Can Integration Server ignore 'bad' authentication?

When IS handles a request, it first checks authentication and rejects the request if authentication is invalid. This is true even if the IS service being invoked is set to use the Anonymous ACL.

In the example below, SomeAnonymousService uses the Anonymous ACL. But incorrect HTTP Basic Authentication is presented (wrong/wrong). So IS kills the request and returns 401/Invalid Credentials.

$ curl -X POST http://<IS>:5555/invoke/SomeAnonymousService -u wrong:wrong -d '<cXML><Request/></cXML>' --verbose
...
> Authorization: Basic d3Jvbmc6d3Jvbmc=
...
< HTTP/1.1 401 [ISS.0084.9001] Invalid credentials

Is there a way to convince IS to ignore ‘bad’ authentication? This is for a service which must always run, so that it can send back a formatted XML document.

Basically, this is to make an IS service behave similar to this Ariba.com service.

$ curl -X POST https://service.ariba.com/service/transaction/cxml.asp -u wrong:wrong -d '<cXML><Request/></cXML>'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cXML SYSTEM "cXML.dtd">
<cXML timestamp="2021-09-01T00:44:22-07:00" payloadID="1630482262501-2228299194814794657@10.162.97.208">
    <Response>
        <Status code="406" text="Not Acceptable">The document could not be parsed: Premature end of document while looking for credentials [ANCLS-125040007]</Status>
    </Response>
</cXML>

If IS overlooks an invalid credentials issue, it’s a security hole - I’m not aware of any such feature for this and I don’t think this will be provided even if you request this feature.

I won’t recommend Anonymous ACL either, unless you absolutely must have it and the environment is fully closed.

KM


Hi Sonam,
As Kasi mentioned, it’s not a good idea to globally ignore invalid credentials. You could, however, add a custom JAAS login module to Integration Server; in your module, you can make authentication succeed and return a default user. This will make sure that the request gets routed to your service, and in your service you could compose and send the XML reply back.

For more information about adding custom JAAS login module to Integration Server, refer to the IS Administrators Guide.

Regards,
-Senthil


Hi Sonam,

For the case where you need anonymous access to your service, there shouldn’t be any credentials in the request.
When there are credentials in the request, I agree with Kasi and Senthil that they should be either correct or that the IS rejects the request with “Invalid Credentials” for security reasons.

Regards,
Holger

Thanks @Senthil – yes, the ‘custom JAAS login module to Integration Server’ seems to be just what I’d need to fulfill this requirement.

Thanks @Holger_von_Thomsen and @Venkata_Kasi_Viswanath_Mugada1 – good points all, and I agree ignoring bad credentials is bad practice. But I intend only for IS to ignore credentials – I still intend authenticating at the service code level.

This approach is needed since IS’s default HTTP 401 doesn’t cut it. I’m told the Ariba cXML protocol requires a fully-formatted XML response under all conditions, including failed authentication. So the IS service code needs to execute, regardless of credentials, if only to send back XML similar to this:

$ curl -X POST http://<IS>:5555/invoke/SomeAnonymousService -u wrong:wrong -d '<cXML>...' --verbose
...
> Authorization: Basic d3Jvbmc6d3Jvbmc=
...
< HTTP/1.1 200/OK
...
<cXML timestamp="2021-09-01T00:44:22-07:00" payloadID="1630482262501-2228299194814794657@10.162.97.208">
    <Response>
        <Status code="401" text="Access Denied">Bad credentials...
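One way to implement the service-level check described above, as an added Python example (not code from this thread or from Integration Server): the service always runs and always answers with a well-formed cXML Response, returning 406 when the document cannot be parsed or carries no credentials (as Ariba did), 401 on bad credentials and 200 on good ones. It assumes a constructed shared-secret store and the cXML Header/Sender/Credential layout for in-document credentials; an HTTP Basic Authorization header, when present, is checked the same way.

```python
import base64
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Constructed credential store (identity -> shared secret); a real service would look these up.
SHARED_SECRETS = {"AN01000000001": "correct-horse"}

def basic_header(user, secret):
    """Build the HTTP Basic Authorization header value that curl -u sends."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

def cxml_response(code, text, detail=""):
    """Every outcome, success or failure, is a well-formed cXML Response document."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+00:00")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE cXML SYSTEM "cXML.dtd">\n'
            f'<cXML timestamp="{stamp}" payloadID="{uuid.uuid4()}@example.invalid"><Response>'
            f'<Status code="{code}" text="{escape(text)}">{escape(detail)}</Status></Response></cXML>')

def credentials_from(authorization, root):
    """Credentials come from the Basic header if present, else from the cXML Sender element."""
    if authorization and authorization.startswith("Basic "):
        try:
            user, _, secret = base64.b64decode(authorization[6:], validate=True).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes: no usable credentials
            return None
        return user, secret
    identity = root.findtext("Header/Sender/Credential/Identity")
    secret = root.findtext("Header/Sender/Credential/SharedSecret")
    return None if identity is None or secret is None else (identity, secret)

def handle_cxml(authorization, body):
    """Service-level authentication: the service always runs and always answers in cXML."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return cxml_response(406, "Not Acceptable", f"The document could not be parsed: {exc}")
    creds = credentials_from(authorization, root)
    if creds is None:
        return cxml_response(406, "Not Acceptable", "Premature end of document while looking for credentials")
    identity, secret = creds
    expected = SHARED_SECRETS.get(identity, "")
    # Constant-time compare; an unknown identity fails exactly like a wrong secret.
    if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
        return cxml_response(401, "Access Denied", "Bad credentials")
    return cxml_response(200, "OK")
```

In an IS deployment this logic would sit inside the service behind the Anonymous ACL (with a login module letting the request through), so the caller gets the cXML status document instead of the IS-level 401.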

We all agree if the credentials are bad, the call should be rejected. But this rejection occurs even when the credentials are good. For Anonymous ACL services, credentials are not necessary but, when valid and present, should be allowed – but IS rejects those too.

My reply was for the original post where incorrect credentials were used, for a deliberate test.

Now, IS does throw an error even for valid credentials, but only if the source application doesn’t use pre-emptive authentication. However, the request is still handled, but an error is logged for the first auth try. You can test this out via SOAP UI, which has this setting. Perhaps this resolves the issue you highlight, Rob.

If it’s not about pre-emptive auth, then I haven’t come across this issue. I will test it out.

KM

I checked this again. Apparently I misinterpreted something. It is behaving as expected. Sorry for the distraction.

@reamon - No distraction at all, thanks for checking this out Rob.

Mostly, I’m delighted to see you after many years. :slight_smile: I trust you have been well.

Good to see you in the forums again – always fun to see familiar names! :grinning:
