I have a group called “MyUsers” and I have a service MyService that only allows “MyUsers” to access. I am trying to use [url]http://myServer:5555/invoke/MyFolder:MyService[/url] to vall MyService. But it always pops-up a window asking for user name and password (because it is not anonymously accessable). If I type in a valid uname/password who is a member of “MyUsers”, it works well. I am wondering if there is a way to send that uname/password directly so that the pop-up will disappear.
I tried to use http://Administrator:manage@localhost:5555/invoke/Test:TestService
and the browser is busy infinitely(blank page, with the window logo spinning and hourglass mouse pointer if I put the pointer on the title bar). I also tried http://Administrator:manage@localhost:5555 and got the same result. Do I need to do some settings to enable something?
RMG and Sherman - Avoid this practise as it is insecure and Microsoft is considering removing support for such URLs from IE:
[url=“Microsoft Support”]Microsoft Support
Also see:
[url=“Bugtraq”]Bugtraq
It’s easy to make mistakes with this - I remember once getting a internal transaction report forwarded by an external partner with his username/passwords embedded in the report’s URLs – a security hole.
Instead, consider setting the service to the ‘Anonymous’ ACL. (You will need to set the ACL manually on all servers with this package). This means anyone can invoke the service with no password. If that is not feasible, just get your user’s to use the browser’s password manager, or you can consider client side (browser) certificates.
My client is using .Net as the posting HTTPS client. There is a class called webRequest which can wrap up the uname/password in an authentication header. I will do some experiment and post the result.
If this can work, then we can pass the password over SSL since my server is an HTTPS server.
By the way, nice article about WMTN Receive, Sonam. If you are in US and providing consulting service, I would pay $250 per hour to have you on site.
Sherman - Thanks for the complements and glad to know something I wrote helped. However, I work full time for Corporate Express Australia - other side of the world.
its correct to add the service as a anonymous ACL. but what if i want to invoke service with some particular userid passwd. and i dont want the popup window or any login window. is it not possible in wM to call service and pass the userid passwd also as a part of the query string?
any help will be appreciated
If so set up an ACL for that particular user who ever wants to invoke the service.This can be accomplished using the IS/Admin webpage Security/ACLs page.
ok…but still i need to login into the IS right? and while logging in i will get that pop up window that i want to avoid. i want to invoke the service from say a batch program which will let me login into IS and invoke the service also. something like
[url]http://localhost:5555/invoke/package.folder:service?username=Administrator&password=manage[/url]
but alas this does not work!!!
Thanks for replying
We have done quite a bit of work on this. What I would suggest is that you pass the user name and password as cookies (provided you are in the same domain and of course encrypted). Then use the webMethods tomcat form logon. Within the form you can retrieve the cookies and set it to user name and password and do an auto-submit. Then the user will be logged onto to the webMethods IS, with the user and password. Even though this may sound complicated (and believe me it is), we could not find a simpler way to bypass the popup. If any of you have a simpler solution please let me know.
As I wrote earlier in this thread, X.509 would the most “correct” solution. But your solution is quite an innovative.
Some suggestions: to avoid storing the username and password on the user’s machine, one can associate a random cookie with the username and password on the server(perhaps using the repo). This could then be looked up when the cookie is presented, and then the auto login can be completed. Storing the password in cleartext in the repo is still a hack but is required since there is no easy way to retrive the user’s password on the server. At least the credentials get on the server side now.
Also, it should be possible to avoid Tomcat… the archives should have a Java snippet that sends back arbitrary HTTP response headers – you can use it to send a Set-Cookie header. The service pub.flow:getTransportInfo will let you read the cookie headers from Flow.
Example cookies: #response HTTP header used to set cookie on client
Set-Cookie: mycookie=random123; path=/; #Subsequent client request header containing cookie
Cookie: mycookie=random123
Maybe a small java client can be an option? Just use the class com.wm.app.b2b.client.Context to create a connection to the server and invoke the service you want:
Hello all,
we are making some performance tests and we experienced that the IS server is working much faster when the ACL list setting for the service is Anonymous and we don’t send the authentication header in the HTTP call to the service (server:port/invoke/servicename).
Does anyone experienced the same effect?
I’d like to know if for performance reason can be reasonable to consider to open the server to all the calls and consider other security tools (firewall or port settings).
Hi,
I have a “myfile.wsdl” file which I am able to access using [url]http://localhost:5555/Wmroot/myfile.wsdl[/url] after I type in the username password in the pop-up window. This pop up I am not able to bypass. If I use http://Administrator:manage@localhost:5555/Wmroot/myfile.wsdl I have the same problem as Sherman said in the start of this thread “The browser is busy infinitely(blank page, with the window logo spinning and hourglass mouse pointer if I put the pointer on the title bar).”
Sherman, did u find a solution for this? I am not invoking any service, just accessign my wsdl file using http.
Best regards,
RD