HTTP Basic and Digest Authentication

Sample Number: 103

Level: Intermediary

Description

This sample demonstrates the usage of UltraESB to secure services with HTTP Basic and Digest authentication

Use Case

I have a proxy service developed with the UltraESB, and now I want to enforce Transport Level Security (TLS) on this service, which is exposed over HTTP. The service needs to be password protected using HTTP Basic or Digest authentication. The user information also needs to be extracted in the service for processing in the mediation logic.

The transport provides the security for the proxy service, so the service itself can be implemented independently of it. However, the mediation logic can also retrieve the user information from the authenticated request, which is what this sample demonstrates.

Sample Configuration

The TLS configuration is done purely on the transport layer, and the mediation API gives access to the request authentication information in the mediation layer. The HTTP transport configuration for TLS is as follows:

HTTP transport configuration for TLS

<bean id="http-8280" class="org.adroitlogic.ultraesb.transport.http.HttpNIOListener">
  <constructor-arg ref="fileCache"/>
  <property name="port" value="8280"/>
  <property name="requestFilters">
    <list>
      <!--<bean class="org.adroitlogic.ultraesb.transport.http.auth.BasicAuthenticationFilter">
        <property name="realmName" value="adroitlogic"/>
      </bean>-->
      <bean class="org.adroitlogic.ultraesb.transport.http.auth.DigestProcessingFilter">
        <property name="realmName" value="adroitlogic"/>
        <property name="userDetailsService" ref="plain-user-service"/>
      </bean>
    </list>
  </property>
</bean>

Basic or Digest authentication is enforced as a request filter on the transport listener. Note that this configuration uses Digest authentication, while the Basic authentication filter is commented out. The credentials used for authentication are picked up from the standard Spring Security configuration fragment shown below:

Spring authentication manager configuration for the TLS

<s:authentication-manager alias="authenticationManager">
  <s:authentication-provider>
    <!--<s:password-encoder hash="md5"/>
    <s:user-service>
      <s:user name="asankha" password="abac6d7582d9ab52c629f7490fd3eb2f" authorities="ROLE_ADMIN, ROLE_USER"/>
    </s:user-service>-->
    <s:user-service id="plain-user-service">
      <s:user name="asankha" password="adroitlogic" authorities="ROLE_USER, ROLE_MANAGER"/>
    </s:user-service>
  </s:authentication-provider>
</s:authentication-manager>

Note that when using Digest authentication, the authentication provider must store the user's password itself (the commented-out md5 password encoder cannot be used with it), whereas for Basic authentication a hash of the password is sufficient.
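Why the two filters need different things from the user store, shown as an added Python example that is not part of the UltraESB sample or its filter code: the server recomputes the Digest response from HA1 = MD5(username:realm:password), so an MD5 of the password alone is useless to it, while Basic delivers the password itself and a stored hash suffices. The realm, user, password and URI are those of this sample; the nonces and the header builder/verifier are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample values. Realm, user, password, method and request URI match
# the sample configuration on this page; the nonces are made up for illustration.
REALM, USER, PASSWORD = "adroitlogic", "asankha", "adroitlogic"
METHOD, URI = "GET", "/service/rest-mock?a=1&b=2"
NONCE, CNONCE, NC, QOP = "5f1a9c3e0b7d4e2a", "8c4d2f1a", "00000001", "auth"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    # HA1 can only be derived from the cleartext password (or a stored HA1 itself),
    # never from a plain one-way hash of the password.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(user, password):
    """Authorization header a client such as the SOA Toolbox sends after the 401."""
    resp = digest_response(user, REALM, password, METHOD, URI, NONCE, NC, CNONCE, QOP)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", uri="{URI}", '
            f'qop={QOP}, nc={NC}, cnonce="{CNONCE}", response="{resp}"')


def parse_authorization(header):
    """Split the Digest header into its key/value parameters (quoted or bare)."""
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', header[len("Digest "):])
    return {k: v.strip('"') for k, v in pairs}


def server_verify_digest(header, stored_secret, method):
    """Server side: recompute the response from what the user store holds.
    With an MD5-only store this always fails, which is why the Digest filter
    is wired to the plain-user-service rather than the md5-encoded variant."""
    p = parse_authorization(header)
    expected = digest_response(p["username"], p["realm"], stored_secret, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    return hmac.compare_digest(expected, p["response"])


def server_verify_basic(presented_password, stored_md5):
    """Basic auth delivers the password itself, so a stored hash is enough."""
    return hmac.compare_digest(md5_hex(presented_password), stored_md5)
```

Running `server_verify_digest` with `md5_hex(PASSWORD)` as the stored secret returns False for a valid header, while `server_verify_basic` with the same hash returns True.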

Note
Any passwords that must be stored in the UltraESB configuration file could separately be encrypted using Jasypt. See Securing Configurations for more information on using Jasypt to encrypt UltraESB configuration fragments.

The proxy service used in the example is a simple mock service that, on successful authentication, echoes the requesting user's name and roles along with other request information.

Proxy service configuration to extract the user credentials in the mediation

<u:proxy id="rest-mock">
  <u:transport id="http-8280"/>
  <u:target>
    <u:inSequence>
      <u:java import="org.adroitlogic.ultraesb.api.transport.http.HttpConstants;"><![CDATA[
          System.out.println("User is : " + msg.getMessageProperty(HttpConstants.USERNAME));
          System.out.println("Roles are : " + msg.getMessageProperty(HttpConstants.USERROLES));
          Message res = msg.createDefaultResponseMessage();
          mediation.setPayloadFromString(res,
              "<response>" +
              "<user>" + msg.getMessageProperty(HttpConstants.USERNAME) + "</user>" +
              "<roles>" + msg.getMessageProperty(HttpConstants.USERROLES) + "</roles>" +
              "<method>" + msg.getMessageProperty(HttpConstants.METHOD) + "</method>" +
              "<uri>" + msg.getDestinationURL() + "</uri>" +
              "<query>" + msg.getMessageProperty(HttpConstants.QUERY_PARAM_MAP) + "</query>" +
              "</response>");
          mediation.sendResponse(res, 200);
      ]]></u:java>
    </u:inSequence>
  </u:target>
</u:proxy>

Note the Java fragment in the in-sequence, which reads the authenticated user's name and roles from the incoming request (the USERNAME and USERROLES message properties) and echoes them back to the client in the mock service's response.

In Action

To run the example, start the UltraESB sample configuration 103 via the ToolBox or on the command line as follows.

Running the sample

$ cd /opt/ultraesb-2.6.1/bin
$ ./ultraesb.sh -sample 103

Issue a request to the URL http://localhost:8280/service/rest-mock?a=1&b=2 from the SOA Toolbox HTTP/S client using Digest authentication, as shown below:

[Figure: SOA Toolbox HTTP/S client configured for Digest authentication]

When using the SOA Toolbox HTTP/S client:

  1. Specify the service address with the query parameters in the URL

  2. Select the HTTP method to be GET

  3. Select "Authentication" to enter the authentication details

  4. Check "Digest" to be the authentication mechanism

  5. Specify the username as "asankha"

  6. Specify the password as "adroitlogic"

Click on the "Send" button to invoke this sample and observe the response.

You can also use a web browser to send this request by typing the above URL into the address bar. In that case the browser will show its authentication prompt, in which you need to enter "asankha" and "adroitlogic" as the username and password respectively, as follows:

[Figure: browser "Authentication required" prompt]

The mock service returns the following response after successful authentication:

Response body from the mock service

<response>
  <user>asankha</user>
  <roles>[ROLE_MANAGER, ROLE_USER]</roles>
  <method>GET</method>
  <uri>/service/rest-mock?a=1&b=2</uri>
  <query>{b=2, a=1}</query>
</response>

This demonstrates the use of UltraESB to secure any proxy service with TLS using HTTP Digest authentication. Switching the sample to Basic authentication is just a matter of commenting out the Digest authentication filter and un-commenting the Basic authentication filter in the transport configuration.

Related Samples

Sample Number   Sample Title
110             HTTP Basic, Digest, NTLM and AWS S3 Authentication
204             WS-Security Gateway
