6 Replies Latest reply on Dec 16, 2010 4:03 AM by asoldano

    Securing a Web Service

    fabboco

      Hi,

       


      I am going crazy trying to secure a Web Service using WS-Security.

       

      I am following this tutorial (which is the only one I have found that is almost complete!!!):

       

      http://www.developer.com//java/other/article.php/3802631/Securing-Web-Services-in-JBoss-Application-Server-with-WS-Security.htm

       

      When I try to call the secured web service from the client using the following command:

       

       

      wsclient.sh -jar myjar.jar ...Client
      

       

      I get the error:

       

       

      Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: This service requires <wsse:Security>, which is missing.
              at org.jboss.ws.core.jaxws.SOAPFaultHelperJAXWS.getSOAPFaultException(SOAPFaultHelperJAXWS.java:84)
              at org.jboss.ws.core.jaxws.binding.SOAP11BindingJAXWS.throwFaultException(SOAP11BindingJAXWS.java:107)
              at org.jboss.ws.core.CommonSOAPBinding.unbindResponseMessage(CommonSOAPBinding.java:579)
              at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:381)
              at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:290)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:170)
              at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
              at $Proxy8.sayHello(Unknown Source)
      

       

      and this appears on the jboss console:

       

      10:50:53,318 ERROR [HandlerChainExecutor] Exception during handler processing
      org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing.
              at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:264)
              at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:94)  
              at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:81)
              at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:39)
              at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)                            
              at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:305)            
              at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:142)            
              at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)   
              at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:125)     
              at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:172)                      
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:474)                      
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)                       
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)                              
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)                   
              at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)                
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)                                                 
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)            
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)                    
              at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)                           
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)            
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)                    
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)                          
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)                          
              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)             
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)                              
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)  
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)                                      
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)                                      
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)                      
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)                                  
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)                                        
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)                                         
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)                   
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)                                            
              at java.lang.Thread.run(Thread.java:619)                                                                              
      10:50:53,319 ERROR [SOAPFaultHelperJAXWS] SOAP request exception                                                              
      org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing.                          
              at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:264)                
              at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:94)                  
              at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:81)          
              at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:39)      
              at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)                                  
              at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:305)                  
              at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:142)                  
              at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)         
              at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:125)           
              at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:172)                            
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:474)                            
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)                             
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)                                    
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)                         
              at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)                      
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)                                                       
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)                  
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)                          
              at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)                                 
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)                  
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)                          
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)                                
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)                                
              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:619)
      10:50:53,322 ERROR [SOAPFaultHelperJAXRPC] SOAP request exception
      javax.xml.rpc.soap.SOAPFaultException: This service requires <wsse:Security>, which is missing.
              at org.jboss.ws.core.jaxrpc.SOAPFaultHelperJAXRPC.exceptionToFaultMessage(SOAPFaultHelperJAXRPC.java:189)
              at org.jboss.ws.core.jaxws.SOAPFaultHelperJAXWS.exceptionToFaultMessage(SOAPFaultHelperJAXWS.java:183)
              at org.jboss.ws.core.jaxws.binding.SOAP11BindingJAXWS.createFaultMessageFromException(SOAP11BindingJAXWS.java:102)
              at org.jboss.ws.core.CommonSOAPBinding.bindFaultMessage(CommonSOAPBinding.java:671)
              at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:285)
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:474)
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
              at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
              at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:619)
      

       

      It looks like the client is not properly configured.

       

      Can anyone help me to understand what is going wrong?

       

      Can anyone point me to a working tutorial or, better, to working sample code?

       

      My environment is:

       

      1) Jboss-5.1.0.GA

      2) JDK 1.6.0_12-b04

       

       

      Thank you.

       

      Regards

       

      Fab.

        • 1. Re: Securing a Web Service
          fabboco

          Anyone?

           

          Please, at least let me know what procedure or tool to use to find out what's wrong.

          • 2. Re: Securing a Web Service
            earnest.dyke

            Do you have a jboss-wsse-client.xml on your classpath? This is what tells the client to generate the wsse:Security tags.

             

            Earnie!

            • 3. Re: Securing a Web Service
              fabboco

              Earnie,

               

              thank you for your answer.

               

              I put everything in a jar file and the file you mentioned is in the META-INF directory. That is what the tutorial I have found suggests.

               

              Fab.

              • 4. Re: Securing a Web Service
                earnest.dyke

                Fab,

                 

                Make sure your jboss-wsse-client.xml has <requires><signature/></requires> not just <requires/>. Without this the security handler is never called and thence no wsse entries are added.

                 

                Earnie!

                • 5. Re: Securing a Web Service
                  fabboco

                  Earnie,

                   

                  my jboss-wsse-client.xml contained <requires><encryption/></requires>.

                   

                  I have changed it as you suggested but I get the same error!!

                   

                  This is my updated file.

                   

                   

                  <?xml version="1.0" encoding="UTF-8"?>
                  <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                      <key-store-file>META-INF/client.keystore</key-store-file>
                      <key-store-password>password</key-store-password>
                      <key-store-type>jks</key-store-type>
                      <trust-store-file>META-INF/client.truststore</trust-store-file>
                      <trust-store-password>password</trust-store-password>
                      <trust-store-type>jks</trust-store-type>
                      <key-passwords>
                          <key-password alias="server" password="password" />
                      </key-passwords>
                      <config>
                          <encrypt type="x509v3" alias="server" />
                          <requires>
                                  <signature />
                          </requires>
                      </config>
                  </jboss-ws-security>
                  

                   

                  Tks

                   

                  Fab.

                  • 6. Re: Securing a Web Service
                    asoldano

                    The mentioned tutorial is quite old (it references JBossWS 2.x ...)

                    We do have multiple maintained samples in the sources (see jbossws-native testsuite for instance) that use WS-Security and that you can take a look at.

                    One of them also comes with tutorial-like documentation, see http://community.jboss.org/wiki/JBossWS-Securityandattachmentssample .

                    Besides that documentation available at [1] and [2], there're also many user forum discussions on the topic, for instance the one listed above: http://community.jboss.org/message/338346#338346

                     

                    [1] http://community.jboss.org/wiki/JBossWS-NativeUserGuide#WSSecurity

                    [2] http://community.jboss.org/wiki/JBossWS-WS-Securityoptions
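
One way to see on which side the fault in this thread originates, as an added example that is not part of the original posts or of JBossWS: the Python code below inspects a captured client request for the wsse:Security header and for the parts a `<requires>` block asks for. The function name, the sample envelopes and the `urn:example:hello` namespace are constructed for illustration, and the checks are a simplified approximation of what the server enforces.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def ws_security_gaps(envelope_xml, requires=("signature",)):
    """List what a captured SOAP request lacks for the given requirements.

    Simplified approximation for troubleshooting, not JBossWS's own logic;
    it checks presence only and verifies no signature or certificate.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        # The case behind "This service requires <wsse:Security>, which is missing."
        return ["no wsse:Security header"]
    gaps = []
    if "signature" in requires and security.find("ds:Signature", NS) is None:
        gaps.append("no ds:Signature in wsse:Security")
    if "encryption" in requires:
        body = root.find("soap:Body", NS)
        if body is None or body.find(".//xenc:EncryptedData", NS) is None:
            gaps.append("SOAP Body carries no xenc:EncryptedData")
    return gaps

# Constructed sample requests (not captured from the poster's system).
PLAIN_REQUEST = """
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body><ns:sayHello xmlns:ns="urn:example:hello"/></env:Body>
</env:Envelope>"""

SIGNED_REQUEST = """
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    </wsse:Security>
  </env:Header>
  <env:Body><ns:sayHello xmlns:ns="urn:example:hello"/></env:Body>
</env:Envelope>"""

if __name__ == "__main__":
    print(ws_security_gaps(PLAIN_REQUEST))
    print(ws_security_gaps(SIGNED_REQUEST))
    print(ws_security_gaps(SIGNED_REQUEST, requires=("signature", "encryption")))
```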