1 2 Previous Next 20 Replies Latest reply on Feb 26, 2008 12:41 PM by Martin Rostan

    MTOM + WS Security = problem

    Jean Louis Newbie

      Hello,

      Has anyone tried to have a web service with mtom *and* ws security activated?

      I did some tests with a web service as an ejb3 stateless bean and a Java standalone client (using the client parts of JbossWS): mtom only works, ws-security only works. But when I enable both, I get an exception:

      javax.xml.ws.soap.SOAPFaultException: Endpoint {http://foo.org/mtom}ServiceImpl does not contain
      operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData

      If I inspect the network communication, the client seems to use ws-security and put all the data as an encrypted envelope. There is no binary attachment anymore. On the server side, it seems that ws-security cannot be enabled with mtom, as the exception suggests.

      Maybe the two standards are not compatible to work together. I didn't found any information that says: no, no, no don't use mtom with ws-security.

      Thanks in advance for any enlightenment,

      Let me know if my description is not clear enough,

      best regards,

      :oD.

        • 1. Re: MTOM + WS Security = problem
          Davide Ling Newbie

          Hello,
          i did it,
          and i got the attachment inlined in the soap body
          encrypted (is it right?).

          Be sure you annotated the service implementation class

          @BindingType(javax.xml.ws.soap.SOAPBinding.SOAP11HTTP_MTOM_BINDING)
          @EndpointConfig(configName = "Standard WSSecurity Endpoint")
          public class ServiceCipheredSignedImpl implements
           ServiceCipheredSigned {
          
           // Bla bla ...
          
          }
          


          • 2. Re: MTOM + WS Security = problem
            Jean Louis Newbie

            Hello davideling,

            Thanks for your reply,

            My annotations on my service implementation are:

            @BindingType(javax.xml.ws.soap.SOAPBinding.SOAP11HTTP_MTOM_BINDING)
            @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, parameterStyle = SOAPBinding.ParameterStyle.BARE)
            @EndpointConfig(configName = "Standard WSSecurity Endpoint")
            


            as suggested in http://jbws.dyndns.org/mediawiki/index.php/JAX-WS_User_Guide#MTOM.2FXOP.

            If I try your annotations (without @SOAPBinding) I have the same exception:

            javax.xml.ws.soap.SOAPFaultException: Endpoint {http://foo.org/mtom}ServiceImpl does not contain
            operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData
            


            Now, the weird part: If I disable ws security on the client part, it works (even if on the server side I have @EndpointConfig(configName = "Standard WSSecurity Endpoint")). As I said on my first post, when I activate mtom and ws-security, it seems that only mtom works, so if my client send an encrypted soap message, the server will not know how to handle it and will throws the exception.

            You said, you've got the attachment inlined. I don't know what a soap message looks like using mtom + ws security, but mtom is supposed to use multi parts isn't it? So, are you sure that ws security has not disable mtom?

            Well, maybe I need to dig more information

            :oD.


            • 3. Re: MTOM + WS Security = problem
              Davide Ling Newbie

              Ehm... sorry my last reply was only a code snippet...

              Service implementation

              @WebService(endpointInterface="serviceJBossCipheredSigned.ServiceJBossCipheredSigned",
               portName="ServiceJBossCipheredSignedSOAP",
               serviceName="ServiceJBossCipheredSigned"
              )
              @BindingType(javax.xml.ws.soap.SOAPBinding.SOAP11HTTP_MTOM_BINDING)
              @EndpointConfig(configName = "Standard WSSecurity Endpoint")
              public class ServiceJBossCipheredSignedImpl implements
               ServiceJBossCipheredSigned {
               // bla bla ...
              }
              


              Service configuration (jboss-wsse-service.xml):
              <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
               <key-store-file>WEB-INF/wsse.keystore</key-store-file>
               <key-store-password>jbossws</key-store-password>
               <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
               <trust-store-password>jbossws</trust-store-password>
               <config>
               <encrypt type="x509v3" alias="wsseClient"/>
               <sign type="x509v3" alias="wsseServer" />
               <requires>
               <signature />
               <encryption />
               <username />
               </requires>
               </config>
              </jboss-ws-security>
              


              Client implementation:
              public void testInvocation() throws Exception {
              
               // 1) Service
               Service service = Service.create(
               new File("wsdl/mywsdl.wsdl").toURL(),
               new QName("http://serviceJBossCipheredSigned/",
               "ServiceJBossCipheredSigned")
               );
              
               // Configuration file WS-Security
               ((ServiceExt) service).setSecurityConfig(
               "META-INF/jboss-wsse-client.xml");
              
               // 2) Port Creation
               ServiceJBossCipheredSigned port = (ServiceJBossCipheredSigned)
               service.getPort(
               new QName("http://serviceJBossCipheredSigned/",
               "ServiceJBossCipheredSignedSOAP"),
               ServiceJBossCipheredSigned.class);
              
               // Enable MTOM
               SOAPBinding binding =
               (SOAPBinding) ((BindingProvider) port).getBinding();
               binding.setMTOMEnabled(true);
              
               // Enable WS-Security on port
               ((StubExt) port).setConfigName("Standard WSSecurity Client");
              
               // Set endpoint address
               Map<String, Object> reqContext =
               ((BindingProvider)port).getRequestContext();
               reqContext.put(
               BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
               "http://bla bla"
               );
              
               // Set username e password
               reqContext.put(Stub.USERNAME_PROPERTY, "myUsername");
               reqContext.put(Stub.PASSWORD_PROPERTY, "myPassword");
              
               ... bla bla and invocation
              
               );
              


              Client configuration
              <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
              
               <key-store-file>META-INF/wsse.keystore</key-store-file>
               <key-store-password>jbossws</key-store-password>
               <trust-store-file>META-INF/wsse.truststore</trust-store-file>
               <trust-store-password>jbossws</trust-store-password>
              
               <config>
               <username/>
               <encrypt type="x509v3" alias="wsseServer"/>
               <sign type="x509v3" alias="wsseClient"/>
               <requires>
               <signature />
               <encryption />
               </requires>
               </config>
              
              </jboss-ws-security>
              


              • 4. Re: MTOM + WS Security = problem
                Richard Opalka Newbie

                Maybe the two standards are not compatible to work together. I didn't found any information that says: no, no, no don't use mtom with ws-security.

                Hi mr_d,

                MTOM + WS-Security are fully compatible standards. MTOM is a new attachment approach and was designed with WS security in mind. Before MTOM e.g. using standard WS attachments or SWA ref attachments, users were unable to use these attachments in conjunction with WS Security.
                With MTOM you can ;-)

                Rio

                • 5. Re: MTOM + WS Security = problem
                  Davide Ling Newbie

                  Ok,
                  but have the MTOM attachment to be inlined or not
                  when WS-Security signature or encryption is activated?

                  Thanks

                  • 6. Re: MTOM + WS Security = problem
                    Jean Louis Newbie

                    Hello,

                    Thanks for your answers,

                    @richard_opalka:
                    I agree, they are compatible, so to use attachments with WS Security, MTOM is the only and right way.

                    @davideling:
                    I have the same config. As I said on my first post, mtom only works, and ws security only also works.

                    Are you sure that your encrypted soap envelope is created using mtom?
                    Can you post one of your soap messages? And also the parameters of the exposed method or the wsdl file?

                    I tried to get some soap message examples where mtom + ws security are enabled.
                    I found two:
                    -http://wso2.org/files/rampart-tute.pdf [page 81]
                    -http://msdn2.microsoft.com/en-US/library/aa738574.aspx[bottom of the page]

                    In these two message, we can see that:

                    -Content-Type contains "multipart/related" and "type="application/xop+xml"
                    -In the body of the soap message, there is a "xop:Include" element
                    -In the body of the soap message, there is a "CipherData" and a "CipherValue" element
                    -The attachment is in an encrypted mime part

                    The two first points are the proof that mtom is enabled.
                    The last ones indicate that ws security is active too.

                    Im trying to achieve this kind of message with JbossWS. So far, no luck.

                    :oD.

                    • 7. Re: MTOM + WS Security = problem
                      Davide Ling Newbie

                      Thank you for your links mr_d, they are very interesting.

                      Now I'm sure that my Web Services behaviour is not correct :-( .

                      Request Headers

                      POST /servizioJBossCipheredSigned/ServizioJBossCipheredSigned?datatype=JBossWSMessage HTTP/1.1
                      
                      Authorization: Basic bXlVc2VybmFtZTpteVBhc3N3b3Jk
                      
                      SOAPAction: ""
                      
                      Content-Type: text/xml; charset=UTF-8
                      
                      JBoss-Remoting-Version: 22
                      
                      User-Agent: JBossRemoting - 2.2.0 SP4 (Bluto)
                      
                      Host: 127.0.0.1:8181
                      
                      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
                      
                      Connection: keep-alive
                      
                      Content-Length: 503592
                      


                      Response Headers
                      HTTP/1.1 200 OK
                      
                      Server: Apache-Coyote/1.1
                      
                      X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5
                      
                      Content-Type: text/xml;charset=UTF-8
                      
                      Transfer-Encoding: chunked
                      
                      Date: Mon, 25 Jun 2007 13:22:57 GMT
                      
                      


                      • 8. Re: MTOM + WS Security = problem
                        Davide Ling Newbie

                        Exposed interface method

                         @WebMethod
                         @WebResult(name="responseMessage")
                         public ResponseMessage eleaborateMessage(
                         @WebParam(name="requestMessage")
                         RequestMessage message);
                        


                        Request bean

                        public class RequestMessage implements Serializable {
                        
                         ...
                        
                         private DataHandler attachment;
                        
                         @XmlMimeType("application/pdf")
                         public DataHandler getAttachment() {
                         return attachment;
                         }
                        
                         public void setAttachment(DataHandler attachment) {
                         this.attachment = attachment;
                         }
                        
                         ...
                        
                        }
                        


                        The attachment arrive correctly to destination... but it's not an attachment! ;)


                        • 9. Re: MTOM + WS Security = problem
                          Richard Opalka Newbie

                           

                          "davideling" wrote:
                          Ok,
                          but have the MTOM attachment to be inlined or not
                          when WS-Security signature or encryption is activated?

                          Thanks


                          MTOM attachments do not need to be inlined.

                          For example Microsoft Indigo and some other Java stacks (I don't know if JBossWS too)
                          provide some kind of "MTOM SAAJ Text Element",
                          which contains just MIME attachment id as its content (when you're
                          sniffing the wire communcation). However from SOAP stack point of view when
                          some other SAAJ handler that is in the handler chain tries to read
                          the content of this special text element, it will obtain attachment binary data
                          encoded in base64 canonical format instead of the attachment id.
                          However on the wire it goes as the MIME attachment.

                          This has also some performance consequences. For example if application
                          sends MTOM in the form of MIME attachment and there's some handler in
                          the handler chain that needs to work with this MTOM attachment content
                          (e.g. WSSecurity SAAJ handler), this attachment must be encoded to base64 canonical
                          format and that value is returned to the requestor. When
                          processing really big attachments this fact causes real performance issues.

                          Rio

                          • 10. Re: MTOM + WS Security = problem
                            Davide Ling Newbie

                            Hello Rio,
                            i agree with You.

                            Do You know how to develop a
                            JBossWS Web Service with both attachment and
                            WS-Security encryption?

                            • 11. Re: MTOM + WS Security = problem
                              Davide Ling Newbie

                              This time I'm trying a simpler example
                              MTOM/WS-Security onl with username and password

                              In my service client,
                              if I comment out

                              // ((StubExt) port).setConfigName("Standard WSSecurity Client");


                              I get MTOM work correctly

                              POST /servizioJBossWSSEAttachment/ServizioWSSEAttachment?datatype=JBossWSMessage HTTP/1.1
                              Authorization: Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk
                              SOAPAction: ""
                              Content-Type: multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>";
                               start-info="text/xml";
                               boundary="----=_Part_0_31571602.1182853646985"
                              JBoss-Remoting-Version: 22
                              User-Agent: JBossRemoting - 2.2.0 SP4 (Bluto)
                              Host: localhost:8181
                              Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
                              Connection: keep-alive
                              Content-Length: 453280
                              
                              
                              ------=_Part_0_31571602.1182853646985
                              Content-Type: application/xop+xml; type="text/xml"
                              Content-Transfer-Encoding: 8bit
                              Content-ID: <rootpart@ws.jboss.org>
                              
                              <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'><env:Header></env:Header><env:Body><ns1:inputMessage xmlns:ns1="http://www.tai.it/ServizioWSSEAttachment"><attachment><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="cid:attachment-6707b7bd-51d9-4d4f-b133-f0a4774a2874@ws.jboss.org"/></attachment><name>Davide</name><surname>Ling</surname></ns1:inputMessage></env:Body></env:Envelope>
                              ------=_Part_0_31571602.1182853646985
                              Content-Type: application/octet-stream
                              Content-Transfer-Encoding: binary
                              Content-Id: <attachment-6707b7bd-51d9-4d4f-b133-f0a4774a2874@ws.jboss.org>
                              
                              %PDF-1.4
                              blablabla...
                              


                              But if I enable WS-Security MTOM doesn't work any more.
                              The client doesn't send a multipart related message,
                              but inserts the xop:include tag with the attachment reference.

                              I use JBoss 4.2.0 GA, JDK 1.5.0_12 on Linux 32 bit

                              POST /servizioJBossWSSEAttachment/ServizioWSSEAttachment?datatype=JBossWSMessage HTTP/1.1
                              Authorization: Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk
                              SOAPAction: ""
                              Content-Type: text/xml; charset=UTF-8
                              JBoss-Remoting-Version: 22
                              User-Agent: JBossRemoting - 2.2.0 SP4 (Bluto)
                              Host: localhost:8181
                              Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
                              Connection: keep-alive
                              Content-Length: 828
                              
                              <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
                              <env:Header>
                              <wsse:Security env:mustUnderstand='1' ... >
                              <wsse:UsernameToken wsu:Id='token-1-1182854743065-9708927'>
                              <wsse:Username>myusername</wsse:Username>
                              <wsse:Password>mypassword</wsse:Password>
                              </wsse:UsernameToken></wsse:Security>
                              </env:Header>
                              <env:Body>
                              <ns1:inputMessage xmlns:ns1='http://www.tai.it/ServizioWSSEAttachment'>
                              <attachment>
                              <xop:Include href='cid:attachment-f4e31927-67ed-4162-8a0e-86e53e96b316@ws.jboss.org' xmlns:xop='http://www.w3.org/2004/08/xop/include'/>
                              </attachment>
                              <name>Davide</name>
                              <surname>Ling</surname>
                              </ns1:inputMessage>
                              </env:Body>
                              </env:Envelope>
                              



                              • 12. Re: MTOM + WS Security = problem
                                Richard Opalka Newbie

                                 

                                "davideling" wrote:

                                But if I enable WS-Security MTOM doesn't work any more.
                                The client doesn't send a multipart related message,
                                but inserts the xop:include tag with the attachment reference.

                                I use JBoss 4.2.0 GA, JDK 1.5.0_12 on Linux 32 bit


                                Hi davideling,

                                I don't know JBossWS stack very well yet but according to the
                                attachments you've posted I can see that both MTOM and WSSecurity
                                handlers when activated create buggy message. Probably MTOM handler is
                                the first one in the handler chain and it created SOAP message with
                                attachment and set message type to MULTIPART/RELATED, but next
                                handler in the chain, i.e. WSSecurity handler, changed message type from
                                MULTIPART/RELATED to simple SOAP message.

                                But I'm just guessing. What about debugging JBossWS source code? Did
                                you try it?

                                Rio

                                • 13. Re: MTOM + WS Security = problem
                                  Davide Ling Newbie

                                  I'm sorry Rio, I'm at work now and
                                  I can't look JBossWS sources now.

                                  All I can do now is look at client log4j logs.

                                  If I enable WS-Security I can see this where I can find
                                  two times
                                  ...HEADER={SOAPAction="", Content-Type=text/xml...

                                  ...
                                  DEBUG main org.jboss.remoting.MicroRemoteClientInvoker - org.jboss.remoting.transport.http.HTTPClientInvoker@1922f46 connecting
                                  DEBUG main org.jboss.remoting.MicroRemoteClientInvoker - org.jboss.remoting.transport.http.HTTPClientInvoker@1922f46 connected
                                  DEBUG main org.jboss.ws.core.client.RemotingConnectionImpl - Remoting metadata: {http.basic.password=mypassword, http.basic.username=myusername, HEADER={SOAPAction="", Content-Type=text/xml; charset=UTF-8}, NoThrowOnError=true}
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with SOAPAction : ""
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with Content-Type : text/xml; charset=UTF-8
                                  DEBUG main org.jboss.ws.core.soap.SOAPContentElement - MTOM enabled: Restore XOP data
                                  DEBUG main org.jboss.ws.extensions.xop.XOPContext - Replace base64 representation on element [xmlName=inputMessage]
                                  DEBUG main org.jboss.ws.extensions.xop.jaxrpc.XOPMarshallerImpl - serialize: [xmlName=attachment]
                                  DEBUG main org.jboss.ws.core.soap.attachment.CIDGenerator - generateFromName: attachment-37b4f42c-7f38-43b1-b905-9e5d3a3b08c8@ws.jboss.org
                                  DEBUG main org.jboss.ws.extensions.xop.jaxrpc.XOPMarshallerImpl - Created attachment part attachment-37b4f42c-7f38-43b1-b905-9e5d3a3b08c8@ws.jboss.org, with content-type application/octet-stream
                                  DEBUG main org.jboss.ws.extensions.xop.XOPContext - Restored xop:Include element on [xmlName=attachment]
                                  DEBUG main org.jboss.ws.core.soap.SOAPMessageUnMarshaller - getMimeHeaders from: {X-Powered-By=[Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5], ResponseCodeMessage=OK, http.basic.password=mypassword, Date=[Tue, 26 Jun 2007 13:23:19 GMT], http.basic.username=myusername, Content-Type=[text/xml;charset=UTF-8], Server=[Apache-Coyote/1.1], HEADER={SOAPAction="", Content-Type=text/xml; charset=UTF-8}, Transfer-Encoding=[chunked], NoThrowOnError=true, ResponseCode=200}
                                  DEBUG main org.jboss.ws.core.soap.MessageFactoryImpl - createMessage: [contentType=text/xml; charset=UTF-8]
                                  


                                  Instead If I disable WS-Security the Content-Type is correct (and type too)

                                  ...
                                  DEBUG main org.jboss.remoting.MicroRemoteClientInvoker - org.jboss.remoting.transport.http.HTTPClientInvoker@82751 connected
                                  DEBUG main org.jboss.ws.core.client.RemotingConnectionImpl - Remoting metadata: {http.basic.password=mypassword, http.basic.username=myusername, HEADER={SOAPAction="", Content-Type=multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>";
                                  
                                   start-info="text/xml";
                                  
                                   boundary="----=_Part_0_7896086.1182865340817"}, NoThrowOnError=true}
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with SOAPAction : ""
                                  DEBUG main org.jboss.remoting.transport.http.HTTPClientInvoker - Setting request header with Content-Type : multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>";
                                  
                                   start-info="text/xml";
                                  
                                   boundary="----=_Part_0_7896086.1182865340817"
                                  DEBUG main org.jboss.ws.core.soap.SOAPMessageUnMarshaller - getMimeHeaders from: {Connection=[close], X-Powered-By=[Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5], ResponseCodeMessage=Internal Server Error, http.basic.password=mypassword, Date=[Tue, 26 Jun 2007 13:42:21 GMT], http.basic.username=myusername, Content-Type=[text/xml;charset=UTF-8], Server=[Apache-Coyote/1.1], HEADER={SOAPAction="", Content-Type=multipart/related; type="application/xop+xml"; start="<rootpart@ws.jboss.org>";
                                  
                                   start-info="text/xml";
                                  
                                   boundary="----=_Part_0_7896086.1182865340817"}, Transfer-Encoding=[chunked], NoThrowOnError=true, ResponseCode=500}
                                  DEBUG main org.jboss.ws.core.soap.MessageFactoryImpl - createMessage: [contentType=text/xml; charset=UTF-8]
                                  ...
                                  



                                  • 14. Re: MTOM + WS Security = problem
                                    Jean Louis Newbie

                                    Hello!

                                    Thanks for your answers,

                                    "richard_opalka" wrote:
                                    MTOM attachments do not need to be inlined.


                                    I agree, but if mtom is used and it is inlined, I don't see the point of using mtom: we can have the binary parameter inlined like the others. I thought that one of the advantages of mtom was to use xop which describes how to package binary data as an attachment.

                                    @davideling
                                    I have exactly the same config as you, same Jboss version and JbossWS version. I have also a method with a bean which contains a DataHandler (annoted). But no luck, I get always the same exception.
                                    javax.xml.ws.soap.SOAPFaultException: Endpoint {http://foo.org/mtom}ServiceImpl does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData


                                    But this problem doesn't change the main problem: to use mtom + ws security with jbossws. I will take a look to the sources when I got time.

                                    :oD.

                                    1 2 Previous Next