| Author | 
		  Message
		 | 
		
		  | IIBDev | 
		  
		    
			  
				 Posted: Tue Nov 26, 2013 10:28 am    Post subject: REST Digest Authentication- IIB | 
				     | 
			   
			 
		   | 
		
		
		   Newbie
 
 Joined: 26 Nov 2013 Posts: 5
  
  | 
		  
		    
			  
				Hi,
 
 
I need to implement Digest authentication against a REST web service on SSL. I am able to communicate with the WS on SSL but unable to authenticate.

As per my knowledge of Digest authentication, when the server is hit the first time it sends back a nonce and opaque, and then the token is generated on the client and sent to the server again.

How to achieve this? Do I need to parse the server response and then manually generate the token and hit the server again, or is there some other way?

Also, how do I generate the token from user, password and other details, as I cannot find the com.ibm.broker.javacompute.Base64.encode class in IIB?
 
 
Sample header from Mozilla:
 
 
When the request is made the first time:
 
 
 
Host: staging
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-None-Match: "29bda9f07de0a2daea2446d9b7295116"

HTTP/1.1 401 Authorization Required
Date: Tue, 26 Nov 2013 16:02:45 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.17
Cache-Control: no-cache
WWW-Authenticate: Digest realm="realm", qop="auth", algorithm=MD5, nonce="MTM4NTQ4MTc2NTpmM2E5NTU5YzM3YTJlYTJiYTQzNTY2NDA4ZWQ1NWZmYw==", opaque="9916a3538ee3987258692e1e4a038912"
X-Runtime: 0.006420
X-Rack-Cache: miss
X-UA-Compatible: IE=Edge,chrome=1
X-Request-ID: 48c742eea8fa5d5be511ea0ff19565e8
status: 401
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 48
Content-Type: text/html; charset=utf-8
 
 
After entering username and pwd:
 
 
 
Host: staging
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-None-Match: "29bda9f07de0a2daea2446d9b7295116"
Authorization: Digest username="username", realm="realm", nonce="MTM4NTQ4MTc2NTpmM2E5NTU5YzM3YTJlYTJiYTQzNTY2NDA4ZWQ1NWZmYw==", uri="/api/titles/256516.xml", algorithm=MD5, response="9d39c67e89e99141adfab52449259009", opaque="9916a3538ee3987258692e1e4a038912", qop=auth, nc=00000001, cnonce="082c875dcb2ca740"

HTTP/1.1 200 OK
Content-Type: application/xml
X-Content-Type-Options: nosniff
Date: Tue, 26 Nov 2013 16:25:18 GMT
Server: HTTP server (unknown)
Content-Length: 3487
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public,max-age=172800
Age: 537
Alternate-Protocol: 80:quic
 
 
 
The first request is the same as what I get in IIB. I am using the Http Request Node in the flow. | 
			   
			 
		   | 
		
		
		
		
		  | Esa | 
		  
		    
			  
				 Posted: Tue Nov 26, 2013 11:50 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand Master
 
 Joined: 22 May 2008 Posts: 1387 Location: Finland 
  | 
		  
		    
			  
				Have you checked policy sets and policy set bindings in the InfoCenter? Policy sets address exactly the kind of problems you describe.
 
 
The usage of policy sets and bindings is quite well hidden. You cannot configure them in the flow editor, but in the bar file.
 
 
Please let us know if this helped you. | 
			   
			 
		   | 
		
		
		
		
		  | IIBDev | 
		  
		    
			  
				 Posted: Tue Nov 26, 2013 10:37 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Newbie
 
 Joined: 26 Nov 2013 Posts: 5
  
  | 
		  
		    
			  
				Thanks Esa,
 
 
I haven't tried policy sets; I will try that. But as per my understanding policy sets can be applied to the SOAP nodes; however, I am using an HTTP node here.

I would appreciate it if you could point me to any link/ref where I can get some understanding of Digest authentication through Message Broker or IIB.
 
 
Thanks | 
			   
			 
		   | 
		
		
		
		
		  | Esa | 
		  
		    
			  
				 Posted: Tue Nov 26, 2013 10:52 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand Master
 
 Joined: 22 May 2008 Posts: 1387 Location: Finland 
  | 
		  
		    
			  
				I'm afraid that is the case, policy sets apply to SOAP only.
 
 
Check security profiles. You can assign a security profile to an HttpRequest node. This, too, can be done in the bar file editor only, not in the message flow editor. | 
			   
			 
		   | 
		
		
		
		
		  | Esa | 
		  
		    
			  
				 Posted: Tue Nov 26, 2013 11:58 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand Master
 
 Joined: 22 May 2008 Posts: 1387 Location: Finland 
  | 
		  
		    
			  
				Hi IIBDev,
 
 
I seem to have been misleading you. I'm sorry.
 
 
I read your post more carefully. The problem is that HttpRequest node doesn't seem to support this kind of authentication mechanism out of the box, so you must implement it yourself.
 
 
You may already have constructed a test flow that has two HttpRequest nodes. The first one will fail to authenticate and then propagate the http response with the nonce and other server-generated stuff to error terminal (or was it failure?) from where you can capture it and use it for generating the Authentication header for the second HttpRequest.
 
 
There remains the problem of generating an MD5 hash. There is an example of that in Wikipedia.
 
 
Once you get the two-node test working you can proceed with caching the authentication stuff and -- if you happen to be a perfectionist, too -- figuring out how to implement this with one single HttpRequest node. | 
			   
			 
		   | 
		
		
		
		
		  | IIBDev | 
		  
		    
			  
				 Posted: Wed Nov 27, 2013 2:50 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Newbie
 
 Joined: 26 Nov 2013 Posts: 5
  
  | 
		  
		    
			  
				Hi Esa,
 
 
I am fine with misleading... sometimes it has scope for learning.

Yes, I am planning to add 2 HTTP nodes and then, using a Java compute node, make the token and pass it to the client WS.

I have also raised a PMR for that; let's see what response I get.

Also, is it possible to use a SOAP node for the REST WS call and then use the profile settings to make it work? Or maybe use a gateway WS to interact with the client WS? I am at the beginning of the project, so I can make the changes.

I'm definitely not a perfectionist... in fact I'm a beginner.
  Last edited by IIBDev on Wed Nov 27, 2013 2:59 am; edited 1 time in total | 
			   
			 
		   | 
		
		
		
		
		  | Esa | 
		  
		    
			  
				 Posted: Wed Nov 27, 2013 2:59 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand Master
 
 Joined: 22 May 2008 Posts: 1387 Location: Finland 
  | 
		  
		    
			  
				
   
	| IIBDev wrote: | 
   
  
	
 
I have also raised a PMR for that; let's see what response I get.
 
 | 
   
 
 
 
Please keep us informed.
 
 
I think the HttpRequest node should support this kind of two-step authentication method. This is worth a Request for Enhancement, too. | 
			   
			 
		   | 
		
		
		
		
		  | IIBDev | 
		  
		    
			  
				 Posted: Sat Dec 07, 2013 12:19 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Newbie
 
 Joined: 26 Nov 2013 Posts: 5
  
  | 
		  
		    
			  
				| Got a response for the PMR. Digest Authentication is not supported internally with the HttpRequest nodes. | 
			   
			 
		   | 
		
		
		
		
		  | Simbu | 
		  
		    
			  
				 Posted: Sun Dec 08, 2013 8:42 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Master
 
 Joined: 17 Jun 2011 Posts: 289 Location: Tamil Nadu, India 
  | 
		  
		    
		   | 
		
		
		
		
		  | Esa | 
		  
		    
			  
				 Posted: Sun Dec 08, 2013 10:34 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand Master
 
 Joined: 22 May 2008 Posts: 1387 Location: Finland 
  | 
		  
		    
		   | 
		
		
		
		
		  | IIBDev | 
		  
		    
			  
				 Posted: Tue Dec 10, 2013 10:28 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Newbie
 
 Joined: 26 Nov 2013 Posts: 5
  
  | 
		  
		    
			  
				| Yes, this RFE is raised by us. | 
			   
			 
		   | 
		
		