post subject: |
|
|
Master
Joined: 19 Jun 2008 Posts: 297
|
What are you using for authentication? I remember when I used an LDAP a blank password still gave me exceptions. |
BrianR |
Posted: Tue Sep 09, 2008 10:28 pm Post subject: |
|
|
 Novice
Joined: 04 Nov 2005 Posts: 12 Location: London
|
We are using OID (Oracle Internet Directory) which claims to be LDAP 3 compliant.
Also, if you enter a non-existent user and no password the web service executes which does imply that either:-
- The authorisation service is not being called when no password is present
or
- The authorisation service ignores the userid UNLESS a password is also present |
mqjeff |
Posted: Wed Sep 10, 2008 1:51 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You need to always create your own profile. The default should not be used. |
BrianR |
Posted: Wed Sep 10, 2008 2:32 am Post subject: |
|
|
 Novice
Joined: 04 Nov 2005 Posts: 12 Location: London
|
mqjeff
I have created a security profile which points at the OID LDAP server. This part is working fine as long as the message includes both a userid and password: if the password is correct the service runs, if the password is wrong an error is returned.
My question was to do with the presence/absence of the password in the input message. For SOAP nodes, if the password tag is not present OR the password tag is present but empty then the service runs (even if the userid does not exist). For HTTPInput node, if the password tag is missing then an error is reported; if the password tag is present but empty then the service runs.
It would appear that the bind to the LDAP server is being done as anonymous unless both the userid and password tags are present AND contain a value. |
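Added example (not part of the thread and not IBM's code): a pre-authentication check that rejects a WS-Security UsernameToken whose password is missing or empty, the two cases the last post reports as reaching the service. RFC 4513 treats a simple bind with a zero-length password as an unauthenticated bind, which fits the anonymous-bind behaviour suspected above. The function name `check_username_token` and the sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP, "wsse": WSSE}

def check_username_token(envelope: bytes):
    """Return (ok, reason). Hypothetical gate to run before any LDAP bind."""
    if b"<!DOCTYPE" in envelope:  # SOAP messages must not carry a DTD
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return False, "malformed XML"
    tokens = root.findall("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if len(tokens) != 1:
        return False, "expected exactly one UsernameToken"
    user = tokens[0].find("wsse:Username", NS)
    pw = tokens[0].find("wsse:Password", NS)
    if user is None or not (user.text or "").strip():
        return False, "username missing or empty"
    if pw is None:
        return False, "password element missing"
    # A zero-length password would turn a simple bind into an
    # unauthenticated (anonymous) bind, so refuse it here.
    if not (pw.text or "").strip():
        return False, "password empty"
    return True, "ok"

def _envelope(token_body: str) -> bytes:
    """Build a constructed sample SOAP 1.1 envelope around a UsernameToken body."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">'
        f"<soap:Header><wsse:Security><wsse:UsernameToken>{token_body}"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        "<soap:Body/></soap:Envelope>"
    ).encode()

# Constructed samples covering the three cases described in the thread.
SAMPLES = {
    "both": _envelope("<wsse:Username>alice</wsse:Username><wsse:Password>s3cret</wsse:Password>"),
    "no_password_tag": _envelope("<wsse:Username>alice</wsse:Username>"),
    "empty_password": _envelope("<wsse:Username>alice</wsse:Username><wsse:Password/>"),
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, check_username_token(env))
```

The whitespace-only case is rejected as empty here, which is a conservative choice of this example rather than something the thread states.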