20 Replies Latest reply on Feb 26, 2008 12:41 PM by mrostan

    MTOM + WS Security = problem

    mr_d

      Hello,

      Has anyone tried to have a web service with mtom *and* ws security activated?

      I did some tests with a web service as an ejb3 stateless bean and a Java standalone client (using the client parts of JbossWS): mtom only works, ws-security only works. But when I enable both, I get an exception:

      javax.xml.ws.soap.SOAPFaultException: Endpoint {http://foo.org/mtom}ServiceImpl does not contain
      operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData

      If I inspect the network communication, the client seems to use ws-security and put all the data as an encrypted envelope. There is no binary attachment anymore. On the server side, it seems that ws-security cannot be enabled with mtom, as the exception suggests.

      Maybe the two standards are not compatible to work together. I didn't find any information that says: no, no, no don't use mtom with ws-security.

      Thanks in advance for any enlightenment,

      Let me know if my description is not clear enough,

      best regards,

      :oD.

        • 1. Re: MTOM + WS Security = problem

          Hello,
          I did it,
          and I got the attachment inlined in the soap body
          encrypted (is it right?).

          Be sure you annotated the service implementation class

          @BindingType(javax.xml.ws.soap.SOAPBinding.SOAP11HTTP_MTOM_BINDING)
          @EndpointConfig(configName = "Standard WSSecurity Endpoint")
          public class ServiceCipheredSignedImpl implements ServiceCipheredSigned {

              // Bla bla ...

          }
          


          • 2. Re: MTOM + WS Security = problem
            mr_d

            Hello davideling,

            Thanks for your reply,

            My annotations on my service implementation are:

            @BindingType(javax.xml.ws.soap.SOAPBinding.SOAP11HTTP_MTOM_BINDING)
            @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, parameterStyle = SOAPBinding.ParameterStyle.BARE)
            @EndpointConfig(configName = "Standard WSSecurity Endpoint")
            


            as suggested in http://jbws.dyndns.org/mediawiki/index.php/JAX-WS_User_Guide#MTOM.2FXOP.

            If I try your annotations (without @SOAPBinding) I have the same exception:

            javax.xml.ws.soap.SOAPFaultException: Endpoint {http://foo.org/mtom}ServiceImpl does not contain
            operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData
            


            Now, the weird part: If I disable ws security on the client part, it works (even if on the server side I have @EndpointConfig(configName = "Standard WSSecurity Endpoint")). As I said in my first post, when I activate mtom and ws-security, it seems that only mtom works, so if my client sends an encrypted soap message, the server will not know how to handle it and will throw the exception.

            You said you've got the attachment inlined. I don't know what a soap message looks like using mtom + ws security, but mtom is supposed to use multi parts, isn't it? So, are you sure that ws security has not disabled mtom?

            Well, maybe I need to dig more information

            :oD.


            • 3. Re: MTOM + WS Security = problem

              Ehm... sorry, my last reply was only a code snippet...

              Service implementation

              @WebService(endpointInterface = "serviceJBossCipheredSigned.ServiceJBossCipheredSigned",
                          portName = "ServiceJBossCipheredSignedSOAP",
                          serviceName = "ServiceJBossCipheredSigned")
              @BindingType(javax.xml.ws.soap.SOAPBinding.SOAP11HTTP_MTOM_BINDING)
              @EndpointConfig(configName = "Standard WSSecurity Endpoint")
              public class ServiceJBossCipheredSignedImpl implements ServiceJBossCipheredSigned {
                  // bla bla ...
              }
              


              Service configuration (jboss-wsse-service.xml):
              <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                <key-store-file>WEB-INF/wsse.keystore</key-store-file>
                <key-store-password>jbossws</key-store-password>
                <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
                <trust-store-password>jbossws</trust-store-password>
                <config>
                  <encrypt type="x509v3" alias="wsseClient"/>
                  <sign type="x509v3" alias="wsseServer"/>
                  <requires>
                    <signature/>
                    <encryption/>
                    <username/>
                  </requires>
                </config>
              </jboss-ws-security>
              


              Client implementation:
              public void testInvocation() throws Exception {

                  // 1) Service
                  Service service = Service.create(
                      new File("wsdl/mywsdl.wsdl").toURL(),
                      new QName("http://serviceJBossCipheredSigned/",
                                "ServiceJBossCipheredSigned"));

                  // Configuration file WS-Security
                  ((ServiceExt) service).setSecurityConfig("META-INF/jboss-wsse-client.xml");

                  // 2) Port Creation
                  ServiceJBossCipheredSigned port = (ServiceJBossCipheredSigned) service.getPort(
                      new QName("http://serviceJBossCipheredSigned/",
                                "ServiceJBossCipheredSignedSOAP"),
                      ServiceJBossCipheredSigned.class);

                  // Enable MTOM
                  SOAPBinding binding = (SOAPBinding) ((BindingProvider) port).getBinding();
                  binding.setMTOMEnabled(true);

                  // Enable WS-Security on port
                  ((StubExt) port).setConfigName("Standard WSSecurity Client");

                  // Set endpoint address
                  Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
                  reqContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://bla bla");

                  // Set username and password
                  reqContext.put(Stub.USERNAME_PROPERTY, "myUsername");
                  reqContext.put(Stub.PASSWORD_PROPERTY, "myPassword");

                  // ... bla bla and invocation
              }
              


              Client configuration
              <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">

                <key-store-file>META-INF/wsse.keystore</key-store-file>
                <key-store-password>jbossws</key-store-password>
                <trust-store-file>META-INF/wsse.truststore</trust-store-file>
                <trust-store-password>jbossws</trust-store-password>

                <config>
                  <username/>
                  <encrypt type="x509v3" alias="wsseServer"/>
                  <sign type="x509v3" alias="wsseClient"/>
                  <requires>
                    <signature/>
                    <encryption/>
                  </requires>
                </config>

              </jboss-ws-security>
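Added example (editor's note, not code from anyone in this thread or from JBossWS): a Python cross-check of the service and client configs posted above. The pair has to agree in two ways: everything one side lists under <requires> must be produced by the other side's <config>, and the key aliases must pair up, the client encrypting to the alias the service signs with and the service encrypting to the alias the client signs with. The script reads the config the usual way, which is an assumption: <sign alias> is the signer's own private key in its key-store, <encrypt alias> is the peer's certificate in its trust-store, and a party's key keeps the same alias in every store (as wsseServer and wsseClient do here). The two configs are copied from this reply with the xsi attributes dropped; the third, broken client config is constructed.

```python
"""Cross-check a JBossWS WS-Security service config against the client config.

Added example; not code from the thread or from JBossWS. Assumes the usual
reading of jboss-ws-security: <sign alias> = own private key, <encrypt alias> =
peer certificate, <requires> = what incoming messages must carry, and that a
party's key has the same alias in every store (true of the posted configs).
"""
import xml.etree.ElementTree as ET

NS = "{http://www.jboss.com/ws-security/config}"


def read_side(xml_text: str) -> dict:
    """Extract the parts of <config> that matter for the cross-check."""
    cfg = ET.fromstring(xml_text).find(f"{NS}config")
    enc, sig, req = (cfg.find(f"{NS}{tag}") for tag in ("encrypt", "sign", "requires"))
    return {
        "username": cfg.find(f"{NS}username") is not None,
        "encrypt_to": enc.get("alias") if enc is not None else None,   # peer's certificate
        "sign_with": sig.get("alias") if sig is not None else None,    # own private key
        "requires": {c.tag[len(NS):] for c in req} if req is not None else set(),
    }


def produces(side: dict) -> set:
    """What an outgoing message from this side will carry."""
    out = set()
    if side["sign_with"]:
        out.add("signature")
    if side["encrypt_to"]:
        out.add("encryption")
    if side["username"]:
        out.add("username")
    return out


def cross_check(service: dict, client: dict) -> list:
    """Return human-readable problems; an empty list means the pair is consistent."""
    problems = []
    for who, own, peer_name, peer in (("service", service, "client", client),
                                      ("client", client, "service", service)):
        missing = own["requires"] - produces(peer)
        if missing:
            problems.append(f"{who} requires {sorted(missing)} but the {peer_name} config does not produce them")
    # Key pairing: what one side encrypts to must be the alias the other side signs with.
    if client["encrypt_to"] != service["sign_with"]:
        problems.append(f"client encrypts to '{client['encrypt_to']}' but service signs with '{service['sign_with']}'")
    if service["encrypt_to"] != client["sign_with"]:
        problems.append(f"service encrypts to '{service['encrypt_to']}' but client signs with '{client['sign_with']}'")
    return problems


# Copied from the thread (xsi attributes dropped).
SERVICE_CONFIG = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <key-store-file>WEB-INF/wsse.keystore</key-store-file>
  <key-store-password>jbossws</key-store-password>
  <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
  <trust-store-password>jbossws</trust-store-password>
  <config>
    <encrypt type="x509v3" alias="wsseClient"/>
    <sign type="x509v3" alias="wsseServer"/>
    <requires><signature/><encryption/><username/></requires>
  </config>
</jboss-ws-security>"""

CLIENT_CONFIG = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <key-store-file>META-INF/wsse.keystore</key-store-file>
  <key-store-password>jbossws</key-store-password>
  <trust-store-file>META-INF/wsse.truststore</trust-store-file>
  <trust-store-password>jbossws</trust-store-password>
  <config>
    <username/>
    <encrypt type="x509v3" alias="wsseServer"/>
    <sign type="x509v3" alias="wsseClient"/>
    <requires><signature/><encryption/></requires>
  </config>
</jboss-ws-security>"""

# Constructed: client encrypts to its own certificate and sends no UsernameToken.
BAD_CLIENT_CONFIG = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config>
    <encrypt type="x509v3" alias="wsseClient"/>
    <sign type="x509v3" alias="wsseClient"/>
    <requires><signature/><encryption/></requires>
  </config>
</jboss-ws-security>"""

if __name__ == "__main__":
    svc = read_side(SERVICE_CONFIG)
    print("posted pair:", cross_check(svc, read_side(CLIENT_CONFIG)) or "consistent")
    print("broken client:", cross_check(svc, read_side(BAD_CLIENT_CONFIG)))
```

The posted pair comes out consistent; the constructed client fails twice, once because the service requires a UsernameToken the client never sends and once because the client encrypts to wsseClient while the service signs (and therefore decrypts) with wsseServer, which is a message the service could never open.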
              


              • 4. Re: MTOM + WS Security = problem
                richard_opalka

                "mr_d" wrote:
                Maybe the two standards are not compatible to work together. I didn't find any information that says: no, no, no don't use mtom with ws-security.

                Hi mr_d,

                MTOM + WS-Security are fully compatible standards. MTOM is a new attachment approach and was designed with WS security in mind. Before MTOM, e.g. using standard WS attachments or SWA ref attachments, users were unable to use these attachments in conjunction with WS Security.
                With MTOM you can ;-)

                Rio

                • 5. Re: MTOM + WS Security = problem

                  Ok,
                  but does the MTOM attachment have to be inlined or not
                  when WS-Security signature or encryption is activated?

                  Thanks

                  • 6. Re: MTOM + WS Security = problem
                    mr_d

                    Hello,

                    Thanks for your answers,

                    @richard_opalka:
                    I agree, they are compatible, so to use attachments with WS Security, MTOM is the only and right way.

                    @davideling:
                    I have the same config. As I said on my first post, mtom only works, and ws security only also works.

                    Are you sure that your encrypted soap envelope is created using mtom?
                    Can you post one of your soap messages? And also the parameters of the exposed method or the wsdl file?

                    I tried to get some soap message examples where mtom + ws security are enabled.
                    I found two:
                    -http://wso2.org/files/rampart-tute.pdf [page 81]
                    -http://msdn2.microsoft.com/en-US/library/aa738574.aspx[bottom of the page]

                    In these two messages, we can see that:

                    - Content-Type contains "multipart/related" and type="application/xop+xml"
                    - In the body of the soap message, there is a "xop:Include" element
                    - In the body of the soap message, there is a "CipherData" and a "CipherValue" element
                    - The attachment is in an encrypted mime part

                    The first two points are the proof that mtom is enabled.
                    The last ones indicate that ws security is active too.

                    I'm trying to achieve this kind of message with JbossWS. So far, no luck.

                    :oD.

                    • 7. Re: MTOM + WS Security = problem

                      Thank you for your links mr_d, they are very interesting.

                      Now I'm sure that my Web Service's behaviour is not correct :-( .

                      Request Headers

                      POST /servizioJBossCipheredSigned/ServizioJBossCipheredSigned?datatype=JBossWSMessage HTTP/1.1
                      Authorization: Basic bXlVc2VybmFtZTpteVBhc3N3b3Jk
                      SOAPAction: ""
                      Content-Type: text/xml; charset=UTF-8
                      JBoss-Remoting-Version: 22
                      User-Agent: JBossRemoting - 2.2.0 SP4 (Bluto)
                      Host: 127.0.0.1:8181
                      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
                      Connection: keep-alive
                      Content-Length: 503592

                      Response Headers

                      HTTP/1.1 200 OK
                      Server: Apache-Coyote/1.1
                      X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5
                      Content-Type: text/xml;charset=UTF-8
                      Transfer-Encoding: chunked
                      Date: Mon, 25 Jun 2007 13:22:57 GMT
                      
                      


                      • 8. Re: MTOM + WS Security = problem

                        Exposed interface method

                        @WebMethod
                        @WebResult(name = "responseMessage")
                        public ResponseMessage eleaborateMessage(
                                @WebParam(name = "requestMessage") RequestMessage message);

                        Request bean

                        public class RequestMessage implements Serializable {

                            ...

                            private DataHandler attachment;

                            @XmlMimeType("application/pdf")
                            public DataHandler getAttachment() {
                                return attachment;
                            }

                            public void setAttachment(DataHandler attachment) {
                                this.attachment = attachment;
                            }

                            ...

                        }
                        


                        The attachment arrive correctly to destination... but it's not an attachment! ;)


                        • 9. Re: MTOM + WS Security = problem
                          richard_opalka

                           

                          "davideling" wrote:
                          Ok,
                          but have the MTOM attachment to be inlined or not
                          when WS-Security signature or encryption is activated?

                          Thanks


                          MTOM attachments do not need to be inlined.

                          For example Microsoft Indigo and some other Java stacks (I don't know if JBossWS too)
                          provide some kind of "MTOM SAAJ Text Element",
                          which contains just MIME attachment id as its content (when you're
                          sniffing the wire communication). However from SOAP stack point of view when
                          some other SAAJ handler that is in the handler chain tries to read
                          the content of this special text element, it will obtain attachment binary data
                          encoded in base64 canonical format instead of the attachment id.
                          However on the wire it goes as the MIME attachment.

                          This has also some performance consequences. For example if application
                          sends MTOM in the form of MIME attachment and there's some handler in
                          the handler chain that needs to work with this MTOM attachment content
                          (e.g. WSSecurity SAAJ handler), this attachment must be encoded to base64 canonical
                          format and that value is returned to the requestor. When
                          processing really big attachments this fact causes real performance issues.

                          Rio

                          • 10. Re: MTOM + WS Security = problem

                            Hello Rio,
                            I agree with you.

                            Do You know how to develop a
                            JBossWS Web Service with both attachment and
                            WS-Security encryption?

                            • 11. Re: MTOM + WS Security = problem

                              This time I'm trying a simpler example
                              MTOM/WS-Security only with username and password

                              In my service client,
                              if I comment out

                              // ((StubExt) port).setConfigName("Standard WSSecurity Client");


                              I get MTOM working correctly

                              POST /servizioJBossWSSEAttachment/ServizioWSSEAttachment?datatype=JBossWSMessage HTTP/1.1
                              Authorization: Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk
                              SOAPAction: ""
                              Content-Type: multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>";
                               start-info="text/xml";
                               boundary="----=_Part_0_31571602.1182853646985"
                              JBoss-Remoting-Version: 22
                              User-Agent: JBossRemoting - 2.2.0 SP4 (Bluto)
                              Host: localhost:8181
                              Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
                              Connection: keep-alive
                              Content-Length: 453280
                              
                              
                              ------=_Part_0_31571602.1182853646985
                              Content-Type: application/xop+xml; type="text/xml"
                              Content-Transfer-Encoding: 8bit
                              Content-ID: <rootpart@ws.jboss.org>
                              
                              <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'><env:Header></env:Header><env:Body><ns1:inputMessage xmlns:ns1="http://www.tai.it/ServizioWSSEAttachment"><attachment><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="cid:attachment-6707b7bd-51d9-4d4f-b133-f0a4774a2874@ws.jboss.org"/></attachment><name>Davide</name><surname>Ling</surname></ns1:inputMessage></env:Body></env:Envelope>
                              ------=_Part_0_31571602.1182853646985
                              Content-Type: application/octet-stream
                              Content-Transfer-Encoding: binary
                              Content-Id: <attachment-6707b7bd-51d9-4d4f-b133-f0a4774a2874@ws.jboss.org>
                              
                              %PDF-1.4
                              blablabla...
                              


                              But if I enable WS-Security MTOM doesn't work any more.
                              The client doesn't send a multipart related message,
                              but inserts the xop:include tag with the attachment reference.

                              I use JBoss 4.2.0 GA, JDK 1.5.0_12 on Linux 32 bit

                              POST /servizioJBossWSSEAttachment/ServizioWSSEAttachment?datatype=JBossWSMessage HTTP/1.1
                              Authorization: Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk
                              SOAPAction: ""
                              Content-Type: text/xml; charset=UTF-8
                              JBoss-Remoting-Version: 22
                              User-Agent: JBossRemoting - 2.2.0 SP4 (Bluto)
                              Host: localhost:8181
                              Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
                              Connection: keep-alive
                              Content-Length: 828
                              
                              <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
                              <env:Header>
                              <wsse:Security env:mustUnderstand='1' ... >
                              <wsse:UsernameToken wsu:Id='token-1-1182854743065-9708927'>
                              <wsse:Username>myusername</wsse:Username>
                              <wsse:Password>mypassword</wsse:Password>
                              </wsse:UsernameToken></wsse:Security>
                              </env:Header>
                              <env:Body>
                              <ns1:inputMessage xmlns:ns1='http://www.tai.it/ServizioWSSEAttachment'>
                              <attachment>
                              <xop:Include href='cid:attachment-f4e31927-67ed-4162-8a0e-86e53e96b316@ws.jboss.org' xmlns:xop='http://www.w3.org/2004/08/xop/include'/>
                              </attachment>
                              <name>Davide</name>
                              <surname>Ling</surname>
                              </ns1:inputMessage>
                              </env:Body>
                              </env:Envelope>
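Added example (editor's note, not code from anyone in this thread or from JBossWS): a small Python script that applies the checklist from reply 6 to captured requests like the two above, so the MTOM / WS-Security state can be read off the wire instead of inferred from the client API. It reports whether the Content-Type is multipart/related with type="application/xop+xml", whether every xop:Include href="cid:..." resolves to a MIME part of the same message, and whether a wsse:Security header or xenc:EncryptedData is present. The three sample requests inside it are constructed, modelled on the captures posted here and on the Rampart / WCF message shape; the path, cids and payload bytes are made up.

```python
"""Wire-level check: is MTOM really on the wire, and is WS-Security present?

Added example; not code from this thread or from JBossWS. MTOM is only really
in use if the request is multipart/related with type="application/xop+xml" AND
every xop:Include href="cid:..." resolves to a MIME part of the same message;
WS-Security shows up as a wsse:Security header, encryption as xenc:EncryptedData.
The sample requests at the bottom are constructed (paths, cids, payload bytes).
"""
import email
import urllib.parse
import xml.etree.ElementTree as ET
from email import policy

XOP = "{http://www.w3.org/2004/08/xop/include}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"


def inspect_request(raw: bytes) -> dict:
    """Parse one captured HTTP request and report the MTOM / WS-Security indicators."""
    _request_line, _, rest = raw.partition(b"\r\n")  # drop "POST ... HTTP/1.1"
    # HTTP headers + body have the same shape as a MIME message, so the email
    # parser covers both the plain text/xml case and multipart/related.
    msg = email.message_from_bytes(rest, policy=policy.default)
    mtom_ct = (msg.get_content_type() == "multipart/related"
               and (msg.get_param("type") or "").lower() == "application/xop+xml")
    part_ids = set()
    if msg.is_multipart():
        start = (msg.get_param("start") or "").strip("<>")
        parts = list(msg.iter_parts())
        by_cid = {(p.get("Content-ID") or "").strip("<>"): p for p in parts}
        part_ids = set(by_cid)
        envelope = by_cid.get(start, parts[0]).get_payload(decode=True)  # root part = SOAP envelope
    else:
        envelope = msg.get_payload(decode=True)                          # plain SOAP, no MIME parts
    root = ET.fromstring(envelope)
    hrefs = [urllib.parse.unquote(e.get("href", "")) for e in root.iter(XOP + "Include")]
    cids = [h[4:] if h.startswith("cid:") else h for h in hrefs]
    return {
        "content_type": msg.get_content_type(),
        "mtom_content_type": mtom_ct,
        "xop_includes": len(cids),
        "dangling_refs": sorted(c for c in cids if c not in part_ids),
        "wsse_header": root.find(f".//{WSSE}Security") is not None,
        "encrypted_data": root.find(f".//{XENC}EncryptedData") is not None,
    }


def verdict(r: dict) -> str:
    """One-line reading of the indicators returned by inspect_request()."""
    if r["dangling_refs"]:
        return "BROKEN: xop:Include points at cid(s) missing from the message: " + ", ".join(r["dangling_refs"])
    mtom = ("MTOM on the wire" if r["mtom_content_type"] and r["xop_includes"]
            else "no MTOM on the wire (attachment inlined or absent)")
    sec = ("WS-Security header, encrypted" if r["encrypted_data"]
           else "WS-Security header, not encrypted" if r["wsse_header"] else "no WS-Security")
    return f"{mtom}; {sec}"


# ---- constructed samples, modelled on the captures in the thread ----------------
B = "----=_Part_0_31571602"
MULTIPART_CT = ('multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>"; '
                f'start-info="text/xml"; boundary="{B}"')
ENV = "xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'"
XOPNS = "xmlns:xop='http://www.w3.org/2004/08/xop/include'"
WSSE_HDR = (f"<env:Header><wsse:Security xmlns:wsse='{WSSE[1:-1]}'><wsse:UsernameToken>"
            "<wsse:Username>myusername</wsse:Username></wsse:UsernameToken></wsse:Security></env:Header>")


def _http(content_type: str, body: str) -> bytes:
    return f'POST /ServizioWSSEAttachment HTTP/1.1\r\nSOAPAction: ""\r\nContent-Type: {content_type}\r\n\r\n{body}'.encode()


def _mime(envelope: str, cid: str) -> str:
    """Two-part MIME body: the XOP root part and one binary part with Content-Id <cid>."""
    return (f"--{B}\r\nContent-Type: application/xop+xml; type=\"text/xml\"\r\nContent-Transfer-Encoding: 8bit\r\n"
            f"Content-ID: <rootpart@ws.jboss.org>\r\n\r\n{envelope}\r\n"
            f"--{B}\r\nContent-Type: application/octet-stream\r\nContent-Transfer-Encoding: binary\r\n"
            f"Content-Id: <{cid}>\r\n\r\n%PDF-1.4 (constructed bytes)\r\n--{B}--\r\n")


# 1) MTOM only, like the working capture: the xop:Include resolves to a MIME part.
MTOM_ONLY = _http(MULTIPART_CT, _mime(
    f"<env:Envelope {ENV}><env:Header/><env:Body><attachment><xop:Include {XOPNS} "
    "href='cid:att-1@ws.jboss.org'/></attachment></env:Body></env:Envelope>", "att-1@ws.jboss.org"))

# 2) WS-Security switched on and MTOM silently lost: text/xml with a dangling xop:Include.
WSSE_BROKEN = _http("text/xml; charset=UTF-8",
    f"<env:Envelope {ENV}>{WSSE_HDR}<env:Body><attachment><xop:Include {XOPNS} "
    "href='cid:att-2@ws.jboss.org'/></attachment></env:Body></env:Envelope>")

# 3) The target shape from the Rampart / WCF samples: the ciphertext itself is the MIME
#    part, referenced from inside xenc:CipherValue.
MTOM_WSSE = _http(MULTIPART_CT, _mime(
    f"<env:Envelope {ENV}>{WSSE_HDR}<env:Body><xenc:EncryptedData xmlns:xenc='{XENC[1:-1]}'>"
    f"<xenc:CipherData><xenc:CipherValue><xop:Include {XOPNS} href='cid:enc-1@ws.jboss.org'/>"
    "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>", "enc-1@ws.jboss.org"))

if __name__ == "__main__":
    for name, raw in (("MTOM only", MTOM_ONLY), ("WSSE on, MTOM lost", WSSE_BROKEN), ("target shape", MTOM_WSSE)):
        print(f"{name:>20}: {verdict(inspect_request(raw))}")
```

Run as-is, the second sample reports BROKEN with the unresolved cid, which is exactly the condition in the second capture above: a text/xml envelope whose xop:Include points at a MIME part that was never sent. The same check is worth running on the receiving side before the envelope is handed to the WS-Security layer, since a dangling reference can only fail (or be misread) further down the handler chain.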
                              



                              • 12. Re: MTOM + WS Security = problem
                                richard_opalka

                                 

                                "davideling" wrote:

                                But if I enable WS-Security MTOM doesn't work any more.
                                The client doesn't send a multipart related message,
                                but inserts the xop:include tag with the attachment reference.

                                I use JBoss 4.2.0 GA, JDK 1.5.0_12 on Linux 32 bit


                                Hi davideling,

                                I don't know JBossWS stack very well yet but according to the
                                attachments you've posted I can see that both MTOM and WSSecurity
                                handlers when activated create buggy message. Probably MTOM handler is
                                the first one in the handler chain and it created SOAP message with
                                attachment and set message type to MULTIPART/RELATED, but next
                                handler in the chain, i.e. WSSecurity handler, changed message type from
                                MULTIPART/RELATED to simple SOAP message.

                                But I'm just guessing. What about debugging JBossWS source code? Did
                                you try it?

                                Rio

                                • 13. Re: MTOM + WS Security = problem

                                  I'm sorry Rio, I'm at work now and
                                  I can't look at the JBossWS sources now.

                                  All I can do now is look at the client log4j logs.

                                  If I enable WS-Security I can see this, where I find
                                  two times
                                  ...HEADER={SOAPAction="", Content-Type=text/xml...

                                  ...
                                  DEBUG main org.jboss.remoting.MicroRemoteClientInvoker - org.jboss.remoting.transport.http.HTTPClientInvoker@1922f46 connecting
                                  DEBUG main org.jboss.remoting.MicroRemoteClientInvoker - org.jboss.remoting.transport.http.HTTPClientInvoker@1922f46 connected
                                  DEBUG main org.jboss.ws.core.client.RemotingConnectionImpl - Remoting metadata: {http.basic.password=mypassword, http.basic.username=myusername, HEADER={SOAPAction="", Content-Type=text/xml; charset=UTF-8}, NoThrowOnError=true}
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with SOAPAction : ""
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with Content-Type : text/xml; charset=UTF-8
                                  DEBUG main org.jboss.ws.core.soap.SOAPContentElement - MTOM enabled: Restore XOP data
                                  DEBUG main org.jboss.ws.extensions.xop.XOPContext - Replace base64 representation on element [xmlName=inputMessage]
                                  DEBUG main org.jboss.ws.extensions.xop.jaxrpc.XOPMarshallerImpl - serialize: [xmlName=attachment]
                                  DEBUG main org.jboss.ws.core.soap.attachment.CIDGenerator - generateFromName: attachment-37b4f42c-7f38-43b1-b905-9e5d3a3b08c8@ws.jboss.org
                                  DEBUG main org.jboss.ws.extensions.xop.jaxrpc.XOPMarshallerImpl - Created attachment part attachment-37b4f42c-7f38-43b1-b905-9e5d3a3b08c8@ws.jboss.org, with content-type application/octet-stream
                                  DEBUG main org.jboss.ws.extensions.xop.XOPContext - Restored xop:Include element on [xmlName=attachment]
                                  DEBUG main org.jboss.ws.core.soap.SOAPMessageUnMarshaller - getMimeHeaders from: {X-Powered-By=[Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5], ResponseCodeMessage=OK, http.basic.password=mypassword, Date=[Tue, 26 Jun 2007 13:23:19 GMT], http.basic.username=myusername, Content-Type=[text/xml;charset=UTF-8], Server=[Apache-Coyote/1.1], HEADER={SOAPAction="", Content-Type=text/xml; charset=UTF-8}, Transfer-Encoding=[chunked], NoThrowOnError=true, ResponseCode=200}
                                  DEBUG main org.jboss.ws.core.soap.MessageFactoryImpl - createMessage: [contentType=text/xml; charset=UTF-8]
                                  


                                  Instead, if I disable WS-Security the Content-Type is correct (and the type too)

                                  ...
                                  DEBUG main org.jboss.remoting.MicroRemoteClientInvoker - org.jboss.remoting.transport.http.HTTPClientInvoker@82751 connected
                                  DEBUG main org.jboss.ws.core.client.RemotingConnectionImpl - Remoting metadata: {http.basic.password=mypassword, http.basic.username=myusername, HEADER={SOAPAction="", Content-Type=multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>"; start-info="text/xml"; boundary="----=_Part_0_7896086.1182865340817"}, NoThrowOnError=true}
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with SOAPAction : ""
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with Content-Type : multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>"; start-info="text/xml"; boundary="----=_Part_0_7896086.1182865340817"
                                  DEBUG main org.jboss.ws.core.soap.SOAPMessageUnMarshaller - getMimeHeaders from: {Connection=[close], X-Powered-By=[Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5], ResponseCodeMessage=Internal Server Error, http.basic.password=mypassword, Date=[Tue, 26 Jun 2007 13:42:21 GMT], http.basic.username=myusername, Content-Type=[text/xml;charset=UTF-8], Server=[Apache-Coyote/1.1], HEADER={SOAPAction="", Content-Type=multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>"; start-info="text/xml"; boundary="----=_Part_0_7896086.1182865340817"}, Transfer-Encoding=[chunked], NoThrowOnError=true, ResponseCode=500}
                                  DEBUG main org.jboss.ws.core.soap.MessageFactoryImpl - createMessage: [contentType=text/xml; charset=UTF-8]
                                  ...
                                  



                                  • 14. Re: MTOM + WS Security = problem
                                    mr_d

                                    Hello!

                                    Thanks for your answers,

                                    "richard_opalka" wrote:
                                    MTOM attachments do not need to be inlined.


                                    I agree, but if mtom is used and it is inlined, I don't see the point of using mtom: we can have the binary parameter inlined like the others. I thought that one of the advantages of mtom was to use xop which describes how to package binary data as an attachment.

                                    @davideling
                                    I have exactly the same config as you, same Jboss version and JbossWS version. I also have a method with a bean which contains a DataHandler (annotated). But no luck, I always get the same exception.
                                    javax.xml.ws.soap.SOAPFaultException: Endpoint {http://foo.org/mtom}ServiceImpl does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData


                                    But this problem doesn't change the main problem: to use mtom + ws security with jbossws. I will take a look to the sources when I got time.

                                    :oD.
