8 Replies Latest reply on Jul 15, 2008 12:16 PM by brettsc

    WS-Security trouble: {http://www.w3.org/2005/08/addressing}A

    timeagentess

      Hello all,

      I am trying to use WS-Security and have a client and web service exchange signed messages.
      However, I have run into some trouble -- can't get rid of this error (seen on both server and client consoles):

      ERROR [SOAPFaultHelperJAXWS] SOAP request exception
      javax.xml.ws.addressing.AddressingException: Required element {http://www.w3.org/2005/08/addressing}Action is missing

      at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.getRequiredHeaderContent(SOAPAddressingPropertiesImpl.java:71)
      at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.readHeaders(SOAPAddressingPropertiesImpl.java:141)
      at org.jboss.ws.extensions.addressing.jaxws.WSAddressingServerHandler.handleInbound(WSAddressingServerHandler.java:82)
      [...]


      My configuration is JBoss 4.0.5 & JBossWS 2.0.0, and the files as described below.

      I. Web service, deployed as SLSB in ear archive:
      |-ejb.jar (contains Endpoint implementation WSTwoServiceBean.java)
      |-META-INF
      |---server.keystore
      |---server.truststore
      |---application.xml
      |---jboss-wsse-server.xml
      |---standard-jaxws-endpoint-config.xml

      Service endpoint implementation: WSTwoServiceBean.java

      //EJB3 annotations
      @javax.ejb.Stateless
      @org.jboss.annotation.ejb.RemoteBinding(jndiBinding = "WebServices/WSTwoServiceBeanInterface")
      @javax.ejb.Remote({com.atb.webservices.wstwo.WSTwoServiceBeanInterface.class})
      
      // WS annotations
      @javax.jws.WebService(endpointInterface = "com.atb.webservices.wstwo.WSTwoRemoteInterface", targetNamespace = "http://localhost:8080/atb")
      @org.jboss.wsf.spi.annotation.WebContext(contextRoot = "/webservices-ws", urlPattern="/services/WSTwo/*")
      @javax.jws.soap.SOAPBinding(style = javax.jws.soap.SOAPBinding.Style.DOCUMENT, use = javax.jws.soap.SOAPBinding.Use.LITERAL, parameterStyle = javax.jws.soap.SOAPBinding.ParameterStyle.WRAPPED)
      @HandlerChain(file="resource://META-INF/standard-jaxws-endpoint-config.xml")
      @EndpointConfig(configName = "Standard WSSecurity Endpoint")
      @SecurityDomain("JBossWS")
      public class WSTwoServiceBean implements WSTwoServiceBeanInterface {
          @WebMethod
          public String hello(String s) {
              return "Hello, " + s + "!";
          }
      }
      


      jboss-wsse-server.xml:

      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.jboss.com/ws-security/config
          http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
        <key-store-file>META-INF/server.keystore</key-store-file>
        <key-store-password>server</key-store-password>
        <trust-store-file>META-INF/server.truststore</trust-store-file>
        <trust-store-password>server</trust-store-password>
        <config>
          <sign type="jks" alias="server"/>
          <requires>
            <signature/>
          </requires>
        </config>
      </jboss-ws-security>



      standard-jaxws-endpoint-config.xml:

      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
          xsi:schemaLocation="urn:jboss:jaxws-config:2.0 jaxws-config_2_0.xsd">

        <endpoint-config>
          <config-name>Standard WSSecurity Endpoint</config-name>
          <post-handler-chains>
            <javaee:handler-chain>
              <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
              <javaee:handler>
                <javaee:handler-name>WSSecurity Handler</javaee:handler-name>
                <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
              </javaee:handler>
            </javaee:handler-chain>
          </post-handler-chains>
        </endpoint-config>

      </jaxws-config>
      

      II. Client, standalone application:
      |-TestWS.java
      |-META-INF
      |---jboss-wsse-client.xml
      |---standard-jaxws-client-config.xml
      |---client.keystore
      |---client.truststore

      (Even though, being a standalone client, I suspect placing the files in a folder other than META-INF wouldn't make any difference)

      TestWS.java:

      WSTwoServiceBeanService wstwoService = new WSTwoServiceBeanService();
      WSTwo wstwo = wstwoService.getPort(WSTwo.class);

      URL securityURL = null;
      URL securityConfig = null;
      try {
          securityURL = new File("META-INF/jboss-wsse-client.xml").toURL();
          securityConfig = new File("META-INF/standard-jaxws-client-config.xml").toURL();
      } catch (MalformedURLException e) {
          System.out.println(e);
      }
      ((StubExt)wstwo).setSecurityConfig(securityURL.toExternalForm());
      ((StubExt)wstwo).setConfigName("Standard WSSecurity Client", securityConfig.toExternalForm());

      String response = wstwo.hello("world");
      System.out.println("Web service answered with: " + response);
      



      jboss-wsse-client.xml:

      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.jboss.com/ws-security/config
          http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
        <key-store-file>d:/workspace/wsclient/META-INF/client.keystore</key-store-file>
        <key-store-password>client</key-store-password>
        <key-store-type>jks</key-store-type>
        <trust-store-file>d:/workspace/wsclient/META-INF/client.truststore</trust-store-file>
        <trust-store-password>client</trust-store-password>
        <trust-store-type>jks</trust-store-type>
        <config>
          <sign type="jks" alias="client"/>
          <requires>
            <signature/>
          </requires>
        </config>
      </jboss-ws-security>



      standard-jaxws-client-config.xml:

      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
          xsi:schemaLocation="urn:jboss:jaxws-config:2.0 jaxws-config_2_0.xsd">

        <client-config>
          <config-name>Standard WSSecurity Client</config-name>
          <post-handler-chains>
            <javaee:handler-chain>
              <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
              <javaee:handler>
                <javaee:handler-name>WSSecurityHandlerOutbound</javaee:handler-name>
                <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient</javaee:handler-class>
              </javaee:handler>
            </javaee:handler-chain>
          </post-handler-chains>
        </client-config>

      </jaxws-config>
      


      Thank you!

        • 1. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
          timeagentess

          I intercepted the SOAP messages being sent, and it seems that the client signs the message, but the service does not answer in kind.

          When setting up the client and server for message encryption, the same thing occurs -- the client correctly encrypts the outgoing message,
          but then this error appears:

          Endpoint {http://localhost:8080/atb}WSTwoServiceBeanPort does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData


          Does this vaguely mean that the service is not able to properly encrypt its response? Maybe this rings a bell for someone.

          Thank you!

          • 2. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
            timeagentess

            Tried out the same configuration in JBoss 4.2.2 with JBossWS 3.0.2, thinking maybe there was some bug which was fixed in the meantime.

            However, I am getting the same errors, which leads me to think that I must be doing something extremely stupid.
            Doesn't anybody have any clue about this? I appreciate any and every suggestion (even if it's an angry "RTFM" reply :D )

            • 3. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
              asoldano

              Hi, as a general suggestion, I first of all suggest you try using some more recent versions of both JBoss AS and JBossWS.
              This said:

              "timeagentess" wrote:

              ERROR [SOAPFaultHelperJAXWS] SOAP request exception
              javax.xml.ws.addressing.AddressingException: Required element {http://www.w3.org/2005/08/addressing}Action is missing

              at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.getRequiredHeaderContent(SOAPAddressingPropertiesImpl.java:71)
              at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.readHeaders(SOAPAddressingPropertiesImpl.java:141)
              at org.jboss.ws.extensions.addressing.jaxws.WSAddressingServerHandler.handleInbound(WSAddressingServerHandler.java:82)
              [...]

              You get this message because you're using WS-Addressing and the Action header is missing in your SOAP message. This is not related to WS-Security.



              @HandlerChain(file="resource://META-INF/standard-jaxws-endpoint-config.xml")
              @EndpointConfig(configName = "Standard WSSecurity Endpoint")


              Since you're using the standard endpoint configuration, you should try simplifying your configuration a bit (to better track down what's happening), i.e. remove the @HandlerChain annotation and forget about the standard-jaxws-endpoint-config.xml file (you already have the "Standard WSSecurity Endpoint" in the configuration that is automatically loaded by jbossws).


              Regarding this:

              Endpoint {http://localhost:8080/atb}WSTwoServiceBeanPort does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData

              Under which conditions did you get this? Try looking at the log and verify that the security handler on the server side is configured (the ws-security conf is selected).

              • 4. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                timeagentess

                 

                "alessio.soldano@jboss.com" wrote:
                Hi, as a general suggestion, I first of all suggest you try using some more recent versions of both JBoss AS and JBossWS.

                Hi, thanks for the suggestions! As a matter of fact, I am using JBoss 4.2.2 and JBossWS 3.0.2 now, with the same problems. Some more answers/questions for each of your points below.

                You get this message because you're using WS-Addressing and the Action header is missing in your SOAP message. This is not related to WS-Security.

                Have I inadvertently activated WS-Addressing? (that was most certainly not my intention). I thought for using WS-Addressing one has to have an annotation like this on the web service class: @EndpointConfig(configName = "Standard WSAddressing Endpoint") ?


                Endpoint {http://localhost:8080/atb}WSTwoServiceBeanPort does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData

                Under which conditions did you get this? Try looking at the log and verify that the security handler on the server side is configured (the ws-security conf is selected).


                I got this when requesting encryption in both client and service jboss-wsse-****.xml
                I'm not sure if this part of the log is what you referred to, but the security config seems to be null:
                2008-06-30 15:23:36,422 DEBUG [org.jboss.system.ServiceConfigurator] SecurityConf set to [security: null] in jboss.mq.destination:service=Topic,name=testTopic
                2008-06-30 15:23:36,422 DEBUG [org.jboss.mq.server.jmx.Topic.testTopic] Setting securityConf: [security: null]


                On the service endpoint it seems to be ok:
                ServerEndpointMetaData:
                type=JAXWS
                qname={http://wsthree.ws.atb.com/}WSThreeServiceBeanPort
                [...]
                configFile=META-INF/standard-jaxws-endpoint-config.xml
                configName=Standard WSSecurity Endpoint
                authMethod=null
                transportGuarantee=null
                secureWSDLAccess=false
                properties={}


                (I suppose META-INF/standard-jaxws-endpoint-config.xml is taken from the JBossWS.sar deployment, as it is not present in my web service deployment anymore? )

                And a bit lower in the log file the handler seems to be ok as well:
                HandlerMetaDataJAXWS:
                type=POST
                name=WSSecurity Handler
                class=class org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer
                params=[]
                protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
                services=null
                ports=null


                ------------------------------------------------

                Anyway, to sum up what I have now and what does not work:

                Web service:
                @WebService
                @SOAPBinding(style = javax.jws.soap.SOAPBinding.Style.DOCUMENT,
                 use = javax.jws.soap.SOAPBinding.Use.LITERAL,
                 parameterStyle = javax.jws.soap.SOAPBinding.ParameterStyle.WRAPPED)
                @EndpointConfig(configName = "Standard WSSecurity Endpoint")
                public class WSThreeServiceBean implements WSThreeRemoteInterface {
                    @WebMethod
                    public String hello(String input) {
                        return "Hello, " + input + "!";
                    }
                }


                In the META-INF folder there is the keystore, truststore and jboss-wsse-server.xml

                Client:
                [...]
                securityURL = new File("META-INF/jboss-wsse-client.xml").toURL();
                ((StubExt)wsthree).setSecurityConfig(securityURL.toExternalForm());
                ((StubExt)wsthree).setConfigName("Standard WSSecurity Client");
                


                with keystore, truststore and jboss-wsse-client.xml in the META-INF (client is standalone).

                Both service and client request messages to be signed.
                Tracing the SOAP messages, looks like the client sends a properly signed message, which the service receives, then answers without signing the message.
                The client replies with "This service requires <wsse:Security>, which is missing.", which is logical, since the service sent an unsigned message.

                If I comment out ((StubExt)wsthree).setConfigName("Standard WSSecurity Client"); in the client, the request-reply goes "perfectly": the client sends an unsigned message, and the service answers with an unsigned message as well.

                What is not so clear to me is how to make the web service sign the message -- does it need something else besides the @EndpointConfig annotation and jboss-wsse-server.xml?

                Thank you! (And I really apologize if I am asking stupid questions in the wrong direction, I think I've gotten to the point where I can't see the forest because of the trees anymore...)
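The symptoms traced in the posts above (a missing wsa:Action header, a signed request answered by an unsigned response, and a body whose first element is xenc:EncryptedData reaching operation dispatch) can all be read off a captured message pair. The following is an added example, not code from the thread or from JBossWS; the sample messages, the `urn:example` namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1 (the thread binds ##SOAP11_HTTP), WSS 1.0, XML-DSig, XML-Enc, WS-Addressing
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSA = "http://www.w3.org/2005/08/addressing"


def q(ns, local):
    return "{%s}%s" % (ns, local)


def inspect_envelope(xml_text):
    """Report which security-relevant parts one captured SOAP message carries."""
    # Captured traffic is untrusted input; outside a lab, parse it with a
    # hardened parser (for example defusedxml) instead of plain ElementTree.
    root = ET.fromstring(xml_text)
    header = root.find(q(SOAP, "Header"))
    body = root.find(q(SOAP, "Body"))
    sec = header.find(q(WSSE, "Security")) if header is not None else None
    first = body[0].tag if body is not None and len(body) else None
    return {
        "security_header": sec is not None,
        "signature": sec is not None and sec.find(q(DS, "Signature")) is not None,
        "wsa_action": header is not None and header.find(q(WSA, "Action")) is not None,
        "body_encrypted": first == q(XENC, "EncryptedData"),
        "body_element": first,  # the QName the endpoint dispatches on
    }


def diagnose(request_xml, response_xml):
    """Compare a request/response pair against a 'requires signature' policy."""
    req, resp = inspect_envelope(request_xml), inspect_envelope(response_xml)
    findings = []
    if req["signature"] and not resp["signature"]:
        findings.append("response unsigned: server-side WS-Security config not applied?")
    if req["body_encrypted"]:
        findings.append("request body is xenc:EncryptedData: endpoint must decrypt before dispatch")
    if not req["wsa_action"]:
        findings.append("request has no wsa:Action: rejected if a WS-Addressing handler is active")
    return findings


# Constructed sample messages (signature content elided; only its presence matters here).
ENV = '<env:Envelope xmlns:env="%s">%%s<env:Body>%%s</env:Body></env:Envelope>' % SOAP
SIGNED_HEADER = ('<env:Header><wsse:Security xmlns:wsse="%s">'
                 '<ds:Signature xmlns:ds="%s"/></wsse:Security></env:Header>' % (WSSE, DS))
REQUEST = ENV % (SIGNED_HEADER,
                 '<ns:hello xmlns:ns="urn:example"><arg0>world</arg0></ns:hello>')
RESPONSE = ENV % ("", '<ns:helloResponse xmlns:ns="urn:example">'
                      '<return>Hello, world!</return></ns:helloResponse>')

if __name__ == "__main__":
    for line in diagnose(REQUEST, RESPONSE):
        print(line)
```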

                • 5. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                  brettsc

                  Any followup to this?

                  I'm in a similar situation, I've taken a working EJB-backed web service, added a @EndpointConfig and a /META-INF/jboss-wsse-server.xml that should require a plaintext username token. Testing with soapUi shows that no username token is required when I expected it to fail and require the username.


                  Did I miss a step?
                  1) add @EndpointConfig(configName = "Standard WSSecurity Endpoint")
                  2) create jboss-wsse-server.xml with

                  <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xsi:schemaLocation="http://www.jboss.com/ws-security/config
                      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                    <config>
                      <timestamp ttl="300"/>
                      <requires/>
                    </config>
                  </jboss-ws-security>
                  


                  Client app should fail since I haven't configured it to send any username token at this point.

                  -Brett

                  • 6. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                    timeagentess

                    I've been following the posts of helmutdoe and xinhua earlier, and Alessio Soldano seemed to suggest this might be a bug: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=138474
                    (just scroll down to Alessio's reply)

                    No JIRA issues have been created yet, however, so I have no idea. I have certainly not managed to solve this yet :)

                    Regarding your jboss-wsse-server.xml config, I am not sure, but shouldn't you have something like this:

                    <config>
                    [...]
                      <requires>
                        <signature/>
                      </requires>
                    </config>


                    to require a signature, for instance? At any rate, my guess is that the "requires" tag should not be empty. I think your endpoint does not know it is supposed to require a username token.
                    If you manage to make some progress, please do share! :)

                    • 7. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                      brettsc

                      One step forward....YAY.

                      So in reviewing the server.log file I noticed that despite my adding the @EndpointConfig tag, the "ServerEndpointMetaData:" still showed "configName=Standard Endpoint"

                      This seemed wrong to me :) so after moving the @EndpointConfig to the EJB implementation class, voila I now get, "org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing."

                      As to the jboss-wsse-server.xml config, it seemed odd to me as well that the "requires" tag was empty but that's how it is documented at
                      http://jbws.dyndns.org/mediawiki/index.php?title=WS-Security_options#Username_Token_Authentication

                      As a side note I did at least find the xsd file that documents the config section. It is located in the jbossws-core.jar. Didn't find any documentation on the site that details that so I thought I'd toss it in here for future reference.

                      Also a bug report that alludes to JAAS integration only for SLSB which could be a problem as well
                      http://jira.jboss.org/jira/browse/JBWS-1999


                      Now to get it to actually accept the username token.

                      -Brett
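The check described in the post above, reading the `ServerEndpointMetaData:` dump in server.log to see which `configName` an endpoint actually got, can be automated so that an endpoint silently left on the default configuration is flagged. This is an added example, not code from the thread or from JBossWS; it assumes the log layout matches the excerpts quoted in this thread, and the sample log, qnames and function names are constructed.

```python
import re

EXPECTED = "Standard WSSecurity Endpoint"   # config name used in this thread
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
OTHER_DUMP = re.compile(r"MetaData\w*:$")   # e.g. HandlerMetaDataJAXWS:


def endpoint_configs(log_text):
    """Return {endpoint qname: configName} from ServerEndpointMetaData dumps."""
    configs, qname, in_block = {}, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("ServerEndpointMetaData:"):
            in_block, qname = True, None          # a new endpoint dump starts
        elif TIMESTAMP.match(line) or OTHER_DUMP.search(line):
            in_block = False                      # next log record or another dump
        elif in_block:
            key, sep, value = line.partition("=")
            if sep and key == "qname":
                qname = value
            elif sep and key == "configName" and qname:
                configs[qname] = value
    return configs


def unprotected_endpoints(log_text, expected=EXPECTED):
    """Endpoints whose effective config is not the expected WS-Security one."""
    return sorted(q for q, name in endpoint_configs(log_text).items()
                  if name != expected)


# Constructed log excerpt modelled on the dumps quoted in this thread.
SAMPLE_LOG = """\
2008-07-15 10:00:01,100 DEBUG [constructed.Logger] ServerEndpointMetaData:
type=JAXWS
qname={urn:example}SignedServicePort
configName=Standard WSSecurity Endpoint
authMethod=null
HandlerMetaDataJAXWS:
type=POST
name=WSSecurity Handler
2008-07-15 10:00:02,200 DEBUG [constructed.Logger] ServerEndpointMetaData:
type=JAXWS
qname={urn:example}ForgottenServicePort
configName=Standard Endpoint
authMethod=null
2008-07-15 10:00:03,300 DEBUG [constructed.Logger] unrelated record
"""

if __name__ == "__main__":
    for qname in unprotected_endpoints(SAMPLE_LOG):
        print("no WS-Security config applied:", qname)
```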

                      • 8. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                        brettsc

                        +1 for http://jira.jboss.org/jira/browse/JBWS-2189?page=all

                        Almost got the username token working but the lack of an EncodingType attribute causes it to fail. Any idea on when 3.0.3 will be available?