When IS handles a request, it first checks authentication and rejects the request if authentication is invalid. This is true even if the IS service being invoked is set to use the Anonymous ACL.
In the example below, SomeAnonymousService uses the Anonymous ACL. But incorrect HTTP Basic Authentication is presented (wrong/wrong). So IS kills the request and returns 401/Invalid Credentials.
Is there a way to convince IS to ignore "bad" authentication? This is for a service which must always run, so that it can send back a formatted XML document.
Basically, this is to make an IS service behave similar to this Ariba.com service.
$ curl -X POST https://service.ariba.com/service/transaction/cxml.asp -u wrong:wrong -d '<cXML><Request/></cXML>'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cXML SYSTEM "cXML.dtd">
<cXML timestamp="2021-09-01T00:44:22-07:00" payloadID="1630482262501-2228299194814794657@10.162.97.208">
<Response>
<Status code="406" text="Not Acceptable">The document could not be parsed: Premature end of document while looking for credentials [ANCLS-125040007]</Status>
</Response>
</cXML>
If IS overlooks an invalid credentials issue, it's a security hole - I'm not aware of any such feature for this and I don't think this will be provided even if you request this feature.
I won't recommend Anonymous ACL either, unless you absolutely must have it and the environment is fully closed.
Hi Sonam,
As Kasi mentioned, it's not a good idea to globally ignore invalid credentials. You could, however, add a custom JAAS login module to Integration Server, and in your module you can make authentication succeed and return the Default user. This will make sure that the request gets routed to your service, and in your service you could compose and send the XML reply back.
For more information about adding custom JAAS login module to Integration Server, refer to the IS Administrators Guide.
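As an added example (not code from this thread and not Software AG's own code), here is a minimal JAAS LoginModule of the kind described above: it never rejects a request, and on commit it binds a fixed fallback principal to the Subject so the request is routed on to the target service. The class name, the module option `fallbackUser`, the `FallbackUserPrincipal` type and the user name `Default` are assumptions for illustration; the Principal class Integration Server expects for its user identity may differ, so check the IS Administrator's Guide before wiring it in.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Added example, not from the thread or from Software AG: a JAAS LoginModule
 * that never fails. login() always returns true and commit() attaches a fixed
 * fallback principal, so the container treats every request as authenticated,
 * whether it carries wrong:wrong, valid credentials, or none at all.
 *
 * Assumptions (not stated on the page): the module is listed first in the
 * relevant login context of the server's JAAS configuration; the fallback user
 * name must match a user that exists in the server and is allowed by the target
 * service's ACL; the Principal type the server actually reads may differ from
 * the plain Principal used here.
 */
public class AlwaysSucceedLoginModule implements LoginModule {

    /** Simple Principal carrying the fallback user name (assumed type). */
    public static final class FallbackUserPrincipal implements Principal {
        private final String name;
        public FallbackUserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "FallbackUserPrincipal[" + name + "]"; }
        @Override public boolean equals(Object o) {
            return o instanceof FallbackUserPrincipal
                && ((FallbackUserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private static final String DEFAULT_USER = "Default";

    private Subject subject;
    private String fallbackUser;
    private Principal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // Optional module option in the JAAS config entry: fallbackUser="Default"
        Object configured = options.get("fallbackUser");
        this.fallbackUser = configured != null ? configured.toString() : DEFAULT_USER;
    }

    @Override
    public boolean login() throws LoginException {
        // Deliberately ignore whatever credentials were presented: the callback
        // handler is never invoked, so bad, good and absent credentials are all
        // treated identically. Credential checking must therefore happen in the
        // service code that this module lets the request reach.
        principal = new FallbackUserPrincipal(fallbackUser);
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (principal == null) {
            return false;
        }
        if (!subject.getPrincipals().contains(principal)) {
            subject.getPrincipals().add(principal);
        }
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        principal = null;
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

Two practical points follow from how JAAS stacks modules. First, once this module runs first in a login context and returns true, the transport layer accepts wrong:wrong for every service that context covers, not only the one cXML endpoint; scoping the context or port it applies to is part of the design, not an afterthought. Second, the service itself must then verify the presented credentials (for example by reading the Authorization header) before doing anything beyond returning the cXML error document, which is exactly the concern raised about globally ignoring invalid credentials.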
For the case where you need anonymous access to your service, there shouldn't be any credentials in the request.
When there are credentials in the request, I agree with Kasi and Senthil that they should either be correct or that the IS rejects the request with "Invalid Credentials" for security reasons.
Thanks @Senthil - yes, the "custom JAAS login module to Integration Server" seems to be just what I'd need to fulfil this requirement.
Thanks @Holger_von_Thomsen and @Venkata_Kasi_Viswanath_Mugada1 - good points all, and I agree ignoring bad credentials is bad practice. But I intend only for IS to ignore credentials - I still intend to authenticate at the service code level.
This approach is needed since IS's default HTTP 401 doesn't cut it. I'm told the Ariba cXML protocol requires a fully-formatted XML response under all conditions, including failed authentication. So the IS service code needs to execute, regardless of credentials, if only to send back XML similar to this:
We all agree that if the credentials are bad, the call should be rejected. But this rejection occurs even when the credentials are good. For Anonymous ACL services, credentials are not necessary, but when valid and present they should be allowed - yet IS rejects those too.
My reply was for the original post where incorrect credentials were used, for a deliberate test.
Now, IS does throw an error even for valid credentials, but only if the source application doesn't use pre-emptive authentication. However, the request is still handled, but an error is logged for the first auth try. You can test this out via SOAP UI, which has this setting. Perhaps this resolves the issue you highlight, Rob.
If it's not about pre-emptive auth, then I haven't come across this issue. I will test it out.