5 Replies Latest reply on Jul 30, 2009 2:31 AM by beve

    WSSecurityInfoExtractor problem

    michal.domagala

      Hi All,

      I've got a problem implementing a web service using JBoss ESB. I've implemented the service according to the received wsdl specification. I used jboss-ws and a jbr provider/listener. The key elements of the configuration are as follows:

      <jbr-provider name="JBR-Http" protocol="http" host="0.0.0.0">
       <jbr-bus busid="Http-9001" port="9001" />
      </jbr-provider>
      ...
      <listeners>
       <jbr-listener name="Http-Gateway" busidref="Http-9001" is-gateway="true" />
      
       <jms-listener name="JMS-ESBListener" busidref="sproJMSChannel" />
      </listeners>
      ...
      <action name="processSoap" class="org.jboss.soa.esb.actions.soap.SOAPProcessor">
       <property name="jbossws-endpoint" value="MyEndpoint" />
      </action>
      


      When I invoke the service JBoss ESB thows something like:
      [JBossRemotingGatewayListener] JBoss Remoting Gateway failed to synchronously deliver message to target service [SympacB2B:ComarchBSFacade].
      org.milyn.SmooksException: Unable to filter InputStream for target profile [org.milyn.profile.Profile#default_profile].
       at org.milyn.delivery.dom.SmooksDOMFilter.filter(SmooksDOMFilter.java:290)
       at org.milyn.delivery.dom.SmooksDOMFilter.doFilter(SmooksDOMFilter.java:238)
       at org.milyn.Smooks._filter(Smooks.java:341)
       at org.milyn.Smooks.filter(Smooks.java:319)
       at org.milyn.Smooks.filter(Smooks.java:292)
       at org.jboss.soa.esb.services.security.auth.ws.WSSecurityInfoExtractor.extractSecurityInfo(WSSecurityInfoExtractor.java:97)
       at org.jboss.soa.esb.listeners.gateway.JBossRemotingGatewayListener$JBossRemotingMessageComposer.populateMessage(JBossRemotingGatewayListener.java:534)
       at org.jboss.soa.esb.listeners.gateway.JBossRemotingGatewayListener$JBossRemotingMessageComposer.populateMessage(JBossRemotingGatewayListener.java:494)
      


      The SOAP message body I use contains a <ns:Username> xml element. When such an element is used in a soap message (regardless of the namespace) JbossESB goes crazy and tries to use it as authentication information.

      As far as I can tell, the problem lies in WSSecurityInfoExtractor which uses preconfigured smooks to retrieve authentication info from the soap message. I have absolutely no intention of using <ns:Username> tag this way and have no idea how to override this behavior.

      Any suggestions? Changing the wsdl is not an option ;-)

        • 1. Re: WSSecurityInfoExtractor problem
          beve

          Hi,

          could you post an example of your SOAP Message (or send it to me) and I'll take a look.

          Thanks,

          /Daniel

          • 2. Re: WSSecurityInfoExtractor problem
            michal.domagala

            A sample message:

            <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:fac="http://my-supercool-namespace/">
             <soapenv:Header/>
             <soapenv:Body>
             <fac:GetConfigList>
             <fac:req>
             <fac:CustomerId>123</fac:CustomerId>
             <fac:UserName>John</fac:UserName>
             <fac:MaxNumRows>100</fac:MaxNumRows>
             </fac:req>
             </fac:GetConfigList>
             </soapenv:Body>
            </soapenv:Envelope>
            


            Frankly, the described behavior looks like a bug, either in Smooks or in ESB config (smooks-ws-security.xml in jbossesb-rosetta.jar). Even if there's no way to prevent JBoss from extracting the security info I'd imaging that smooks should analyze only the soap header, not the body. And as far as I understand the smooks config file smooks-ws-security.xml it seems to confirm my assumption (see: the selector)

            <resource-config selector="Envelope/Header/Security/UsernameToken">
             <resource>org.milyn.javabean.BeanPopulator</resource>
             <param name="beanId">userNameToken</param>
             <param name="beanClass">org.jboss.soa.esb.services.security.auth.ws.UsernameToken</param>
             <param name="bindings">
             <binding property="userName" selector="Username" default="" />
             <binding property="password" selector="Password" />
             </param>
            </resource-config>


            BTW: I use jbossesb-server-4.5.GA (with smooks version 1.1.1)

            • 3. Re: WSSecurityInfoExtractor problem
              beve

               

              Frankly, the described behavior looks like a bug, either in Smooks or in ESB config (smooks-ws-security.xml in jbossesb-rosetta.jar). Even if there's no way to prevent JBoss from extracting the security info I'd imaging that smooks should analyze only the soap header, not the body. And as far as I understand the smooks config file smooks-ws-security.xml it seems to confirm my assumption (see: the selector)

              Yeah, you are right about that. Sorry for this.

              Could you try updating org/jboss/soa/esb/services/security/auth/ws/smooks-ws-security.xml in deploy/jbossesb.sar/lib/jbossesb-rosetta.jar with this:
              <?xml version="1.0"?>
              <smooks-resource-list xmlns="http://www.milyn.org/xsd/smooks-1.0.xsd">
              
               <resource-config selector="global-parameters">
               <param name="stream.filter.type">SAX</param>
               </resource-config>
              
               <resource-config selector="/Envelope/Header/Security/UsernameToken">
               <resource>org.milyn.javabean.BeanPopulator</resource>
               <param name="beanId">userNameToken</param>
               <param name="beanClass">org.jboss.soa.esb.services.security.auth.ws.UsernameToken</param>
               <param name="bindings">
               <binding property="userName" selector="/Envelope/Header/Security/UsernameToken/Username" default="" />
               <binding property="password" selector="/Envelope/Header/Security/UsernameToken/Password" />
               </param>
               </resource-config>
              
               <resource-config selector="/Envelope/Header/Security/BinarySecurityToken">
               <resource>org.milyn.javabean.BeanPopulator</resource>
               <param name="beanId">binarySecurityToken</param>
               <param name="beanClass">org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken</param>
               <param name="bindings">
               <binding property="encodingType" selector="/Envelope/Header/Security/BinarySecurityToken/@EncodingType" />
               <binding property="valueType" selector="/Envelope/Header/Security/BinarySecurityToken/@ValueType" />
               <binding property="key" selector="/Envelope/Header/Security/BinarySecurityToken" />
               </param>
               </resource-config>
              
              </smooks-resource-list>

              This would support your example and also a body looking like this:
              <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:fac="http://my-supercool-namespace/">
               <soapenv:Header/>
               <soapenv:Body>
               <fac:GetConfigList>
               <fac:req>
               <fac:CustomerId>123</fac:CustomerId>
               <fac:UserName>John</fac:UserName>
               <fac:MaxNumRows>100</fac:MaxNumRows>
               </fac:req>
               <fac:UsernameToken>
               <fac:UserName>John</fac:UserName>
               </fac:UsernameToken>
               </fac:GetConfigList>
               </soapenv:Body>
              </soapenv:Envelope>


              I'll create a jira for this so that it can be tracked.
              Thanks for reporting this and sorry for the inconvenience.

              Regards,

              /Daniel

              • 4. Re: WSSecurityInfoExtractor problem
                michal.domagala

                Awesome! Looks like it works alright.

                Thanks a lot for your help!

                All the best,
                Michal

                • 5. Re: WSSecurityInfoExtractor problem
                  beve

                  Hi Michal,

                  glad to hear that it work:)

                  Here is the jira for this issue: https://jira.jboss.org/jira/browse/JBESB-2763
                  I'm going to add namespaces for the elements as well so that we are guaranteed this will not happen again.

                  Regards,

                  /Daniel