19 Replies. Latest reply on Dec 20, 2006 11:06 AM by salex

    implementing wsse:UserNameToken

    djhrobinson

      I'm trying to implement a webservice based on an ejb3 bean and jsr-181 annotations.
      One of my requirements is to use wsse UserNameToken based authentication in the header.
      I can see that its possible to use the Handler chains to set up signing and encryption but I can't see how to set up the basic UserNameToken. Can anyone give me some ideas on what I'm missing here and how to go about this?

      Thanks
      Dave

        • 1. Re: implementing wsse:UserNameToken
          jason.greene

          On the server side, the UsernameToken is processed if it's there; you don't actually need to configure anything to use it.

          If you are also using JBossWS for a client then you just need to add the "username" tag to your jboss-wsse-client.xml

          <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
            <config>
              <username/>
            </config>
          </jboss-ws-security>
          


          -Jason

          • 2. Re: implementing wsse:UserNameToken

            Hi Jason,

            What about passwords, and the nonce and timestamp elements, which are also part of the Username Token Profile 1.0 spec?

            And last: what username is added to the SOAP header? Where does it come from?
            We need to support the username token profile standard, and the clients are not always JBoss app servers but also .NET and Oracle.

            Thanks in advance
            Karl

            • 3. Re: implementing wsse:UserNameToken

              I did some research in the JBossWS 1.0.3 sources.
              It appears that the username token profile is partly supported.
              The user and password are added to the SOAP header when the password is added to the call or proxy object.
              However, the password Type attribute and password encoding are not supported.
              According to the Basic Security Profile, the Type attribute is required.
              Password digest is also very nice to have.

              Will these functions be added in the near future?

              • 4. Re: implementing wsse:UserNameToken
                sappenin

                Any update on this? Has a JIRA todo been created? I'm running into the same problem. I'd like to base64(SHA1(nonce + createdTimeStamp + password)) and send that value in the SOAP Header as part of the WSSE UsernameToken. However, JBoss appears to not be doing anything with this when the actual authentication occurs on the server side. In order to get WSSE auth working, I have to send a clear password as the value of the 'password' element in the Security header.

                Is full WSSE functionality something that has to be implemented in a LoginModule, or will this be implemented in a later rev of JBossWS?

                David

                • 5. Re: implementing wsse:UserNameToken
                  lamaral

                  Any update is welcome!
                  I do need same features here.

                  Luis Amaral.

                  • 6. Re: implementing wsse:UserNameToken
                    thomas.diesler

                    I added a feature request

                    http://jira.jboss.org/jira/browse/JBWS-1296

                    You are also welcome to have a go.

                    • 7. Re: implementing wsse:UserNameToken
                      jason.greene

                       

                      "kdeboer" wrote:
                      I did some research in the JBossWS 1.0.3 sources.
                      It appears that the username token profile is partly supported.
                      The user and password are added to the SOAP header when the password is added to the call or proxy object.
                      However, the password Type attribute and password encoding are not supported.
                      According to the Basic Security Profile, the Type attribute is required.
                      Password digest is also very nice to have.

                      Will these functions be added in the near future?


                      The Basic Security Profile has been in draft for over a year, and is not expected to be finalized anytime soon, so we haven't looked at conforming to it. WS-Security 1.0 has Type as optional, so we don't specify it. The encoding type is only relevant to a Nonce, and as you see, currently nonces aren't supported. I have updated the feature request to reflect this.

                      Currently the priority on this is low, since we are busy working on EE5 / JAX-WS. So, as Thomas said, feel free to contribute if you want to see this sooner.

                      -Jason

                      • 8. Re: implementing wsse:UserNameToken
                        rayymlai

                        _Revisiting username token profile_
                        =======================

                        I am trying to understand and use JBossWS 1.0.3 with the username token profile. The objective is to use a WSS 1.0 username token for an existing Web service, since we are not ready with a key management infrastructure (for X.509v3 certs) yet.

                        Approach - using simpleSignTestCase:
                        ========================
                        1. Use jbossws wss example
                        Replace the existing x.509v3 cert profile with username token profile
                        in both jboss-wsse-server.xml and jboss-wsse-client.xml

                        e.g. jboss-wsse-server.xml

                        <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                        <key-store-file>WEB-INF/wsse.keystore</key-store-file>
                        <key-store-password>jbossws</key-store-password>
                        <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
                        <trust-store-password>jbossws</trust-store-password>



                        </jboss-ws-security>

                        e.g. jboss-wsse-client.xml
                        <?xml version="1.0" encoding="UTF-8"?>

                        <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">



                        </jboss-ws-security>

                        2. Verify if the SOAP header contains username and password

                        e.g. under output/samples, we can't see any SOAP header containing WSS 1.0 username token profile

                        <result xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>Kermit

                        But if we use X.509v3 cert profile, I can find WSS 1.0 cert profile in the SOAP header.

                        3. Add user and password in the client stub, since I read that
                        JBossWS does not support user and password attributes, and that the JBossWS username token profile still requires using a keystore password (an implementation constraint) as per this email thread.

                        Issues Encountered
                        =============
                        1. wss example running with username profile is OK without error, but I couldn't find the username/password in the SOAP header (as in output/log)

                        2. add user and password in WS stub
                        but I can't see any user and password in the SOAP header

                        e.g. in SimpleSignTestCase.java:

                        Hello port = (Hello)service.getPort(Hello.class);
                        Stub stub = (Stub)port;
                        stub._setProperty(Stub.USERNAME_PROPERTY, "manager");
                        stub._setProperty(Stub.PASSWORD_PROPERTY, "manager");

                        ((Stub)port)._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY, "http://localhost:8080/jbossws-samples-wssecurity-sign");
                        return port;

                        3. jboss server log/console does not show any helpful /debugging information

                        e.g. jboss console shows:

                        M0346:8080/jbossws-samples-wssecurity-sign
                        10:16:15,937 INFO [ClientDeployer] Client ENC bound under: jbossws-client
                        10:16:16,797 INFO [ClientDeployer] Removing client ENC from: jbossws-client
                        10:16:16,812 INFO [ServiceEndpointManager] WebService stopped: http://MTVL04AL3M0346:8080/jbossws-samples-wssecurity-sign
                        10:16:16,812 WARN [WSDLFilePublisher] Cannot delete published wsdl document: file:/C:/tools/jboss/server/default/data/wsdl/jbossws-samples-wssecurity-sign.war/HelloService.wsdl
                        10:16:16,812 INFO [TomcatDeployer] undeploy, ctxPath=/jbossws-samples-wssecurity-sign, warUrl=.../tmp/deploy/tmp3642jbossws-samples-wssecurity-sign-exp.war/
                        10:16:17,703 INFO [TomcatDeployer] deploy, ctxPath=/jbossws-samples-store-pass-encrypt, warUrl=.../tmp/deploy/tmp3646jbossws-samples-store-pass-encrypt-exp.war/
                        10:16:17,812 INFO [WSDLFilePublisher] WSDL published to: file:/C:/tools/jboss/server/default/data/wsdl/jbossws-samples-store-pass-encrypt.war/HelloService.wsdl
                        10:16:17,906 INFO [ServiceEndpointManager] WebService started: http://MTVL04AL3


                        Need help:
                        =======
                        1. How could I use WSS 1.0 username token in the JBossWS example?
                        - I use and the WSS example runs without error, but I can't find the username token profile in the header
                        - I snoop the SOAP traffic using TCPSpy, but still couldn't find the username token in the SOAP header

                        2. could anyone verify whether I miss any step in the configuration?

                        Thanks.

                        • 9. Re: implementing wsse:UserNameToken
                          rayymlai

                          Further to the last email thread:

                          1. A colleague of mine showed me the source code UsernameToken.java from JBossWS 1.0.3 GA. It looks like the UsernameToken(Element) method does read the "Username" and "Password" from the SOAP message.

                          e.g.
                          public UsernameToken(Element element) throws WSSecurityException {
                              this.doc = element.getOwnerDocument();
                              String id = element.getAttributeNS(Constants.WSU_NS, Constants.ID);
                              ...
                              Element child = Util.getFirstChildElement(element);
                              if (child == null || !Constants.WSSE_NS.equals(child.getNamespaceURI()) || !"Username".equals(child.getLocalName()))
                                  throw new WSSecurityException("Username child expected in UsernameToken element");
                              this.username = XMLUtils.getFullTextChildrenFromElement(child);
                              child = Util.getNextSiblingElement(child);
                              ...
                          }


                          I've tried the following permutation of changes, but I still can't make the WSS 1.0 username token profile work in JBossWS.

                          1. in both jboss-wsse-server.xml and jboss-wsse-client.xml, specify , e.g.





                          2. in the jboss-wsse*.xml, specify and (derived from the source code UsernameToken.java):

                          manager
                          manager


                          3. Specify username and password in the SOAP stub
                          (as per advice from the previous email threads)

                          - refer to previous reply

                          4. Control test - Don't specify anything in the jboss-wsse*.xml. Don't add any user or password in the SOAP stub. This is a control test, to ensure whether or has made any difference.
                          - no difference when running the wss samples.


                          Any advice?

                          Thanks.

                          • 10. Re: implementing wsse:UserNameToken
                            rayymlai

                            some texts are missing in previous thread.

                            I've tried:
                            1. in both jboss-wsse*.xml, specify


                            2. in both jboss-wsse*.xml, specify
                            manager
                            manager

                            - inferred from the UsernameToken.java above

                            3. Specify user and password in the SOAP stub
                            (as per advice from previous email threads)

                            - refer to previous reply

                            4. control test
                            - don't specify any tag or attribute within
                            - This has no difference when running the samples, i.e. no SOAP wsse header, no encryption

                            any advice?

                            thanks.

                            • 11. Re: implementing wsse:UserNameToken
                              jason.greene

                              Please use the code tag when pasting xml.

                              In order to enable sending the username token, you have to add the "username" tag to your jboss-wsse-client.xml config.

                              <jboss-ws-security>
                               <config>
                               <username/>
                               </config>
                              </jboss-ws-security>
                              


                              • 12. Re: implementing wsse:UserNameToken
                                rayymlai

                                In my previous replies, I've already used your sample config file
                                in the jboss-wsse-client.xml (and jboss-wsse-server.xml), but JBossWS does not render the wsse username token profile.

                                How I redid the testing:
                                1. In the 3 samples in jbossws wssecurity, I use your example in the two *wsse*.xml files:

                                <?xml version="1.0" encoding="UTF-8"?>
                                
                                <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                                 <config>
                                 <username />
                                 </config>
                                </jboss-ws-security>
                                


                                2. run "ant clean", "ant" and "ant tests"
                                - wssecurity samples show no error in test runs

                                3. examine output/samples log file


                                Outgoing SOAPMessage
                                <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
                                <env:Header/>
                                <env:Body>
                                <ns1:echoUserType xmlns:ns1='http://org.jboss.ws/samples/wssecurity'>
                                <UserType_1 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
                                Kermit
                                </UserType_1></ns1:echoUserType></env:Body></env:Envelope>

                                Incomming Response SOAPMessage
                                <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
                                <env:Header/>
                                <env:Body>
                                <ns1:echoUserTypeResponse xmlns:ns1='http://org.jboss.ws/samples/wssecurity'>
                                <result xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>Kermit
                                </ns1:echoUserTypeResponse></env:Body></env:Envelope>


                                4. I use tcpspy to capture the SOAP message, but cannot find the wsse username token in the SOAP header.

                                5. If I don't use the tag "username", e.g.

                                <jboss-ws-security>
                                <config />
                                </jboss-ws-security>
                                I find that the output/sample and the SOAP message intercepted by tcpspy are the same.

                                Need help
                                6. could you advise if I miss anything in the config file?

                                7. how should I capture or examine the SOAP header in order to look for wsse usernametoken element? Is there any log file or option to log the SOAP header?

                                thanks.

                                • 13. Re: implementing wsse:UserNameToken
                                  sappenin

                                   

                                  7. how should I capture or examine the SOAP header in order to
                                  look for wsse usernametoken element? Is there any log file or option to
                                  log the SOAP header?


                                  In your log4j.xml file (JBOSS_HOME/server/[servername]/conf/log4j.xml), set the CONSOLE appender threshold to DEBUG (instead of the default INFO). When you run your webservice, the in/out messages (including headers) will be displayed. You can do the same for other appenders if you want to capture logging info in other places.

                                  
                                   <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
                                     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
                                     <param name="Target" value="System.out"/>
                                     <param name="Threshold" value="INFO"/>

                                     <layout class="org.apache.log4j.PatternLayout">
                                       <!-- The default pattern: Date Priority [Category] Message\n -->
                                       <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
                                     </layout>
                                   </appender>
                                  
                                  
                                  


                                  • 14. Re: implementing wsse:UserNameToken
                                    rayymlai

                                    I've turned on the DEBUG mode in the log4j, and find:

                                    17:11:54,304 DEBUG [SOAPContentElement] setXMLFragment: <UserType_1 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><msg>Kermit</msg></UserType_1>
                                    17:11:54,304 DEBUG [SOAPMessage] Incomming SOAPMessage
                                    <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
                                    <env:Header/>
                                    <env:Body>
                                    <ns1:echoUserType xmlns:ns1='http://org.jboss.ws/samples/wssecurity'>
                                    <UserType_1 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><msg>Kermit</msg></UserType_1>
                                    </ns1:echoUserType></env:Body></env:Envelope>

                                    17:11:54,304 DEBUG [JAXBSerializer] serialized: <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><msg>Kermit</msg></result>
                                    17:11:54,304 DEBUG [SOAPContentElement] xmlFragment: <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><msg>Kermit</msg></result>
                                    17:11:54,304 DEBUG [SOAPMessage] Outgoing SOAPMessage
                                    <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
                                    <env:Header/>
                                    <env:Body>
                                    <ns1:echoUserTypeResponse xmlns:ns1='http://org.jboss.ws/samples/wssecurity'>
                                    <result xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
                                     <msg>Kermit</msg>
                                    </result></ns1:echoUserTypeResponse></env:Body></env:Envelope>


                                    This reinforces my previous finding that even though I use the tag "username" in the *wsse-*.xml file, JBossWS 1.0.3 doesn't render the WSS 1.0 username token profile.

                                    I would be expecting JBossWS to generate something like:

                                    <soap:Header>
                                      <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
                                        <wsse:UsernameToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
                                                            xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                                                            wsu:Id="merlin-authws-91E90B44-1C8F-0607-BF4F-8B3E3D242EBA">
                                          <wsse:Username>kchan</wsse:Username>
                                          <wsse:Password Type="wsse:PasswordDigest">1OjLUItM4JKW4D4feXBKuSccBOg=</wsse:Password>
                                          <wsse:Nonce>0pHV+YqqsotZvuwTzVUoUw==</wsse:Nonce>
                                          <wsu:Created>2006-11-1T17:47:10.814Z</wsu:Created>
                                        </wsse:UsernameToken>
                                      </wsse:Security>
                                    </soap:Header>


                                    Questions
                                    1. Do any of you have advice or pointer? Is this because JBossWS 1.0.3 does not fully support WSS 1.0 username token?

                                    2. A colleague of mine writes a client to the Java web service in JBoss, and provides the user id and password by setting the property in the SOAP stub (refer to previous replies in this thread). He says this is an alternative way to generate WSS 1.0 username token.

                                    My understanding is that this won't generate WSS 1.0 compliant username token. Can any one confirm?


                                    Thanks.
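
Both the digest sappenin describes in reply 4 (base64(SHA1(nonce + createdTimeStamp + password))) and the header rayymlai expects above come down to a few lines of code. What follows is an added example, not code from this thread or from JBossWS: it builds the token on the client side and verifies it on the server side, with the freshness and replay checks a LoginModule would need for the digest to be worth more than a cleartext password. Assumptions: the namespace URIs are the OASIS WSS 1.0 ones (the expected header above uses the earlier 2002 draft URIs), the account kchan/s3cret, the fixed nonce and the 5-minute skew window are made up for the run, and Python is used instead of Java so the whole thing runs stand-alone.

```python
"""Added example, not code from the thread or from JBossWS: WSS UsernameToken
Profile 1.0 PasswordDigest = Base64(SHA-1(nonce || created || password)), built
client-side and verified server-side with freshness and replay checks."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# OASIS WSS 1.0 URIs (assumed; the header quoted in the thread uses the older 2002 draft URIs).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """nonce is the raw nonce bytes (not its Base64 text); created is the wsu:Created string."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode("ascii")


def build_username_token(username, password, nonce=None, created=None) -> str:
    """Client side: serialise a wsse:Security header carrying a digest token."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64_ENC).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: the checks a handler or LoginModule must make before trusting the token."""

    def __init__(self, password_lookup, max_skew=timedelta(minutes=5)):
        self.password_lookup = password_lookup   # username -> cleartext password, or None
        self.max_skew = max_skew                 # accepted clock skew around wsu:Created
        self.seen_nonces = {}                    # nonce bytes -> created time (replay cache)

    def verify(self, header_xml: str, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return False
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_text = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        # Digest type, nonce and timestamp are all mandatory here; a PasswordText
        # token is a cleartext password on the wire and is refused outright.
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or not (nonce_text and created):
            return False
        try:
            created_dt = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_text, validate=True)   # binascii.Error is a ValueError
        except ValueError:
            return False
        if abs(now - created_dt) > self.max_skew:
            return False                         # stale, or from the future
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_skew}
        if nonce in self.seen_nonces:
            return False                         # same nonce replayed inside the window
        password = self.password_lookup(tok.findtext(f"{{{WSSE}}}Username"))
        if password is None:
            return False
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False
        self.seen_nonces[nonce] = created_dt
        return True


def demo() -> dict:
    """Constructed scenario (not captured traffic): one good token, then the failure modes."""
    users = {"kchan": "s3cret"}                  # hypothetical account
    created, nonce = "2006-11-01T17:47:10.814000Z", bytes(range(16))   # fixed for reproducibility
    now = datetime(2006, 11, 1, 17, 47, 12, tzinfo=timezone.utc)
    header = build_username_token("kchan", "s3cret", nonce, created)
    v = UsernameTokenVerifier(users.get)
    return {
        "valid": v.verify(header, now),
        "replayed": v.verify(header, now),       # same nonce presented a second time
        "stale": UsernameTokenVerifier(users.get).verify(header, now + timedelta(hours=1)),
        "wrong_password": UsernameTokenVerifier({"kchan": "other"}.get).verify(header, now),
        "cleartext_refused": UsernameTokenVerifier(users.get).verify(
            header.replace("#PasswordDigest", "#PasswordText"), now),
    }
```

Two points worth noting for interop with .NET or Oracle clients: the digest is taken over the raw nonce bytes, not their Base64 text (getting that wrong is the usual cause of "digest mismatch" between stacks), and verifying a PasswordDigest requires the server to have the cleartext password available, so a LoginModule that stores only hashed passwords cannot check it.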
