On the server side. the UsernameToken is processed if its there, you don't actually need to configure anything to use it.

If you are also using JBossWS for a client then you just need to add the "username" tag to your jboss-wsse-client.xml

<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
 <config>
 <username/>
 </config>
</jboss-ws-security>

Hi Jason,

what about passwords, the nonce and timestamp elements which are also part of the Username token profile 1.0 spec?

And last: what username is added to the soap header. Where does it come from?
We need to support the username token profile standard and the clients are not alwasy JBoss Appservers but also .Net and Oracle

Thanks in advance
Karl

I did some research in the JBoss WS 103 Sources.
It appears that the username token profile is partly supported.
The user and password are added to the soap header when the password are added to the call or proxy object
However password type attribute and password encoding is not support.
According to the basic security profile the type attribute is required.
Password disgest is also very nice to have.

will these functions be added in the near future?

Any update on this? Has a JIRA todo been created? I'm running into the same problem. I'd like to base64(SHA1(nonce + createdTimeStamp + password)) and send that value in the SOAP Header as part of the WSSE UsernameToken. However, JBoss appears to not be doing anything with this when the actual authentication occurs on the server-side....In order to get WSSE auth working, I have to send a clear password as the value of the 'password' element in the Security header.

Is full WSSE functionality something that has to be implemented in a LoginModule, or will this be implemented in a later rev of JbossWS?

David

Any update is welcome!
I do need same features here.

Luis Amaral.

I added a feature request

http://jira.jboss.org/jira/browse/JBWS-1296

You are also welcome to have a go.

"kdeboer" wrote:
I did some research in the JBoss WS 103 Sources.
It appears that the username token profile is partly supported.
The user and password are added to the soap header when the password are added to the call or proxy object
However password type attribute and password encoding is not support.
According to the basic security profile the type attribute is required.
Password disgest is also very nice to have.

will these functions be added in the near future?

_Revisiting username token profile_
=======================

I try to understand and use JBossws 1.0.3 with username token profile. The objective is to use WSS 1.0 username token for an existing Web services, since we are not ready with key management infrastructure (for X.509v3 cert) yet.

Approach - using simpleSignTestCase:
========================
1. Use jbossws wss example
Replace the existing x.509v3 cert profile with username token profile
in both jboss-wsse-server.xml and jboss-wsse-client.xml

e.g. jboss-wsse-server.xml

<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
<key-store-file>WEB-INF/wsse.keystore</key-store-file>
<key-store-password>jbossws</key-store-password>
<trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
<trust-store-password>jbossws</trust-store-password>



</jboss-ws-security>

e.g. jboss-wsse-client.xml
<?xml version="1.0" encoding="UTF-8"?>

<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">



</jboss-ws-security>

2. Verify if the SOAP header contains username and password

e.g. under output/samples, we can't see any SOAP header containing WSS 1.0 username token profile

<result xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>Kermit

But if we use X.509v3 cert profile, I can find WSS 1.0 cert profile in the SOAP header.

3. add user and password in the client stub, since I read that
JBossWS does not support with user and password attributes, and that JBossWS username token profile still requires using keystore password (an implementation constraint) as per this email thread.

Issues Encountered
=============
1. wss example running with username profile is OK without error, but I couldn't find the username/password in the SOAP header (as in output/log)

2. add user and password in WS stub
but I can't see any user and password in the SOAP header

e.g. in SimpleSignTestCase.java:

Hello port = (Hello)service.getPort(Hello.class);
Stub stub = (Stub)port;
stub._setProperty(Stub.USERNAME_PROPERTY, "manager");
stub._setProperty(Stub.PASSWORD_PROPERTY, "manager");

((Stub)port)._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY, "http://localhost:8080/jbossws-samples-wssecurity-sign");
return port;

3. jboss server log/console does not show any helpful /debugging information

e.g. jboss console shows:

M0346:8080/jbossws-samples-wssecurity-sign
10:16:15,937 INFO [ClientDeployer] Client ENC bound under: jbossws-client
10:16:16,797 INFO [ClientDeployer] Removing client ENC from: jbossws-client
10:16:16,812 INFO [ServiceEndpointManager] WebService stopped: http://MTVL04AL3
M0346:8080/jbossws-samples-wssecurity-sign
10:16:16,812 WARN [WSDLFilePublisher] Cannot delete published wsdl document: fi
le:/C:/tools/jboss/server/default/data/wsdl/jbossws-samples-wssecurity-sign.war/
HelloService.wsdl
10:16:16,812 INFO [TomcatDeployer] undeploy, ctxPath=/jbossws-samples-wssecurit
y-sign, warUrl=.../tmp/deploy/tmp3642jbossws-samples-wssecurity-sign-exp.war/
10:16:17,703 INFO [TomcatDeployer] deploy, ctxPath=/jbossws-samples-store-pass-
encrypt, warUrl=.../tmp/deploy/tmp3646jbossws-samples-store-pass-encrypt-exp.war
/
10:16:17,812 INFO [WSDLFilePublisher] WSDL published to: file:/C:/tools/jboss/s
erver/default/data/wsdl/jbossws-samples-store-pass-encrypt.war/HelloService.wsdl

10:16:17,906 INFO [ServiceEndpointManager] WebService started: http://MTVL04AL3


Need help:
=======
1. How could I use WSS 1.0 username token in the JBossWS example?
- I use and the WSS example runs without error, but I can't find the username token profile in the header
- I snoop the SOAP traffic using TCPSpy, but still couldn't find the username token in the SOAP header

2. could anyone verify whether I miss any step in the configuration?

Thanks.

Further to the last email thread:

1. A colleague of mine shows me the source code UsernameToken.java from JBossWS 1.0.3 GA. it looks like UsernameToken(Element) method does read the "Username" and "Password" from the SOAP message.

e.g.
public UsernameToken(Element element) throws WSSecurityException {
this.doc = element.getOwnerDocument();
String id = element.getAttributeNS(Constants.WSU_NS, Constants.ID);
...
Element child = Util.getFirstChildElement(element);
if (child == null || ! Constants.WSSE_NS.equals(child.getNamespaceURI()) || ! "Username".equals(child.getLocalName()))

throw new WSSecurityException("Username child expected in UsernameToken element");
this.username = XMLUtils.getFullTextChildrenFromElement(child);
child = Util.getNextSiblingElement(child);
...
}


I've tried the following permutation of changes, but I still can't make the WSS 1.0 username token profile work in JBossWS.

1. in both jboss-wsse-server.xml and jboss-wsse-client.xml, specify , e.g.





2. in the jboss-wsse*.xml, specify and (derived from the source code UsernameToken.java):

manager
manager


3. Specify username and password in the SOAP stub
(as per advice from the previous email threads)

- refer to previous reply

4. Control test - Don't specify anything in the jboss-wsse*.xml. Don't add any user or password in the SOAP stub. This is a control test, to ensure whether or has made any difference.
- no difference when running the wss samples.


Any advice?

Thanks.

some texts are missing in previous thread.

I've tried:
1. in both jboss-wsse*.xml, specify


2. in both jboss-wsse*.xml, specify
manager
manager

- inferred from the UsernameToken.java above

3. Specify user and password in the SOAP stub
(as per advice from previous email threads)

- refer to previous reply

4. control test
- don't specify any tag or attribute within
- This has no difference when running the samples, i.e. no SOAP wsse header, no encryption

any advice?

thanks.

Please use the code tag when pasting xml.

In order to enable sending the username token, you have to add the "username" tag to your jboss-wsse-client.xml config.

<jboss-ws-security>
 <config>
 <username/>
 </config>
</jboss-ws-security>

In my previous replies, I've already used your sample config file
in the jboss-wsse-client.xml (and jboss-wsse-server.xml), but jbossws does not render the wsse username token profile.

How I re-do the testing:
1. in the 3 samples in jbossws wssecurity, i use your example in the two *wsse*.xml file:

<?xml version="1.0" encoding="UTF-8"?>

<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
 <config>
 <username />
 </config>
</jboss-ws-security>

<jboss-ws-security>
<config />
</jboss-ws-security>

7. how should I capture or examine the SOAP header in order to
look for wsse usernametoken element? Is there any log file or option to
log the SOAP header?

 <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
 <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
 <param name="Target" value="System.out"/>
 <param name="Threshold" value="INFO"/>

 <layout class="org.apache.log4j.PatternLayout">
 <!-- The default pattern: Date Priority [Category] Message\n -->
 <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
 </layout>
 </appender>

I've turned on the DEBUG mode in the log4j, and find:

17:11:54,304 DEBUG [SOAPContentElement] setXMLFragment: <UserType_1 xmlns:xsi='h
ttp://www.w3.org/2001/XMLSchema-instance'><msg>Kermit</msg></UserType_1>
17:11:54,304 DEBUG [SOAPMessage] Incomming SOAPMessage
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header/>
<env:Body>
<ns1:echoUserType xmlns:ns1='http://org.jboss.ws/samples/wssecurity'>
<UserType_1 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><msg>Kermit</m
sg></UserType_1>
</ns1:echoUserType></env:Body></env:Envelope>

17:11:54,304 DEBUG [JAXBSerializer] serialized: <result xmlns:xsi="http://www.w3
.org/2001/XMLSchema-instance"><msg>Kermit</msg></result>
17:11:54,304 DEBUG [SOAPContentElement] xmlFragment: <result xmlns:xsi="http://w
ww.w3.org/2001/XMLSchema-instance"><msg>Kermit</msg></result>
17:11:54,304 DEBUG [SOAPMessage] Outgoing SOAPMessage
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header/>
<env:Body>
<ns1:echoUserTypeResponse xmlns:ns1='http://org.jboss.ws/samples/wssecurity'>
<result xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
 <msg>Kermit</msg>
</result></ns1:echoUserTypeResponse></env:Body></env:Envelope>

<soap:Header>
 <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
 <wsse:UsernameToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
 xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
 wsu:Id="merlin-authws-91E90B44-1C8F-0607-BF4F-8B3E3D242EBA">
 <wsse:Username>kchan</wsse:Username>
 <wsse:Password Type="wsse:PasswordDigest">1OjLUItM4JKW4D4feXBKuSccBOg=</wsse:Password>
 <wsse:Nonce>0pHV+YqqsotZvuwTzVUoUw==</wsse:Nonce>
 <wsu:Created>2006-11-1T17:47:10.814Z</wsu:Created>
 </wsse:UsernameToken>
 </wsse:Security>
</soap:Header>