8 Replies Latest reply on Jul 15, 2008 12:16 PM by Brett Schmoll

    WS-Security trouble: {http://www.w3.org/2005/08/addressing}A

    Cris Newbie

      Hello all,

      I am trying to use WS-Security and have a client and web service exchange signed messages.
      However, I have run into some trouble -- can't get rid of this error (seen on both server and client consoles):

      ERROR [SOAPFaultHelperJAXWS] SOAP request exception
      javax.xml.ws.addressing.AddressingException: Required element {http://www.w3.org/2005/08/addressing}Action is missing

      at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.getRequiredHeaderContent(SOAPAddressingPropertiesImpl.java:71)
      at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.readHeaders(SOAPAddressingPropertiesImpl.java:141)
      at org.jboss.ws.extensions.addressing.jaxws.WSAddressingServerHandler.handleInbound(WSAddressingServerHandler.java:82)
      [...]


      My configuration is JBoss 4.0.5 & JBossWS 2.0.0, and the files as described below.

      I. Web service, deployed as SLSB in ear archive:
      |-ejb.jar (contains Endpoint implementation WSTwoServiceBean.java)
      |-META-INF
      |---server.keystore
      |---server.truststore
      |---application.xml
      |---jboss-wsse-server.xml
      |---standard-jaxws-endpoint-config.xml

      Service endpoint implementation: WSTwoServiceBean.java

      //EJB3 annotations
      @javax.ejb.Stateless
      @org.jboss.annotation.ejb.RemoteBinding(jndiBinding = "WebServices/WSTwoServiceBeanInterface")
      @javax.ejb.Remote({com.atb.webservices.wstwo.WSTwoServiceBeanInterface.class})
      
      // WS annotations
      @javax.jws.WebService(endpointInterface = "com.atb.webservices.wstwo.WSTwoRemoteInterface", targetNamespace = "http://localhost:8080/atb")
      @org.jboss.wsf.spi.annotation.WebContext(contextRoot = "/webservices-ws", urlPattern="/services/WSTwo/*")
      @javax.jws.soap.SOAPBinding(style = javax.jws.soap.SOAPBinding.Style.DOCUMENT, use = javax.jws.soap.SOAPBinding.Use.LITERAL, parameterStyle = javax.jws.soap.SOAPBinding.ParameterStyle.WRAPPED)
      @HandlerChain(file="resource://META-INF/standard-jaxws-endpoint-config.xml")
      @EndpointConfig(configName = "Standard WSSecurity Endpoint")
      @SecurityDomain("JBossWS")
      public class WSTwoServiceBean implements WSTwoServiceBeanInterface {
       @WebMethod
       public String hello(String s){
       return "Hello, " + s + "!";
       }
      }
      


      jboss-wsse-server.xml:

      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.jboss.com/ws-security/config
      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      <key-store-file>META-INF/server.keystore</key-store-file>
      <key-store-password>server</key-store-password>
      <trust-store-file>META-INF/server.truststore</trust-store-file>
      <trust-store-password>server</trust-store-password>
      <config>
       <sign type="jks" alias="server"/>
       <requires>
       <signature/>
       </requires>
      </config>
      </jboss-ws-security>



      standard-jaxws-endpoint-config.xml:

      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
       xsi:schemaLocation="urn:jboss:jaxws-config:2.0 jaxws-config_2_0.xsd">
      
       <endpoint-config>
       <config-name>Standard WSSecurity Endpoint</config-name>
       <post-handler-chains>
       <javaee:handler-chain>
       <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
       <javaee:handler>
       <javaee:handler-name>WSSecurity Handler</javaee:handler-name>
       <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
       </javaee:handler>
       </javaee:handler-chain>
       </post-handler-chains>
       </endpoint-config>
      
      </jaxws-config>
      

      II. Client, standalone application:
      |-TestWS.java
      |-META-INF
      |---jboss-wsse-client.xml
      |---standard-jaxws-client-config.xml
      |---client.keystore
      |---client.truststore

      (Even though, being a standalone client, I suspect placing the files in a folder other than META-INF wouldn't make any difference)

      TestWS.java:

       WSTwoServiceBeanService wstwoService = new WSTwoServiceBeanService();
       WSTwo wstwo = wstwoService.getPort(WSTwo.class);
      
       URL securityURL = null;
       URL securityConfig = null;
       try {
       securityURL = new File("META-INF/jboss-wsse-client.xml").toURL();
       securityConfig = new File("META-INF/standard-jaxws-client-config.xml").toURL();
       } catch (MalformedURLException e) {
       System.out.println(e);
       }
       ((StubExt)wstwo).setSecurityConfig(securityURL.toExternalForm());
       ((StubExt)wstwo).setConfigName("Standard WSSecurity Client", securityConfig.toExternalForm());
      
       String response = wstwo.hello("world");
       System.out.println("Web service answered with: " + response);
      



      jboss-wsse-client.xml:

      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.jboss.com/ws-security/config
      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      <key-store-file>d:/workspace/wsclient/META-INF/client.keystore</key-store-file>
      <key-store-password>client</key-store-password>
      <key-store-type>jks</key-store-type>
      <trust-store-file>d:/workspace/wsclient/META-INF/client.truststore</trust-store-file>
      <trust-store-password>client</trust-store-password>
      <trust-store-type>jks</trust-store-type>
      <config>
       <sign type="jks" alias="client"/>
       <requires>
       <signature/>
       </requires>
      </config>
      </jboss-ws-security>



      standard-jaxws-client-config.xml:

      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
       xsi:schemaLocation="urn:jboss:jaxws-config:2.0 jaxws-config_2_0.xsd">
      
       <client-config>
       <config-name>Standard WSSecurity Client</config-name>
       <post-handler-chains>
       <javaee:handler-chain>
       <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
       <javaee:handler>
       <javaee:handler-name>WSSecurityHandlerOutbound</javaee:handler-name>
       <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient</javaee:handler-class>
       </javaee:handler>
       </javaee:handler-chain>
       </post-handler-chains>
       </client-config>
      
      </jaxws-config>
      


      Thank you!

        • 1. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
          Cris Newbie

          I intercepted the SOAP messages being sent, and it seems that the client signs the message, but the service does not answer in kind.

          When setting up the client and server for message encryption, the same thing occurs -- the client correctly encrypts the outgoing message,
          but then this error appears:

          Endpoint {http://localhost:8080/atb}WSTwoServiceBeanPort does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData


          Does this vaguely mean that the service is not able to properly encrypt its response? Maybe this rings a bell for someone.

          Thank you!

          • 2. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
            Cris Newbie

            Tried out the same configuration in JBoss 4.2.2 with JBossWS 3.0.2, thinking maybe there was some bug which was fixed in the meantime.

            However, I am getting the same errors, which leads me to think that I must be doing something extremely stupid.
            Doesn't anybody have any clue about this? I appreciate any and every suggestions (even if it's an angry "RTFM" reply :D )

            • 3. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
              Alessio Soldano Master

              Hi, as a general suggestion, I first of all suggest you to try using some more recent versions of both JBoss AS and JBossWS.
              This said:

              "timeagentess" wrote:

              ERROR [SOAPFaultHelperJAXWS] SOAP request exception
              javax.xml.ws.addressing.AddressingException: Required element {http://www.w3.org/2005/08/addressing}Action is missing

              at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.getRequiredHeaderContent(SOAPAddressingPropertiesImpl.java:71)
              at org.jboss.ws.extensions.addressing.soap.SOAPAddressingPropertiesImpl.readHeaders(SOAPAddressingPropertiesImpl.java:141)
              at org.jboss.ws.extensions.addressing.jaxws.WSAddressingServerHandler.handleInbound(WSAddressingServerHandler.java:82)
              [...]

              You get this message because you're using WS-Addressing and the Action header is missing in your SOAP message. This is not related to WS-Security.



              @HandlerChain(file="resource://META-INF/standard-jaxws-endpoint-config.xml")
              @EndpointConfig(configName = "Standard WSSecurity Endpoint")


              Since you're using the standard endpoint configuration, you should try simplifying your configuration a bit (to better track down what's happening), i.e. remove the @HandlerChain annotation and forget about the standard-jaxws-endpoint-config.xml file (you already have the "Standard WSSecurity Endpoint" in the configuration that is automatically loaded by jbossws).


              Regarding this:

              Endpoint {http://localhost:8080/atb}WSTwoServiceBeanPort does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData

              under which conditions you got this? Try looking at the log and verify the security handler on server side is configured (the ws-security conf is selected).

              • 4. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                Cris Newbie

                 

                "alessio.soldano@jboss.com" wrote:
                Hi, as a general suggestion, I first of all suggest you to try using some more recent versions of both JBoss AS and JBossWS.

                Hi, thanks for the suggestions! As a matter of fact, I am using JBoss 4.2.2 and JBossWS 3.0.2 now, with the same problems. Some more answers/questions for each of your points below.

                You get this message because you're using WS-Addressing and the Action header is missing in your SOAP message. This is not related to WS-Security.

                Have I inadvertently activated WS-Addressing? (that was most certainly not my intention). I thought for using WS-Addressing one has to have an annotation like this on the web service class: @EndpointConfig(configName = "Standard WSAddressing Endpoint") ?


                Endpoint {http://localhost:8080/atb}WSTwoServiceBeanPort does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData

                under which conditions you got this? Try looking at the log and verify the security handler on server side is configured (the ws-security conf is selected).


                I got this when requesting encryption in both client and service jboss-wsse-****.xml
                I'm not sure if this part of the log is what you referred to, but the security config seems to be null:
                2008-06-30 15:23:36,422 DEBUG [org.jboss.system.ServiceConfigurator] SecurityConf set to [security: null] in jboss.mq.destination:service=Topic,name=testTopic
                2008-06-30 15:23:36,422 DEBUG [org.jboss.mq.server.jmx.Topic.testTopic] Setting securityConf: [security: null]


                On the service endpoint it seems to be ok:
                ServerEndpointMetaData:
                type=JAXWS
                qname={http://wsthree.ws.atb.com/}WSThreeServiceBeanPort
                [...]
                configFile=META-INF/standard-jaxws-endpoint-config.xml
                configName=Standard WSSecurity Endpoint
                authMethod=null
                transportGuarantee=null
                secureWSDLAccess=false
                properties={}


                (I suppose META-INF/standard-jaxws-endpoint-config.xml is taken from the JBossWS.sar deployment, as it is not present in my web service deployment anymore? )

                And a bit lower in the log file the handler seems to be ok as well:
                HandlerMetaDataJAXWS:
                type=POST
                name=WSSecurity Handler
                class=class org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer
                params=[]
                protocols=##SOAP11_HTTP ##SOAP11_HTTP_MTOM
                services=null
                ports=null


                ------------------------------------------------

                Anyway, to sum up what I have now and what does not work:

                Web service:
                @WebService
                @SOAPBinding(style = javax.jws.soap.SOAPBinding.Style.DOCUMENT,
                 use = javax.jws.soap.SOAPBinding.Use.LITERAL,
                 parameterStyle = javax.jws.soap.SOAPBinding.ParameterStyle.WRAPPED)
                @EndpointConfig(configName = "Standard WSSecurity Endpoint")
                public class WSThreeServiceBean implements WSThreeRemoteInterface {
                 @WebMethod
                 public String hello(String input) {
                 return "Hello, " + input + "!";
                 }
                }


                In the META-INF folder there is the keystore, truststore and jboss-wsse-server.xml

                Client:
                [...]
                securityURL = new File("META-INF/jboss-wsse-client.xml").toURL();
                ((StubExt)wsthree).setSecurityConfig(securityURL.toExternalForm());
                ((StubExt)wsthree).setConfigName("Standard WSSecurity Client");
                


                with keystore, truststore and jboss-wsse-client.xml in the META-INF (client is standalone).

                Both service and client request messages to be signed.
                Tracing the SOAP messages, looks like the client sends a properly signed message, which the service receives, then answers without signing the message.
                The client replies with "This service requires <wsse:Security>, which is missing.", which is logical, since the service sent an unsigned message.

                If I comment out ((StubExt)wsthree).setConfigName("Standard WSSecurity Client"); in the client, the request-reply goes "perfectly": the client sends an unsigned message, and the service answers with an unsigned message as well.

                What is not so clear to me is how to make the web service sign the message -- does it need something else besides the @EndpointConfig annotation and jboss-wsse-server.xml?

                Thank you! (And I really apologize if I am asking stupid questions in the wrong direction, I think I've gotten to the point where I can't see the forest because of the trees anymore...)

                • 5. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                  Brett Schmoll Newbie

                  Any followup to this?

                  I'm in a similar situation, I've taken a working EJB-backed web service, added a @EndpointConfig and a /META-INF/jboss-wsse-server.xml that should require a plaintext username token. Testing with soapUi shows that no username token is required when I expected it to fail and require the username.


                  Did I miss a step?
                  1) add @EndpointConfig(configName = "Standard WSSecurity Endpoint")
                  2) create jboss-wsse-server.xml with

                   <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config
                   http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                   <config>
                   <timestamp ttl="300"/>
                   <requires/>
                   </config>
                   </jboss-ws-security>
                  


                  Client app should fail since I haven't configured it to send any username token at this point.

                  -Brett

                  • 6. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                    Cris Newbie

                    I've been following the posts of helmutdoe and xinhua earlier, and Alessio Soldano seemed to suggest this might be a bug: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=138474
                    (just scroll down to Alessio's reply)

                    No JIRA issues have been created yet, however, so I have no idea. I have certainly not managed to solve this yet :)

                    Regarding your jboss-wsse-server.xml config, I am not sure, but shouldn't you have something like this:

                    <config>
                    [...]
                     <requires>
                     <signature/>
                     </requires>
                    </config>


                    to require a signature, for instance? At any rate, my guess is that the "requires" tag should not be empty. I think your endpoint does not know it is supposed to require a username token.
                    If you manage to make some progress, please do share! :)

                    • 7. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                      Brett Schmoll Newbie

                      One step forward....YAY.

                      So in reviewing the server.log file I noticed that despite my adding the @EndpointConfig tag, the "ServerEndpointMetaData:" still showed "configName=Standard Endpoint"

                      This seemed wrong to me :) so after moving the @EndpointConfig to the EJB implementation class, voila I now get, "org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing."

                      As to the jboss-wsse-server.xml config, it seemed odd to me as well that the "requires" tag was empty but that how it is documented at
                      http://jbws.dyndns.org/mediawiki/index.php?title=WS-Security_options#Username_Token_Authentication

                      As a side note I did at least find the xsd file that documents the config section. It is located in the jbossws-core.jar. Didn't find any documentation on the site that details that so I thought I'd toss it in here for future reference.

                      Also a bug report that alludes to JAAS integration only for SLSB which could be a problem as well
                      http://jira.jboss.org/jira/browse/JBWS-1999


                      Now to get it to actually accept the username token.

                      -Brett

                      • 8. Re: WS-Security trouble: {http://www.w3.org/2005/08/addressi
                        Brett Schmoll Newbie

                        +1 for http://jira.jboss.org/jira/browse/JBWS-2189?page=all

                        Almost got the username token working but the lack of an EncodingType attribute causes it to fail. Any idea on when 3.0.3 will be available?