Issue Details (XML | Word | Printable)

Key: XMLRPC-102
Type: Bug Bug
Status: Closed Closed
Resolution: Duplicate
Priority: Minor Minor
Assignee: Jochen Wiedmann
Reporter: Dave Pederson
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
XML-RPC

Basic username and password don't get sent to the Servlet

Created: 12/Aug/06 02:37 AM   Updated: 05/Oct/06 09:02 PM
Component/s: Source
Affects Version/s: 3.0rc1
Fix Version/s: None

Time Tracking:
Not Specified

Environment: Tested issue on Ubutu Linux Dapper Drake x86 and OS X 10.4.7 on a MacBook Pro
Issue Links:
Duplicate
 

Resolution Date: 18/Aug/06 07:15 PM


 Description  « Hide
Username and password authentication are not working with the WebServer class. An example is to extend PropertyHandlerMapping.AuthenticationHandler and implement (here is just an example) the following method:

public boolean isAuthorized(XmlRpcRequest pRequest)
{
    if (pRequest.getConfig() instanceof RequestData)
    {
        RequestData data = (RequestData) pRequest.getConfig();
        System.out.println("username = "+data.getBasicUserName());
        System.out.println("password = "+data.getBasicPassword());
    }
}

This class is then instantiated and set as the authentication handler in the WebServer's PropertyHandlerMapping when the WebServer is created and started. Then, on the client side, I set the username and password in the configuration as seen below:

XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
config.setServerUrl("http://127.0.0.1:8080/xmlrpc");
config.setBasicUserName("adst-test");
config.setBasicPassword("adst-test#@!");
XmlRpcClient client = new XmlRpcClient();
client.setConfig(config);
Object[] params = new Object[]{new Integer(1), new HashMap()};
Map result = (Map) client.execute("AssignmentService.getAssignees", params);

The remote method call executes successfully, however, the System.out statements always reveals the following on the server:

username = null
password = null

 All   Comments   Work Log   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Dave Pederson added a comment - 14/Aug/06 08:07 PM
I have found that the issue in question occurs in the HttpUtils.parseAuthorization method. The problem is that it never parses the encoded information which needs to be set in the configuration object passed. I have found a work-around if anyone is interested (you basically implement your own parseAuthorization method):

Create two sub-classes. One that extends XmlRpcHttpRequestConfigImpl and another that extends XmlRpcServlet. Here an example of a class that extends XmlRpcHttpRequestConfigImpl:

import javax.servlet.http.HttpServletRequest;
import org.apache.ws.commons.util.Base64;
import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;

public class MyHttpRqstConfig extends XmlRpcHttpRequestConfigImpl
{
    public MyHttpRqstConfig(HttpServletRequest request)
    {
        setConfig(request);
    }
    
    private void setConfig(HttpServletRequest request)
    {
        parseAuthorization(request.getHeader("Authorization"));
    }

    private void parseAuthorization(String encoded)
    {
        if (encoded == null)
        {
            return;
        }
        int index = encoded.indexOf(' ');
        if (index < 0)
        {
            return;
        }
        index++;
        String auth = encoded.substring(index, encoded.length());
        try
        {
            byte[] decoded = Base64.decode(auth.toCharArray(), 0, auth.length());
            String str = new String(decoded);
            int col = str.indexOf(':');
            if (col >= 0)
            {
                String username = str.substring(0, col);
                super.setBasicUserName(username);
                String password = str.substring(col+1);
                super.setBasicPassword(password);
            }
        }
        catch (Throwable ignore) {}
    }
}

Then, override the following method in your servlet implementation:

protected XmlRpcServletServer newXmlRpcServer(ServletConfig pConfig) throws XmlRpcException
{
    return new XmlRpcServletServer()
    {
        protected XmlRpcHttpRequestConfigImpl newConfig(HttpServletRequest request)
        {
            return new MyHttpRqstConfig(request);
        }
    };
}

Now you can access the username and password from your AuthenticationHandler class

public boolean isAuthorized(XmlRpcRequest request)
{
    MyHttpRqstConfig config = (MyHttpRqstConfig) request.getConfig();
    return "foo".equals(config.getBasicUserName()) && "bar".equals(config.getBasicPassword());
}

I have tested the above concepts from running a custom XmlRpcServlet within the ServletWebServer class and from within a Tomcat servlet container. Hope this helps someone.

[ Permlink | « Hide ]
Jochen Wiedmann added a comment - 18/Aug/06 07:14 PM
Having worked on the Authorization issues yesterday, I presume that this bug is in fact a duplicate of XMLRPC-104. In other words, the missing credentials are caused by the NullPointerException in HttpUtils.parseAuthorization().
Powered by a free Atlassian JIRA open source license for Apache Software Foundation. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators