I have a group called “MyUsers” and I have a service MyService that only allows “MyUsers” to access. I am trying to use [url]http://myServer:5555/invoke/MyFolder:MyService[/url] to vall MyService. But it always pops-up a window asking for user name and password (because it is not anonymously accessable). If I type in a valid uname/password who is a member of “MyUsers”, it works well. I am wondering if there is a way to send that uname/password directly so that the pop-up will disappear.

Thanks!

Pls use this URL syntax via http to invoke a service:

http://username:password@myServer:5555/invoke/MyFolder:MyService.

HTH,

Thanks for the reply!

I tried to use
http://Administrator:manage@localhost:5555/invoke/Test:TestService
and the browser is busy infinitely(blank page, with the window logo spinning and hourglass mouse pointer if I put the pointer on the title bar). I also tried http://Administrator:manage@localhost:5555 and got the same result. Do I need to do some settings to enable something?

Thanks again!

Sherman

I believe there is no extra settings required.

Have you tried using with normal username which have Administrator ACL rights, instead of Administrator a/c.

> Pls use this URL syntax via http to invoke a service:
>
> [url]http://username:password@myServer:5555/invoke/MyFolder:MyService[/url].

RMG and Sherman - Avoid this practise as it is insecure and Microsoft is considering removing support for such URLs from IE:
[url=“Microsoft Support”]Microsoft Support
Also see:
[url=“Bugtraq”]Bugtraq
It’s easy to make mistakes with this - I remember once getting a internal transaction report forwarded by an external partner with his username/passwords embedded in the report’s URLs – a security hole.

Instead, consider setting the service to the ‘Anonymous’ ACL. (You will need to set the ACL manually on all servers with this package). This means anyone can invoke the service with no password. If that is not feasible, just get your user’s to use the browser’s password manager, or you can consider client side (browser) certificates.

Sonam,
I totally agree with you.

Because Sherman wants the URL Syntax having with user/pwd ,so i replied it.

Regards,

Thanks for all your replies!

My client is using .Net as the posting HTTPS client. There is a class called webRequest which can wrap up the uname/password in an authentication header. I will do some experiment and post the result.

If this can work, then we can pass the password over SSL since my server is an HTTPS server.

By the way, nice article about WMTN Receive, Sonam. If you are in US and providing consulting service, I would pay $250 per hour to have you on site.

I am a registered user now.

RMG - good to know we agree man.

Sherman - Thanks for the complements and glad to know something I wrote helped. However, I work full time for Corporate Express Australia - other side of the world.

Sonam,

its correct to add the service as a anonymous ACL. but what if i want to invoke service with some particular userid passwd. and i dont want the popup window or any login window. is it not possible in wM to call service and pass the userid passwd also as a part of the query string?
any help will be appreciated

Deepak,

If so set up an ACL for that particular user who ever wants to invoke the service.This can be accomplished using the IS/Admin webpage Security/ACLs page.

HTH,

RMG,

ok…but still i need to login into the IS right? and while logging in i will get that pop up window that i want to avoid. i want to invoke the service from say a batch program which will let me login into IS and invoke the service also. something like
[url]http://localhost:5555/invoke/package.folder:service?username=Administrator&password=manage[/url]
but alas this does not work!!!
Thanks for replying

Guys - why not use http basic auth as a way to pass user credentials?

Hello Deepak,

We have done quite a bit of work on this. What I would suggest is that you pass the user name and password as cookies (provided you are in the same domain and of course encrypted). Then use the webMethods tomcat form logon. Within the form you can retrieve the cookies and set it to user name and password and do an auto-submit. Then the user will be logged onto to the webMethods IS, with the user and password. Even though this may sound complicated (and believe me it is), we could not find a simpler way to bypass the popup. If any of you have a simpler solution please let me know.

-Rajesh Rao

Hi Rajesh:

As I wrote earlier in this thread, X.509 would the most “correct” solution. But your solution is quite an innovative.

Some suggestions: to avoid storing the username and password on the user’s machine, one can associate a random cookie with the username and password on the server(perhaps using the repo). This could then be looked up when the cookie is presented, and then the auto login can be completed. Storing the password in cleartext in the repo is still a hack but is required since there is no easy way to retrive the user’s password on the server. At least the credentials get on the server side now.

Also, it should be possible to avoid Tomcat… the archives should have a Java snippet that sends back arbitrary HTTP response headers – you can use it to send a Set-Cookie header. The service pub.flow:getTransportInfo will let you read the cookie headers from Flow.

Example cookies:
#response HTTP header used to set cookie on client
Set-Cookie: mycookie=random123; path=/;
#Subsequent client request header containing cookie
Cookie: mycookie=random123

Maybe a small java client can be an option? Just use the class com.wm.app.b2b.client.Context to create a connection to the server and invoke the service you want:

Context context = new Context();
context.connect(“localhost:5555”, “Administrator”, “manage”);
context.invoke(“MyFolder”, “MyService”);
context.disconnect();

Hello all, I see quite some innovative ideas and solutions which are nice. Is there any webMethods recommended way of doing it?

Hello all,
we are making some performance tests and we experienced that the IS server is working much faster when the ACL list setting for the service is Anonymous and we don’t send the authentication header in the HTTP call to the service (server:port/invoke/servicename).

Does anyone experienced the same effect?
I’d like to know if for performance reason can be reasonable to consider to open the server to all the calls and consider other security tools (firewall or port settings).

Thanks for replying.

Hi,
I have a “myfile.wsdl” file which I am able to access using [url]http://localhost:5555/Wmroot/myfile.wsdl[/url] after I type in the username password in the pop-up window. This pop up I am not able to bypass. If I use http://Administrator:manage@localhost:5555/Wmroot/myfile.wsdl I have the same problem as Sherman said in the start of this thread “The browser is busy infinitely(blank page, with the window logo spinning and hourglass mouse pointer if I put the pointer on the title bar).”
Sherman, did u find a solution for this? I am not invoking any service, just accessign my wsdl file using http.
Best regards,
RD

If you want to access your file not as a service you should use the pub dir of the package.

Hi,
I am able to access this file. but the username password prompt does pop up. how to bypass it is my question.
Best regards,
RD

The ACLs of a file under the /pub directory of an IS package are controlled by a .access file that needs to be in the same directory as the file. The format is

filename acl

Example:
MyPackage/pub
myfile.xml
.access

.access contents:
myfile.xml Anonymous

Url to access:
http://host:port/MyPackage/myfile.xml

HTH,
Fred

Is there a way to pass/use webMethods ACL’s to view .dsp pages in the /pub dir of a flow service? I am using DSP’s to call flow services and I CAN control the flow services by ACL’s but the pages (.dsp) I can’t. Can this .access file call natively the webMethods ACL’s? Finally, what is the format for the .access file on Windows - Can’t create a file with a ‘.’ infront with ms windows.

Thanks!

Nigel,

You cannot use the .access file to pass an ACL to the invoked service, you can only define the required ACL to show the files in the pub folder. Indeed you cannot create .access files from the new->text file context menu in windows explorer. However, text editors (notepad, textpad etc) do allow you to save a file as “.access”.

Regards,

Koen

“… invoked service, you can only define the required ACL to show the files in the pub folder.”

How is this done? Where can I define the required ACL and how do I link the .dsp files to that ACL?

Thanks!

Nigel,

The .access file looks like:

[filename] [ACL]

For instance, if you have an index.dsp which you want to protect with the Administrators ACL, the .access file would have a line:
index.dsp Administrators

You can also use wildcards in the file name.

Regards,

Koen

After reloading the package, it worked.

Much appreciated!