15. Re: WSSE UsernameToken without HTTP basic auth?
mikaeljl Jan 26, 2009 10:02 AM (in response to mikaeljl)
Hi!
Sorry for the delay...
I've tried the new username token support now and it seems to work fine.
Build info:
Version: jbossws-native-3.0.6-SNAPSHOT
Build: 200901151503
Example of SOAP request:
    POST /lab_1_wsdl_first/HelloService HTTP/1.1
    SOAPAction: ""
    Content-Type: text/xml; charset=UTF-8
    JBoss-Remoting-Version: 22
    User-Agent: JBossRemoting - 2.2.2.SP8
    Host: localhost:8080
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    Transfer-Encoding: chunked

    <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
      <env:Header>
        <wsse:Security env:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
          <wsu:Timestamp wsu:Id='timestamp'>
            <wsu:Created>2009-01-26T14:36:28.871Z</wsu:Created>
            <wsu:Expires>2009-01-26T14:41:28.871Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:UsernameToken wsu:Id='token-1-1232980588873-16780239'>
            <wsse:Username>someuser</wsse:Username>
            <wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText'>somepassword</wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </env:Header>
      <env:Body>
        <ns1:HelloData xmlns:ns1="http://www.redpill.se/training/ws/hello/HelloService">
          <helloMessage>Lab1Client</helloMessage>
        </ns1:HelloData>
      </env:Body>
    </env:Envelope>
I.e. no http basic authentication.
I've added
<security-domain>java:/jaas/JBossWS</security-domain>
to jboss-web.xml
And the following to jboss-wsse-server.xml:
    <jboss-ws-security>
      <config>
        <authorize>
          <unchecked/>
        </authorize>
      </config>
    </jboss-ws-security>
And I can now control access through the conf/props/jbossws-users.properties file.
Without properly configured credentials I get a message saying:
"The security token could not be authenticated or authorized."
So everything seems to be ok this far.
However, I've noticed that if I do:
@Resource
javax.xml.ws.WebServiceContext wsCtx;
wsCtx.getUserPrincipal() will return null.
Is this the expected result?
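Added example (not part of the original post and not JBossWS code): a Python check over the wsse:Security header from the request above, reporting the two things a reviewer would look at in it, the password type relative to the transport and whether the wsu:Timestamp window covers the time of receipt. The function name, the `over_tls` flag and the finding strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

BASE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = BASE + "wssecurity-secext-1.0.xsd"
WSU = BASE + "wssecurity-utility-1.0.xsd"
PROFILE = BASE + "username-token-profile-1.0"
NS = {"wsse": WSSE, "wsu": WSU}

# Security header of the request shown in the post (SOAP body omitted).
SAMPLE = f"""<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'><env:Header>
<wsse:Security env:mustUnderstand='1' xmlns:wsse='{WSSE}' xmlns:wsu='{WSU}'>
<wsu:Timestamp wsu:Id='timestamp'><wsu:Created>2009-01-26T14:36:28.871Z</wsu:Created>
<wsu:Expires>2009-01-26T14:41:28.871Z</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken wsu:Id='token-1-1232980588873-16780239'>
<wsse:Username>someuser</wsse:Username>
<wsse:Password Type='{PROFILE}#PasswordText'>somepassword</wsse:Password>
</wsse:UsernameToken></wsse:Security></env:Header><env:Body/></env:Envelope>"""

def _utc(text):
    # Timestamps in the sample use millisecond precision and a literal Z.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_username_token(envelope_xml, now, over_tls):
    """Return a list of findings for the wsse:Security header of one request."""
    # For untrusted input, use a hardened parser such as defusedxml instead.
    sec = ET.fromstring(envelope_xml).find(".//wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    token = sec.find("wsse:UsernameToken", NS)
    if token is None:
        return ["no wsse:UsernameToken"]
    findings = []
    pw = token.find("wsse:Password", NS)
    # The profile treats a missing Type attribute as PasswordText.
    ptype = None if pw is None else pw.get("Type", PROFILE + "#PasswordText")
    if ptype is None:
        findings.append("UsernameToken has no Password element")
    elif ptype == PROFILE + "#PasswordText" and not over_tls:
        findings.append("cleartext password on an unencrypted transport")
    elif ptype == PROFILE + "#PasswordDigest" and (
            token.find("wsse:Nonce", NS) is None or token.find("wsu:Created", NS) is None):
        findings.append("digest without Nonce and Created can be replayed")
    created = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
    expires = sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
    if not (created and expires):
        findings.append("no Timestamp window: request has no freshness bound")
    elif not _utc(created) <= now <= _utc(expires):
        findings.append("Timestamp outside its Created/Expires window")
    return findings
```
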
16. Re: WSSE UsernameToken without HTTP basic auth?
mikaeljl Jan 27, 2009 2:40 AM (in response to mikaeljl)
Hi again.
I noticed another thing when running this test.
In my service I have system outs in the c-tor and finalizer.
I've also added postCreate and preDestroy methods with:
    public HelloImpl() {
        System.out.println("HelloServiceImpl created!!!");
    }

    @PostConstruct
    protected void doSetupStuff() {
        System.out.println("HelloImpl PostConstruct +++++!");
    }

    @PreDestroy
    protected void doCleanupStuff() {
        System.out.println("HelloImpl PreDestroy ------");
    }

    public void finalize() {
        System.out.println("HelloImpl finalize!!!");
    }
Afaik the postConstruct and predestroy annotations have not been supported on a pojo webservice before, when was this support added?
Anyway, I can see that the constructor and the postCreate method is called once for each request. But I never see the preDestroy/finalizer being called. The only way getting a call to these methods is to redeploy the service.
I've tried running explicit GCs using the Server MBean but that does not help.
What kind of pooling mechanism is being used for the pojo WS implementations?
Running a client in a loop sending lots of requests results in jboss running out of memory (after approx 60000 requests).
Maybe the code was "in a state of flux" when I checked out latest from head?
I've used JBoss 4.2.3 GA and java 1.5.0_15-b04.
17. Re: WSSE UsernameToken without HTTP basic auth?
ropalka Jan 27, 2009 3:40 AM (in response to mikaeljl)
"mikaeljl" wrote:
> Afaik the postConstruct and predestroy annotations have not been supported on a pojo webservice before, when was this support added?
Since JBossWS 3.0.5 release.
"mikaeljl" wrote:
> Anyway, I can see that the constructor and the postCreate method is called once for each request. But I never see the preDestroy/finalizer being called. The only way getting a call to these methods is to redeploy the service.
Yes, the POJO endpoint is created for each request.
It's not shared across clients.
We need to check JAXWS spec whether POJO endpoint could be shared.
18. Re: WSSE UsernameToken without HTTP basic auth?
ropalka Jan 27, 2009 3:45 AM (in response to mikaeljl)
Cross reference issue JBWS-2486.
19. Re: WSSE UsernameToken without HTTP basic auth?
mikaeljl Jan 27, 2009 4:58 AM (in response to mikaeljl)
Hi Richard.
I do not know if the endpoints can be shared.
They need to get different
@Resource
javax.xml.ws.WebServiceContext
references (if annotated with it).
Shared or not, the pojo endpoints need to be released sometime.
Is it a known problem that the endpoints are not released until the war is redeployed?
If that is the case it sounds like a memory leak, but maybe I've got something bad in my setup? Am I missing something here?
Also note my concern about:
@Resource
javax.xml.ws.WebServiceContext wsCtx;
wsCtx.getUserPrincipal() will return null.
Is this the expected result?
20. Re: WSSE UsernameToken without HTTP basic auth?
ropalka Jan 27, 2009 5:37 AM (in response to mikaeljl)
"mikaeljl" wrote:
> Shared or not, the pojo endpoints need to be released sometime.
> Is it a known problem that the endpoints are not released until the war is redeployed?
It's a bug.
"mikaeljl" wrote:
> Also note my concern about:
> @Resource
> javax.xml.ws.WebServiceContext wsCtx;
> wsCtx.getUserPrincipal() will return null.
> Is this the expected result?
This is a known issue, see JBWS-2074.
21. Re: WSSE UsernameToken without HTTP basic auth?
mikaeljl Jan 29, 2009 2:22 AM (in response to mikaeljl)
Hi again!
The web service context is injected OK.
wsCtx is not null; it's just the user principal object that I try to retrieve from the wsCtx that is null. But maybe this is a result of JBWS-2074?
I've not tried it yet but I guess that
org.jboss.security.SecurityAssociation.getPrincipal().getName()
would work.
Is there a JIRA for the memory leak/pojo endpoints never being released problem as well?
Or will that problem be handled by JBWS-2486?
Have you been able to reproduce the problem? It sounds like a significant problem. I've tried removing @pre @post annotated methods but that does not help.
/Mikael
22. Re: WSSE UsernameToken without HTTP basic auth?
dlofthouse Jan 29, 2009 1:12 PM (in response to mikaeljl)
mikaeljl, for the following: -
> However, I've noticed that if I do:
> @Resource
> javax.xml.ws.WebServiceContext wsCtx;
> wsCtx.getUserPrincipal() will return null.
> Is this the expected result?
Can you please raise a Jira issue under JBWS and assign it to me and I will review what is happening.
23. Re: WSSE UsernameToken without HTTP basic auth?
moa Nov 17, 2009 6:00 AM (in response to mikaeljl)
Hi Mikael and Darran,
Sorry for wakening an old thread.
We had the same problem with the principal = null over in the STS wiki:
http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075
So I have added a JIRA bug for you Darran:
https://jira.jboss.org/jira/browse/JBWS-2833