Good morning,
We seem to have an issue with http authorization on a REST webservice using resource fields for setting username and password.
Can we get the logging to display the header that is being sent?
The logging states:
FINE: Request:
POST https://<..url..>
Content-Type:application/json
{ <..payload..> }
Nov 02, 2022 11:43:08 AM org.apache.http.impl.auth.HttpAuthenticator generateAuthResponse
WARNING: NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
Nov 02, 2022 11:43:08 AM com.ebasetech.ufs.utility.LogHelper debug
FINE: Response:
HTTP/1.0 401 <html><head><title>Error</title></head><body>Unauthorized</body></html>
<..>
Nov 02, 2022 11:43:08 AM com.ebasetech.ufs.utility.LogHelper debug
FINE: Finished calling endpoint: <default>
We are using Basic Authentication and set the two variables in the REST security configuration.
This seems to be working OK in our test environment, but not in this integration environment.
Also, we can get a good answer when using curl, and by setting the header explicitly in Verj.io, so I'm thinking we're not building a good header somehow.
Maybe it is a configuration issue with respect to the org.apache.http.impl.auth.HttpAuthenticator library, but I wouldn't know where to look.
http authorization issue
Re: http authorization issue
Hi Bart,
I debugged the Basic Authentication on the REST resource and I could see that the &&<fieldname> is being substituted for the field value for the username and password fields for the Basic Authentication endpoint security.
Verj.io uses Apache HttpClient and you should be able to add a logger to the log4j.xml inside:
UserData/Server/apps/ebase/app/ebaseConf/log4j.xml
Add the following Logger to the <Loggers> element. There should be a commented-out example.
<Logger name="org.apache.http" level="ALL" additivity="false">
<AppenderRef ref="Console" />
<AppenderRef ref="File" />
</Logger>
You will need to restart the Verj.io server after adding the Logger. The output should be in the stdout (it may be the stderr) logs inside the UserData/Server/tomcat/logs directory.
Thanks
Steve
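With org.apache.http at level ALL, HttpClient's header and wire loggers write request headers to the log, including the Authorization value, which for Basic is only base64-encoded credentials. The following is an added example, not part of the original posts or Verj.io's code: it masks those values before a log excerpt is shared and reports which schemes were actually sent. The sample lines and the dummy credential are constructed.

```javascript
// Constructed sample lines in the style of HttpClient 4.x header/wire logging
// (not taken from the thread; the credential is the dummy pair user:pass).
const SAMPLE_LOG = [
  'DEBUG org.apache.http.headers - http-outgoing-0 >> POST /api HTTP/1.1',
  'DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization: Basic dXNlcjpwYXNz',
  'DEBUG org.apache.http.wire - http-outgoing-0 >> "Authorization: Basic dXNlcjpwYXNz[\\r][\\n]"',
  'DEBUG org.apache.http.headers - http-outgoing-0 << WWW-Authenticate: Negotiate',
];

// "Authorization: <scheme> <credentials>" and the Proxy- variant.
// The credential stops at whitespace, a quote, or the wire log's "[\r]" marker.
const AUTH_RE = /\b((?:Proxy-)?Authorization:\s*)([A-Za-z][\w-]*)[ \t]+([^\s"\[]+)/gi;

// Returns the lines with credentials masked, plus the schemes seen on
// outgoing (">>") lines, so the excerpt still shows what the client sent.
function redactAuth(lines) {
  const schemesSent = new Set();
  const redacted = lines.map(line =>
    line.replace(AUTH_RE, (_match, name, scheme) => {
      if (line.includes(">>")) schemesSent.add(scheme);
      return `${name}${scheme} <redacted>`;
    }));
  return { redacted, schemesSent: [...schemesSent] };
}

const result = redactAuth(SAMPLE_LOG);
console.log(result.redacted.join("\n"));
console.log("schemes sent:", result.schemesSent);
```

An empty schemesSent list on a failing call means the client never sent an Authorization header at all.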
Re: http authorization issue
Thnx Steve, we'll give that a go, perhaps we will learn something new.
Re: http authorization issue
Not sure where to find this extra logging, but what we did find: It seems that on this particular webservice, Verj.io seems to negotiate the login method before sending the authorization header.
Can you confirm this is the case?
From our logging:
WARNING: NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
Nov 09, 2022 10:42:29 AM com.ebasetech.ufs.utility.LogHelper debug
FINE: Response:
HTTP/1.0 401 <html><head><title>Error</title></head><body>Unauthorized</body></html>
Strict-Transport-Security:max-age=15552000; includeSubDomains; preload&Cache-Control:no-cache, no-store, must-revalidate&Server:JBoss-EAP/7&WWW-Authenticate:Negotiate&Connection:keep-alive&......
Re: http authorization issue
Hi Bart,
I believe that Apache HTTP Client does negotiate first.
It might be easier to just set the Authorization HTTP header manually using a mapped resource field. Using the server-side JavaScript, you could do something like this:
....
importPackage(java.util);
// set http auth header (encode as UTF-8 rather than the platform default charset)
fields.auth.value = "Basic " + Base64.getEncoder().encodeToString(new java.lang.String(user + ":" + pwd).getBytes("UTF-8"));
In the REST resource you can add a request header:
Name: Authorization
Value: &&auth
Map the resource field "auth" to the form field "auth".
I think this will work for you.
Thanks
Steve
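In the logged 401 the server's only challenge is WWW-Authenticate:Negotiate, so the failing attempt in the log is the Negotiate one and no Basic challenge is ever offered. The following is an added example, not part of the original posts or Verj.io's code: it reads the "&"-separated header dump from the log above, lists the challenged schemes, and builds the same Basic value the script above produces. The function names are hypothetical and it runs under Node.js, not inside Verj.io.

```javascript
// Response-header dump copied from the log in this thread ("&"-separated
// Name:value pairs; the trailing "......" is the poster's own truncation).
const HEADER_DUMP =
  "Strict-Transport-Security:max-age=15552000; includeSubDomains; preload" +
  "&Cache-Control:no-cache, no-store, must-revalidate&Server:JBoss-EAP/7" +
  "&WWW-Authenticate:Negotiate&Connection:keep-alive&......";

// Split the dump into a map of lower-cased header name -> list of values.
function parseHeaderDump(dump) {
  const headers = new Map();
  for (const pair of dump.split("&")) {
    const i = pair.indexOf(":");
    if (i <= 0) continue; // skip fragments such as "......"
    const name = pair.slice(0, i).trim().toLowerCase();
    const list = headers.get(name) || [];
    list.push(pair.slice(i + 1).trim());
    headers.set(name, list);
  }
  return headers;
}

// List the auth schemes the server challenged with. Quoted strings are
// blanked first so a comma inside realm="..." is not read as a new challenge.
function challengedSchemes(headers) {
  const schemes = [];
  for (const value of headers.get("www-authenticate") || []) {
    const bare = value.replace(/"(?:[^"\\]|\\.)*"/g, '""');
    for (const part of bare.split(",")) {
      const token = part.trim().split(/\s+/)[0];
      if (token && !token.includes("=")) schemes.push(token.toLowerCase());
    }
  }
  return schemes;
}

// Build the Basic credentials value: base64 of "user:password" in UTF-8.
function basicHeader(user, pwd) {
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + Buffer.from(`${user}:${pwd}`, "utf8").toString("base64");
}

console.log(challengedSchemes(parseHeaderDump(HEADER_DUMP))); // schemes offered
```

Because the value is reversible base64, keep the mapped "auth" field out of logs and send it only over HTTPS, as the endpoint here already requires.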