About Question enthuware.ocejws.v6.2.302 :

Moderators: Site Manager, fjwalraven

Post Reply
himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

About Question enthuware.ocejws.v6.2.302 :

Post by himaiMinh »

Container (or declarative) basic authentication means configuring the <auth-method> to BASIC in web.xml and configure a specific web container file to some username and password. For example, if the container is Tomcat, we can set tomcat_user.xml like this:
<tomcat-users>
<user username="JohnSmith" password="johnPassword" roles="student"/>
</tomcat-users>


Application basic authentication means:
1. On the server side, programmatically verify the message context's http request header to see if the user name and password are valid.
2. On the client side, programmatically use BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY to set the credentials in the http request header.

Why option 2 says application and container authentication are not the same and application authentication is not the same as Basic authentication?
Both application and container authentication deals with basic authentication.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.302 :

Post by fjwalraven »

Why option 2 says application and container authentication are not the same and application authentication is not the same as Basic authentication?
Both application and container authentication deals with basic authentication.
No, it is either the application handling the authentication or the server (if you use Basic Authentication in the web.xml).

An example of application authentication can be found here:
http://www.mkyong.com/webservices/jax-w ... th-jax-ws/

Regards,
Frits

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.302 :

Post by himaiMinh »

Thanks for the reply.
These are good reference to compare application authentication and container authentication:
http://www.mkyong.com/webservices/jax-w ... th-jax-ws/
http://www.mkyong.com/webservices/jax-w ... ws-tomcat/

In the question, there is a term: "Basic Authentication(container)". Does this term mean container authentication? Or, it means basic authentication only ?

Container authentication's definition is authentication is declarative and authentication data (credentials) are stored in xml file.
Application authentication's definition is authentication is programmatic and credentials are input by a client application. Usually it is done by using BindingProvider and MessageContext.

Basic authentication's definition is authenticating a user by its username/passwords.

Another observation from the code example: I notice that username ("mykong") and password ("123456" are not encoded in the map returned from getRequestContext().
I guess in the exam, most username/password should be encoded before they are put in the map.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.302 :

Post by fjwalraven »

Container authentication's definition is authentication is declarative and authentication data (credentials) are stored in xml file.
No, that is not necessary. It can be stored anyware based on the realm that is used.
Application authentication's definition is authentication is programmatic and credentials are input by a client application. Usually it is done by using BindingProvider and MessageContext.
Also these credentials could be stored in a database.

Basic, in my opinion, means an Authentication based on the username and password. These credentials can be verified by the server or by the application.
I guess in the exam, most username/password should be encoded before they are put in the map.
No, that is not relevant. Encoding doesn't give more protection anyway.

Regards,
Frits

witek_m
Posts: 16
Joined: Sat Jun 09, 2018 12:09 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.302 :

Post by witek_m »

Hello, last 2 answers are not clear for me:
AD. 6 - In the Application authorization case we can set any headers we choose and read it in serwer. In the example shown earlier we have :

Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("Username", Collections.singletonList("mkyong"));
headers.put("Password", Collections.singletonList("password"));
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

so why "When application Authentication is used, the BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY HTTP headers are used" ?

Ad. 5 Basic authentication use Authorization header to pass encoded user and password - it is used if I set BindingProvider options in client or set authentication in soap ui (for example), so why there is "even if" word?

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.302 :

Post by fjwalraven »

Good questions!
so why "When application Authentication is used, the BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY HTTP headers are used" ?
Because you want your application to be portable. Clients will use the properties that are defined in the JAX-WS specs and they are certain that basic authentication works as expected. If they use other properties (like in your example) it is also authentication through your application but not in a JAX-WS defined way.
Ad. 5 Basic authentication use Authorization header to pass encoded user and password - it is used if I set BindingProvider options in client or set authentication in soap ui (for example), so why there is "even if" word?
Basic authentication credentials in JAX-WS are send through the BindingProvider properties (you can create a client and send these headers, you won't see any Athorization header). If you use Basic authentication provided by a servlet container, it will (also) use the Authorization header.

Does this make it clearer?

Regards,
Frits

witek_m
Posts: 16
Joined: Sat Jun 09, 2018 12:09 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.302 :

Post by witek_m »

Yes, great, thank you

Post Reply

Who is online

Users browsing this forum: No registered users and 28 guests