[#XMLRPC-102] Basic username and password don't get sent to the Servlet

XML-RPC

Basic username and password don't get sent to the Servlet

Created: 12/Aug/06 02:37 AM Updated: 05/Oct/06 09:02 PM

Return to search

Component/s:

Source

Affects Version/s:

3.0rc1

Fix Version/s:

None

Time Tracking:

Not Specified

Environment:

Tested issue on Ubutu Linux Dapper Drake x86 and OS X 10.4.7 on a MacBook Pro

Issue Links:

Duplicate

This issue duplicates:

~~XMLRPC-104~~ org.apache.xmlrpc.util.HttpUtil.parseAuthorization passes null charset to String(byte[] bytes, String charsetName);

Resolution Date:

18/Aug/06 07:15 PM

Description

« Hide

Username and password authentication are not working with the WebServer class. An example is to extend PropertyHandlerMapping.AuthenticationHandler and implement (here is just an example) the following method:

public boolean isAuthorized(XmlRpcRequest pRequest)
{
    if (pRequest.getConfig() instanceof RequestData)
    {
        RequestData data = (RequestData) pRequest.getConfig();
        System.out.println("username = "+data.getBasicUserName());
        System.out.println("password = "+data.getBasicPassword());
    }
}

This class is then instantiated and set as the authentication handler in the WebServer's PropertyHandlerMapping when the WebServer is created and started. Then, on the client side, I set the username and password in the configuration as seen below:

XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
config.setServerUrl("http://127.0.0.1:8080/xmlrpc");
config.setBasicUserName("adst-test");
config.setBasicPassword("adst-test#@!");
XmlRpcClient client = new XmlRpcClient();
client.setConfig(config);
Object[] params = new Object[]{new Integer(1), new HashMap()};
Map result = (Map) client.execute("AssignmentService.getAssignees", params);

The remote method call executes successfully, however, the System.out statements always reveals the following on the server:

username = null
password = null

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

[ Permlink | « Hide ]

Dave Pederson added a comment - 14/Aug/06 08:07 PM

I have found that the issue in question occurs in the HttpUtils.parseAuthorization method. The problem is that it never parses the encoded information which needs to be set in the configuration object passed. I have found a work-around if anyone is interested (you basically implement your own parseAuthorization method):

Create two sub-classes. One that extends XmlRpcHttpRequestConfigImpl and another that extends XmlRpcServlet. Here an example of a class that extends XmlRpcHttpRequestConfigImpl:

import javax.servlet.http.HttpServletRequest;
import org.apache.ws.commons.util.Base64;
import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;

public class MyHttpRqstConfig extends XmlRpcHttpRequestConfigImpl
{
    public MyHttpRqstConfig(HttpServletRequest request)
    {
        setConfig(request);
    }

    private void setConfig(HttpServletRequest request)
    {
        parseAuthorization(request.getHeader("Authorization"));
    }

    private void parseAuthorization(String encoded)
    {
        if (encoded == null)
        {
            return;
        }
        int index = encoded.indexOf(' ');
        if (index < 0)
        {
            return;
        }
        index++;
        String auth = encoded.substring(index, encoded.length());
        try
        {
            byte[] decoded = Base64.decode(auth.toCharArray(), 0, auth.length());
            String str = new String(decoded);
            int col = str.indexOf(':');
            if (col >= 0)
            {
                String username = str.substring(0, col);
                super.setBasicUserName(username);
                String password = str.substring(col+1);
                super.setBasicPassword(password);
            }
        }
        catch (Throwable ignore) {}
    }
}

Then, override the following method in your servlet implementation:

protected XmlRpcServletServer newXmlRpcServer(ServletConfig pConfig) throws XmlRpcException
{
    return new XmlRpcServletServer()
    {
        protected XmlRpcHttpRequestConfigImpl newConfig(HttpServletRequest request)
        {
            return new MyHttpRqstConfig(request);
        }
    };
}

Now you can access the username and password from your AuthenticationHandler class

public boolean isAuthorized(XmlRpcRequest request)
{
    MyHttpRqstConfig config = (MyHttpRqstConfig) request.getConfig();
    return "foo".equals(config.getBasicUserName()) && "bar".equals(config.getBasicPassword());
}

I have tested the above concepts from running a custom XmlRpcServlet within the ServletWebServer class and from within a Tomcat servlet container. Hope this helps someone.

[ Show » ]

Dave Pederson added a comment - 14/Aug/06 08:07 PM I have found that the issue in question occurs in the HttpUtils.parseAuthorization method. The problem is that it never parses the encoded information which needs to be set in the configuration object passed. I have found a work-around if anyone is interested (you basically implement your own parseAuthorization method): Create two sub-classes. One that extends XmlRpcHttpRequestConfigImpl and another that extends XmlRpcServlet. Here an example of a class that extends XmlRpcHttpRequestConfigImpl: import javax.servlet.http.HttpServletRequest; import org.apache.ws.commons.util.Base64; import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl; public class MyHttpRqstConfig extends XmlRpcHttpRequestConfigImpl { public MyHttpRqstConfig(HttpServletRequest request) { setConfig(request); } private void setConfig(HttpServletRequest request) { parseAuthorization(request.getHeader("Authorization")); } private void parseAuthorization(String encoded) { if (encoded == null) { return; } int index = encoded.indexOf(' '); if (index < 0) { return; } index++; String auth = encoded.substring(index, encoded.length()); try { byte[] decoded = Base64.decode(auth.toCharArray(), 0, auth.length()); String str = new String(decoded); int col = str.indexOf(':'); if (col >= 0) { String username = str.substring(0, col); super.setBasicUserName(username); String password = str.substring(col+1); super.setBasicPassword(password); } } catch (Throwable ignore) {} } } Then, override the following method in your servlet implementation: protected XmlRpcServletServer newXmlRpcServer(ServletConfig pConfig) throws XmlRpcException { return new XmlRpcServletServer() { protected XmlRpcHttpRequestConfigImpl newConfig(HttpServletRequest request) { return new MyHttpRqstConfig(request); } }; } Now you can access the username and password from your AuthenticationHandler class public boolean isAuthorized(XmlRpcRequest request) { MyHttpRqstConfig config = (MyHttpRqstConfig) request.getConfig(); return "foo".equals(config.getBasicUserName()) && "bar".equals(config.getBasicPassword()); } I have tested the above concepts from running a custom XmlRpcServlet within the ServletWebServer class and from within a Tomcat servlet container. Hope this helps someone.

[ Permlink | « Hide ]

Jochen Wiedmann added a comment - 18/Aug/06 07:14 PM

Having worked on the Authorization issues yesterday, I presume that this bug is in fact a duplicate of ~~XMLRPC-104~~. In other words, the missing credentials are caused by the NullPointerException in HttpUtils.parseAuthorization().

Jochen Wiedmann made changes - 18/Aug/06 07:15 PM

Field	Original Value	New Value
Link		This issue duplicates ~~XMLRPC-104~~ [ ~~XMLRPC-104~~ ]

Jochen Wiedmann made changes - 18/Aug/06 07:15 PM

Assignee		Jochen Wiedmann [ jochen@apache.org ]
Resolution		Duplicate [ 3 ]
Status	Open [ 1 ]	Resolved [ 5 ]

Jochen Wiedmann made changes - 05/Oct/06 09:02 PM

Status

Resolved [ 5 ]

Closed [ 6 ]