3 Replies Latest reply on Oct 22, 2008 5:56 PM by Alan Feng

    WS client uses password from WSDL, ignoring client side sett

    Alan Feng Novice

      I am using JBossWS WS-Security. Server side has settings like this:

      jboss-wsse-server.xml

      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.jboss.com/ws-security/config
       http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
       <key-store-file>/etc/security/wsse.keystore</key-store-file>
       <key-store-password>
       {CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-keystore.password
       </key-store-password>
       <trust-store-file>/etc/security/wsse.truststore</trust-store-file>
       <trust-store-password>
       {CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-truststore.password
       </trust-store-password>
       <config>
       <sign type="x509v3" alias="wsse" />
       <encrypt type="x509v3" alias="wsse" />
       <requires>
       <signature />
       <encryption />
       </requires>
       </config>
       <timestamp-verification createdTolerance="300" warnCreated="false" expiresTolerance="300"
       warnExpires="false" />
      </jboss-ws-security>
      


      As you can see, the password is not stored as clear text for enhanced security. It uses FilePassword, which is a utility class provided by JBoss.

      This security setting is published in the service wsdl file and all above settings are visible to the clients:
      Segment of the published wsdl file:
      <wsp:Policy wsu:Id="X509EndpointPolicy">
       <wsp:All>
       <sp:jboss-ws-security>
       <sp:key-store-file>/etc/security/wsse.keystore</sp:key-store-file>
       <sp:key-store-password>
       {CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-keystore.password
       </sp:key-store-password>
       <sp:trust-store-file>/etc/security/wsse.truststore</sp:trust-store-file>
       <sp:trust-store-password>
       {CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-truststore.password
       </sp:trust-store-password>
       <sp:config>
       <sp:sign alias="wsse" type="x509v3"/>
       <sp:encrypt alias="wsse" type="x509v3"/>
       <sp:requires>
       <sp:signature/>
       <sp:encryption/>
       </sp:requires>
       </sp:config>
       <sp:timestamp-verification createdTolerance="300" expiresTolerance="300" warnCreated="false" warnExpires="false"/>
       </sp:jboss-ws-security>
       </wsp:All>
      </wsp:Policy>
      
      


      At the client side, we set the wsse system properties like this:
       System.setProperty("org.jboss.ws.wsse.keyStore", "c:/wsse/wsse.keystore" )
       System.setProperty("org.jboss.ws.wsse.keyStorePassword", "{CLASS}org.jboss.security.plugins.FilePassword:c:/wsse/wsse-keystore.password" )
       System.setProperty("org.jboss.ws.wsse.keyStoreType", "jks" )
       System.setProperty("org.jboss.ws.wsse.trustStore", "c:/wsse/wsse.truststore" )
       System.setProperty("org.jboss.ws.wsse.trustStorePassword", "{CLASS}org.jboss.security.plugins.FilePassword:c:/wsse/wsse-truststore.password" )
       System.setProperty("org.jboss.ws.wsse.trustStoreType", "jks" )
      



      What happened was that the client side system property is partially used. It picked up the store locations, however, it uses the serverside store password settings obtained from the wsdl. In other words, it tries to lookup the password file at /etc/security/wsse-keystore.password and /etc/security/wsse-truststore.password instead of the local c:/wsse folder.


      When I trace into the code, it looks like the class WSSecurityHandler.handleOutboundSecurity() uses the msgContext to create a WSSecurityConfiguration object. This object has the server security settings published in the wsdl. The local settings (from the system property) are not used unless the setting is not set by the server wsdl.

      In my specific case, because the server uses the <key-store-file> and <trust-store-file> tag, it sets the keyStoreFile and trustStoreFile properties of the configuration object, and left the keyStoreUrl and trustStoreUrl properties of the configuration object null. And later on, it tries to use the configuration object's keyStoreUrl and trustStoreUrl properties, which are null, so it thinks it's not set by the server and then looked up the keystore file locations from the local system properties.

      But for the keyStorePassword and trustStorePassword properties of the configuration object, since they are not null (set to the server settings from the wsdl), it completely ignores the local system property settings and use those values from server at the client side. Because the password files are stored in different folders at the client side, it errors out due to FileNotFoundException.

      Part of the above mentioned logics are in the SecurityStore class.


      I think this is a serious bug, as one can not dictates that the client must store the key store files and password files at the same folder as the server. At the client side, it needs to pick up the security settings from the system properties instead of looking them up from the wsdl first.

      If someone from JBoss team can validate what I described, can we open an issue ticket for this?

      Thanks!