19 Replies. Latest reply on Dec 20, 2006 11:06 AM by salex
      • 15. Re: implementing wsse:UserNameToken
        sappenin

        I can't confirm your problem using a JBoss/Java client. I'm using an Adobe Flex2 client, and can hit my JBoss webservice using the WSSE Username Profile. The only problem is that I have to send my password in the clear (See up above where jason.greene@jboss.com addresses this point).

        However, once you solve your client issue, you will run into this same problem using the USERNAME profile on the server side, since it doesn't yet deal with the Nonce or date elements (unless you've implemented custom functionality to handle these).

        I'll try putting together a client to see if I run into these same issues.
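
Post 15 points out that the server-side USERNAME profile does not yet process the Nonce or date elements, which is why the password has to travel in the clear. The added example below (not from the thread and not JBossWS code) shows the server-side check those elements enable under the WSS UsernameToken Profile's PasswordDigest type: recompute Base64(SHA-1(nonce + created + password)), reject stale timestamps, and reject reused nonces. The class and method names, the 5-minute window and the sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not JBossWS code: class and method names are hypothetical.
public class UsernameTokenDigestCheck {
    static final Duration MAX_AGE = Duration.ofMinutes(5); // assumed freshness window
    private final Set<String> seenNonces = ConcurrentHashMap.newKeySet(); // production: evict after MAX_AGE

    // Profile formula before Base64 encoding: SHA-1(nonce bytes + Created + password).
    static byte[] digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return sha1.digest();
    }

    boolean verify(String nonceB64, String created, String digestB64,
                   String password, Instant now) throws Exception {
        Instant ts;
        byte[] nonce, claimed;
        try {
            ts = Instant.parse(created);
            nonce = Base64.getDecoder().decode(nonceB64);
            claimed = Base64.getDecoder().decode(digestB64);
        } catch (RuntimeException e) {
            return false; // a missing or malformed Nonce, Created or Password is rejected
        }
        if (Duration.between(ts, now).abs().compareTo(MAX_AGE) > 0) return false; // stale
        if (!MessageDigest.isEqual(digest(nonce, created, password), claimed)) return false; // constant-time
        // Key on the canonical encoding so a re-padded nonce cannot be replayed.
        return seenNonces.add(Base64.getEncoder().encodeToString(nonce));
    }

    public static void main(String[] args) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        Instant now = Instant.now();
        String n = Base64.getEncoder().encodeToString(nonce);
        String created = now.toString(), pw = "sample-password"; // constructed sample values
        String sent = Base64.getEncoder().encodeToString(digest(nonce, created, pw));
        UsernameTokenDigestCheck server = new UsernameTokenDigestCheck();
        System.out.println("first use: " + server.verify(n, created, sent, pw, now));
        System.out.println("replay:    " + server.verify(n, created, sent, pw, now));
        System.out.println("stale:     " + server.verify(n, created, sent, pw, now.plusSeconds(3600)));
    }
}
```

The first call is accepted; the replayed and the stale token are rejected. Digest mode requires the server to hold the cleartext password (or an equivalent secret), because it has to recompute the hash itself.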

        • 16. Re: implementing wsse:UserNameToken
          rikardf

          I have the same issue as 'rayymlai'. I can't add the Security header with UserNameToken to an outgoing call with JAX-RPC.

          I have tested with JBoss 4.04 and 4.05.

          I have added the following stuff:

          1) Added the 'jboss-wsse-client.xml' in the 'meta-inf' dir in the jar file.
          2) Added the following in the code for the outgoing call:

          Stub stub = (Stub) aStub;
          stub._setProperty(Stub.USERNAME_PROPERTY, "Rikard");
          stub._setProperty(Stub.PASSWORD_PROPERTY, "RikardPWD");
          ...
          aStub.someWsMethod(...);
          


          Should that be enough? Or did I miss anything?



          • 17. Re: implementing wsse:UserNameToken
            thomas.diesler

            Please start with a working sample from the samples download or have a look at the wsse testsuite

            • 18. Re: implementing wsse:UserNameToken
              rayymlai

              Thomas:

              In my previous threads, we re-use JBossWS examples.

              I notice that there is an additional step missing. In your Java bean, you need to use an annotation to specify the security handler (this is not documented in JBossWS). Please refer to the JSR181 EJB3 example.

              One colleague of mine advised me that he learned from JBoss support that WSS username token only works with the JSR181 EJB3 example, not JSR181 POJO. Apparently, JBossWS 1.0.3 JSR181 POJO can't use the security handler (as in the EJB3 example). It complains it cannot get the security configuration. It is possible that the security handler is customized for the EJB3 example (for JAAS authentication).

              I've done verification and confirmed that.

              Any resolution?

              • 19. Re: implementing wsse:UserNameToken
                salex

                With [ code ] tags:

                "rayymlai" wrote:
                Further to the last email thread:

                1. A colleague of mine shows me the source code UsernameToken.java from JBossWS 1.0.3 GA. It looks like the UsernameToken(Element) method does read the "Username" and "Password" from the SOAP message.

                e.g.
                 public UsernameToken(Element element) throws WSSecurityException {
                     this.doc = element.getOwnerDocument();
                     String id = element.getAttributeNS(Constants.WSU_NS, Constants.ID);
                     ...
                     Element child = Util.getFirstChildElement(element);
                     if (child == null || !Constants.WSSE_NS.equals(child.getNamespaceURI()) || !"Username".equals(child.getLocalName()))
                         throw new WSSecurityException("Username child expected in UsernameToken element");
                     this.username = XMLUtils.getFullTextChildrenFromElement(child);
                     child = Util.getNextSiblingElement(child);
                     ...
                 }
                


                I've tried the following permutation of changes, but I still can't make the WSS 1.0 username token profile work in JBossWS.

                1. in both jboss-wsse-server.xml and jboss-wsse-client.xml, specify <username />, e.g.
                 <config>
                     <username />
                 </config>
                

                2. in the jboss-wsse*.xml, specify <Username> and <Password> (derived from the source code UsernameToken.java):
                 <config>
                     <Username>manager</Username>
                     <Password>manager</Password>
                 </config>
                

                3. Specify username and password in the SOAP stub
                (as per advice from the previous email threads)

                - refer to previous reply

                4. Control test - Don't specify anything in the jboss-wsse*.xml. Don't add any user or password in the SOAP stub. This is a control test, to ensure whether <username /> or <Username/> has made any difference.
                - no difference when running the wss samples.


                Any advice?

                Thanks.

