meaton78 | Centurion | Joined: 16 Oct 2008 | Posts: 100
Posted: Mon Apr 30, 2012 9:52 am | Post subject: Calling a url with embedded username and password
Let me get this out of the way first. We are on AIX running Message Broker 6.0 on extended support. Upgrade to 8.0 is in progress, but it is what it is right now. With that said, here's my question:
We are looking to call a web service that has the username and password in the URL, something like this: https://user:password@myWebService.com.
Message Broker does not like that format, and an IBM PMR resulted in them saying that's not a valid URL. I can't imagine that we are the only ones in the world that have a need to do this. Has anyone ever run across it before and got a working example?
As I said earlier, we know we are on old software and are upgrading it. Also, nothing can be done about the URL format.
lancelotlinc | Jedi Knight | Joined: 22 Mar 2010 | Posts: 4941 | Location: Bloomington, IL USA
Posted: Mon Apr 30, 2012 9:55 am | Post subject: Re: Calling a url with embedded username and password
meaton78 wrote:
"I can't imagine that we are the only ones in the world that have a need to do this."
Everyone else in the world uses standard credentialing. Either Basic Auth or SOAP.Header.UserToken.
Putting the password in the URL defeats the purpose of security. Everyone and his brother can see it as it passes across the network.
meaton78 | Centurion | Joined: 16 Oct 2008 | Posts: 100
Posted: Mon Apr 30, 2012 10:01 am
First off, I mentioned that there is nothing we can do about the URL.
Second, as it is going across SSL, the URL is encrypted, so from what I understand, no one's brother will be able to see the password.
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Mon Apr 30, 2012 10:03 am | Post subject: Re: Calling a url with embedded username and password
meaton78 wrote:
"an IBM PMR resulted in them saying that's not a valid URL."
I don't believe that's strictly true. I believe it's a valid URL; it may not be a valid HTTPS URL, however.
meaton78 wrote:
"nothing can be done about the URL format."
If you can't convince the Broker development team to accept a defect here, then you need to use something other than basic Broker tooling to access the web service. I.e. a JavaCompute node. If you weren't on AIX I would have also mentioned a .NET compute node, since I expect that .NET has a lot more support for such pathological notions, that being the norm when one is dealing with Windows-based services anyway (pathological notions, that is).
But you need to raise a huge warning flag to everyone involved in this project and the service you're calling that it's really really an insecure process in the first place, and it needs more money thrown at it.
lancelotlinc | Jedi Knight | Joined: 22 Mar 2010 | Posts: 4941 | Location: Bloomington, IL USA
Posted: Mon Apr 30, 2012 10:07 am
meaton78 wrote:
"First off, I mentioned that there is nothing we can do about the URL.
Second, as it is going across SSL, the URL is encrypted, so from what I understand, no one's brother will be able to see the password."
URLs are stored in logs. Some people who read logs have brothers. I'll concede that not EVERYONE's brother can read.
meaton78 | Centurion | Joined: 16 Oct 2008 | Posts: 100
Posted: Mon Apr 30, 2012 10:19 am
lancelotlinc wrote:
"URLs are stored in logs. Some people who read logs have brothers. I'll concede that not EVERYONE's brother can read."
Point taken
Last edited by meaton78 on Mon Apr 30, 2012 10:25 am; edited 1 time in total
meaton78 | Centurion | Joined: 16 Oct 2008 | Posts: 100
Posted: Mon Apr 30, 2012 10:21 am | Post subject: Re: Calling a url with embedded username and password
mqjeff wrote:
"I don't believe that's strictly true. I believe it's a valid URL; it may not be a valid HTTPS URL, however."
We tried, and at first they said they would create an APAR, but then retracted.
mqjeff wrote:
"But you need to raise a huge warning flag to everyone involved in this project and the service you're calling that it's really really an insecure process in the first place, and it needs more money thrown at it."
Understood. Thanks for the helpful reply.
joebuckeye | Partisan | Joined: 24 Aug 2007 | Posts: 365 | Location: Columbus, OH
Posted: Mon Apr 30, 2012 10:34 am | Post subject: Re: Calling a url with embedded username and password
meaton78 wrote:
"We are looking to call a web service that has the username and password in the URL, something like this: https://user:password@myWebService.com.
Message Broker does not like that format, and an IBM PMR resulted in them saying that's not a valid URL."
I know you say that nothing can be done about the URL, but in looking at the W3C spec on URLs it appears that the one you gave is not valid.
From a quick look over the spec it appears that the 'username:password@' portion of the URL may only be valid for FTP requests (not HTTP).
This may be why IBM responded the way they did.
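
Added example (not from any poster in the thread, and not IBM code): a helper of the kind mqjeff's JavaCompute suggestion would need. It takes the credentials out of the URL before the request is made, turns them into an HTTP Basic `Authorization` header value, and leaves a URL that can be logged without exposing the password, which is lancelotlinc's concern. Assumptions: the service accepts Basic auth, the runtime is Java 8 or later (for `java.util.Base64`), and the class name `UserInfoUrl` is hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class UserInfoUrl {
    public final String requestUrl;   // URL without userinfo: the only form to send or log
    public final String authHeader;   // value for the Authorization header, or null

    private UserInfoUrl(String requestUrl, String authHeader) {
        this.requestUrl = requestUrl;
        this.authHeader = authHeader;
    }

    public static UserInfoUrl parse(String url) {
        URI in;
        try {
            in = new URI(url);
        } catch (URISyntaxException e) {
            // getMessage() would echo the input, password included; keep only the reason.
            throw new IllegalArgumentException("bad URL: " + e.getReason());
        }
        if (in.getScheme() == null || in.getHost() == null) {
            // Java could not split the authority, so userinfo cannot be removed reliably.
            throw new IllegalArgumentException("bad URL: no parsable scheme or host");
        }
        // Rebuild from raw components so existing percent-encoding is left untouched.
        StringBuilder clean = new StringBuilder(in.getScheme()).append("://").append(in.getHost());
        if (in.getPort() != -1) clean.append(':').append(in.getPort());
        if (in.getRawPath() != null) clean.append(in.getRawPath());
        if (in.getRawQuery() != null) clean.append('?').append(in.getRawQuery());

        String userInfo = in.getUserInfo();   // percent-decoded "user:password", or null
        if (userInfo == null) return new UserInfoUrl(clean.toString(), null);
        // Basic credentials are base64("user:password"). The user name ends at the first
        // colon, so a password that itself contains ':' passes through unchanged.
        byte[] raw = userInfo.getBytes(StandardCharsets.UTF_8);
        return new UserInfoUrl(clean.toString(), "Basic " + Base64.getEncoder().encodeToString(raw));
    }

    public static void main(String[] args) {
        // Constructed sample input; the host is the placeholder used in the thread.
        UserInfoUrl u = parse("https://user:p%40ss:word@myWebService.com/orders?id=7");
        System.out.println("request URL: " + u.requestUrl);
        System.out.println("Authorization header present: " + (u.authHeader != null));
    }
}
```

The caller sends the request to `requestUrl` with `authHeader` as the `Authorization` header, and only `requestUrl` should ever appear in logs or error messages.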