How to pass IS user name and password via HTTP

I have a group called “MyUsers” and I have a service MyService that only allows “MyUsers” to access. I am trying to use http://myServer:5555/invoke/MyFolder:MyService to call MyService. But it always pops up a window asking for user name and password (because it is not anonymously accessible). If I type in a valid uname/password who is a member of “MyUsers”, it works well. I am wondering if there is a way to send that uname/password directly so that the pop-up will disappear.

Thanks!

Pls use this URL syntax via http to invoke a service:

http://username:password@myServer:5555/invoke/MyFolder:MyService.

HTH,

Thanks for the reply!

I tried to use
http://Administrator:manage@localhost:5555/invoke/Test:TestService
and the browser is busy infinitely (blank page, with the window logo spinning and hourglass mouse pointer if I put the pointer on the title bar). I also tried http://Administrator:manage@localhost:5555 and got the same result. Do I need to do some settings to enable something?

Thanks again!

Sherman

I believe there are no extra settings required.

Have you tried using a normal username which has Administrator ACL rights, instead of the Administrator a/c?

> Pls use this URL syntax via http to invoke a service:
>
> http://username:password@myServer:5555/invoke/MyFolder:MyService.

RMG and Sherman - Avoid this practice as it is insecure and Microsoft is considering removing support for such URLs from IE:
Microsoft Support
Also see:
Bugtraq
It’s easy to make mistakes with this - I remember once getting an internal transaction report forwarded by an external partner with his username/passwords embedded in the report’s URLs – a security hole.

Instead, consider setting the service to the ‘Anonymous’ ACL. (You will need to set the ACL manually on all servers with this package). This means anyone can invoke the service with no password. If that is not feasible, just get your users to use the browser’s password manager, or you can consider client side (browser) certificates.

Sonam,
I totally agree with you.

Because Sherman wants the URL syntax with user/pwd, I replied with it.

Regards,

Thanks for all your replies!

My client is using .Net as the posting HTTPS client. There is a class called webRequest which can wrap up the uname/password in an authentication header. I will do some experiments and post the result.

If this can work, then we can pass the password over SSL since my server is an HTTPS server.

By the way, nice article about WMTN Receive, Sonam. If you are in US and providing consulting service, I would pay $250 per hour to have you on site.

I am a registered user now.

RMG - good to know we agree man.

Sherman - Thanks for the compliments and glad to know something I wrote helped. However, I work full time for Corporate Express Australia - other side of the world.

Sonam,

It's correct to add the service as an anonymous ACL. But what if I want to invoke the service with some particular userid/passwd, and I don't want the popup window or any login window? Is it not possible in wM to call a service and pass the userid and passwd as part of the query string?
Any help will be appreciated.

Deepak,

If so, set up an ACL for that particular user, whoever wants to invoke the service. This can be accomplished using the IS/Admin webpage Security/ACLs page.

HTH,

RMG,

OK… but I still need to log in to the IS, right? And while logging in I will get that pop-up window that I want to avoid. I want to invoke the service from, say, a batch program which will let me log in to IS and invoke the service also. Something like
http://localhost:5555/invoke/package.folder:service?username=Administrator&password=manage
but alas this does not work!!!
Thanks for replying

Guys - why not use http basic auth as a way to pass user credentials?
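HTTP basic auth from a batch client, as an added example that is not part of the original thread: the credentials travel in an `Authorization` header instead of the URL, plaintext HTTP is refused by default, and a helper masks `user:password@` in URLs that end up in reports or logs. The function names and the sample account are constructed for illustration.

```python
import base64
import re
import urllib.request
from urllib.parse import urlsplit, urlunsplit

def basic_auth_header(username, password):
    """RFC 7617: 'Basic ' + base64(username ':' password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def strip_userinfo(url):
    """Return (url_without_credentials, username, password)."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]   # keep host:port, drop user:pass@
    clean = urlunsplit(parts._replace(netloc=host))
    return clean, parts.username, parts.password

def build_request(url, username, password, allow_plaintext=False):
    """Build (but do not send) a request that carries credentials in a header."""
    clean, url_user, _ = strip_userinfo(url)
    if url_user is not None:
        raise ValueError("credentials must not be embedded in the URL")
    if urlsplit(clean).scheme != "https" and not allow_plaintext:
        # Base64 is an encoding, not encryption: anyone on the path can read it.
        raise ValueError("Basic auth requires HTTPS")
    req = urllib.request.Request(clean)
    req.add_header("Authorization", basic_auth_header(username, password))
    return req

_USERINFO = re.compile(r"(?P<scheme>https?://)[^/\s:@]+:[^/\s@]+@")

def redact_urls(text):
    """Mask user:password@ in every URL found in a report or log line."""
    return _USERINFO.sub(r"\g<scheme>***:***@", text)

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    req = build_request("https://myServer:5555/invoke/MyFolder:MyService",
                        "batchuser", "constructed-password")
    print(req.full_url, "->", redact_urls(req.get_header("Authorization")[:6]))
    print(redact_urls("GET http://batchuser:constructed-password@myServer:5555/"))
```

Pass the returned request to `urllib.request.urlopen` to send it; the server sees the same header a browser sends after the login pop-up.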

Hello Deepak,

We have done quite a bit of work on this. What I would suggest is that you pass the user name and password as cookies (provided you are in the same domain and of course encrypted). Then use the webMethods tomcat form logon. Within the form you can retrieve the cookies and set it to user name and password and do an auto-submit. Then the user will be logged on to the webMethods IS, with the user and password. Even though this may sound complicated (and believe me it is), we could not find a simpler way to bypass the popup. If any of you have a simpler solution please let me know.

-Rajesh Rao

Hi Rajesh:

As I wrote earlier in this thread, X.509 would be the most “correct” solution. But your solution is quite innovative.

Some suggestions: to avoid storing the username and password on the user’s machine, one can associate a random cookie with the username and password on the server (perhaps using the repo). This could then be looked up when the cookie is presented, and then the auto login can be completed. Storing the password in cleartext in the repo is still a hack but is required since there is no easy way to retrieve the user’s password on the server. At least the credentials get on the server side now.

Also, it should be possible to avoid Tomcat… the archives should have a Java snippet that sends back arbitrary HTTP response headers – you can use it to send a Set-Cookie header. The service pub.flow:getTransportInfo will let you read the cookie headers from Flow.

Example cookies:
#response HTTP header used to set cookie on client
Set-Cookie: mycookie=random123; path=/;
#Subsequent client request header containing cookie
Cookie: mycookie=random123
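The random-cookie lookup suggested in the post above, as an added example that is not part of the original thread: the browser only ever holds an unguessable token, and the server maps it back to the stored credentials until it expires. The in-memory dictionary stands in for the server-side repository, and the class name, lifetime and sample account are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "mycookie"   # cookie name from the example headers above
TTL_SECONDS = 900          # assumed lifetime of a token

class TokenStore:
    """In-memory stand-in for the server-side repository (an assumption)."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}   # token -> (username, password, expires_at)

    def issue(self, username, password):
        """Keep the credentials server-side; return a Set-Cookie header value."""
        token = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._entries[token] = (username, password, self._now() + TTL_SECONDS)
        # Secure: only sent over HTTPS. HttpOnly: not readable from page script.
        return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly"

    def resolve(self, cookie_header):
        """Map a request's Cookie header to (username, password), or None."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        entry = self._entries.get(morsel.value)
        if entry is None:
            return None      # unknown or forged token
        username, password, expires_at = entry
        if self._now() >= expires_at:
            del self._entries[morsel.value]   # expired: forget the credentials
            return None
        return username, password

if __name__ == "__main__":
    store = TokenStore()
    set_cookie = store.issue("batchuser", "constructed-password")  # constructed
    cookie = set_cookie.split(";")[0]        # what the browser sends back
    print(store.resolve(cookie))
    print(store.resolve("mycookie=random123"))
```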

Maybe a small java client can be an option? Just use the class com.wm.app.b2b.client.Context to create a connection to the server and invoke the service you want:

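import com.wm.app.b2b.client.Context;

// Connect with explicit credentials, invoke the service, then disconnect
Context context = new Context();
context.connect("localhost:5555", "Administrator", "manage");
context.invoke("MyFolder", "MyService");
context.disconnect();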

Hello all, I see quite some innovative ideas and solutions which are nice. Is there any webMethods recommended way of doing it?

Hello all,
we are making some performance tests and we experienced that the IS server is working much faster when the ACL list setting for the service is Anonymous and we don’t send the authentication header in the HTTP call to the service (server:port/invoke/servicename).

Has anyone experienced the same effect?
I’d like to know if, for performance reasons, it can be reasonable to consider opening the server to all the calls and to consider other security tools (firewall or port settings).

Thanks for replying.

Hi,
I have a “myfile.wsdl” file which I am able to access using http://localhost:5555/Wmroot/myfile.wsdl after I type in the username password in the pop-up window. This pop up I am not able to bypass. If I use http://Administrator:manage@localhost:5555/Wmroot/myfile.wsdl I have the same problem as Sherman said in the start of this thread “The browser is busy infinitely(blank page, with the window logo spinning and hourglass mouse pointer if I put the pointer on the title bar).”
Sherman, did you find a solution for this? I am not invoking any service, just accessing my wsdl file using http.
Best regards,
RD

If you want to access your file not as a service you should use the pub dir of the package.