1 Reply Latest reply on Aug 20, 2008 12:15 PM by Alessio Soldano

    Metro Specifications  for release 3.0.2

    claudia munevar Newbie

      I used Glassfish (which has Metro embedded) to do a Web Service, which it is consumed by a .Net client. The wsit directives are as follows:

      <wsp:Policy wsu:Id="WsEntidadPolicy">
       <wsp:ExactlyOne>
       <wsp:All>
       <wsaws:UsingAddressing xmlns:wsaws="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"/>
       <sc:KeyStore wspp:visibility="private" alias="pdi" storepass="[pass]" location="[path]"/>
       <sc:TrustStore wspp:visibility="private" storepass="[pass]" type="JKS" location="[path]"/>
       <wsoma:OptimizedMimeSerialization/>
       <sp:SymmetricBinding>
       <wsp:Policy>
       <sp:ProtectionToken>
       <wsp:Policy>
       <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
       <wsp:Policy>
       <sp:BootstrapPolicy>
       <wsp:Policy>
       <sp:SymmetricBinding>
       <wsp:Policy>
       <sp:ProtectionToken>
       <wsp:Policy>
       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
       <wsp:Policy>
       <sp:WssX509V3Token10/>
       </wsp:Policy>
       </sp:X509Token>
       </wsp:Policy>
       </sp:ProtectionToken>
       <sp:Layout>
       <wsp:Policy>
       <sp:Lax/>
       </wsp:Policy>
       </sp:Layout>
       <sp:IncludeTimestamp/>
       <sp:OnlySignEntireHeadersAndBody/>
       <sp:AlgorithmSuite>
       <wsp:Policy>
       <sp:Basic256/>
       </wsp:Policy>
       </sp:AlgorithmSuite>
       </wsp:Policy>
       </sp:SymmetricBinding>
       <sp:EndorsingSupportingTokens>
       <wsp:Policy>
       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
       <wsp:Policy>
       <sp:WssX509V3Token10/>
       </wsp:Policy>
       </sp:X509Token>
       </wsp:Policy>
       </sp:EndorsingSupportingTokens>
       <sp:Wss11>
       <wsp:Policy>
       <sp:MustSupportRefKeyIdentifier/>
       <sp:MustSupportRefIssuerSerial/>
       <sp:MustSupportRefThumbprint/>
       <sp:MustSupportRefEncryptedKey/>
       <sp:RequireSignatureConfirmation/>
       </wsp:Policy>
       </sp:Wss11>
       <sp:EncryptedParts>
       <sp:Body/>
       </sp:EncryptedParts>
       <sp:SignedParts>
       <sp:Body/>
       <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       </sp:SignedParts>
       </wsp:Policy>
       </sp:BootstrapPolicy>
       </wsp:Policy>
       </sp:SecureConversationToken>
       </wsp:Policy>
       </sp:ProtectionToken>
       <sp:Layout>
       <wsp:Policy>
       <sp:Strict/>
       </wsp:Policy>
       </sp:Layout>
       <sp:AlgorithmSuite>
       <wsp:Policy>
       <sp:Basic256/>
       </wsp:Policy>
       </sp:AlgorithmSuite>
       <sp:IncludeTimestamp/>
       <sp:OnlySignEntireHeadersAndBody/>
       </wsp:Policy>
       </sp:SymmetricBinding>
       <sp:Wss11>
       <wsp:Policy>
       <sp:MustSupportRefKeyIdentifier/>
       <sp:MustSupportRefIssuerSerial/>
       <sp:MustSupportRefThumbprint/>
       <sp:MustSupportRefEncryptedKey/>
       </wsp:Policy>
       </sp:Wss11>
       <sp:Trust10>
       <wsp:Policy>
       <sp:RequireClientEntropy/>
       <sp:RequireServerEntropy/>
       <sp:MustSupportIssuedTokens/>
       </wsp:Policy>
       </sp:Trust10>
      
       </wsp:All>
       </wsp:ExactlyOne>
       </wsp:Policy>
       <wsp:Policy wsu:Id="WsEntidad_Consultar_Input_Policy">
       <wsp:ExactlyOne>
       <wsp:All>
       <sp:EncryptedParts>
       <sp:Body/>
       </sp:EncryptedParts>
       <sp:SignedParts>
       <sp:Body/>
       <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       <sp:Header Name="RelatesTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       </sp:SignedParts>
       </wsp:All>
       </wsp:ExactlyOne>
       </wsp:Policy>
       <wsp:Policy wsu:Id="WsEntidad_Consultar_Output_Policy">
       <wsp:ExactlyOne>
       <wsp:All>
       <sp:EncryptedParts>
       <sp:Body/>
       </sp:EncryptedParts>
       <sp:SignedParts>
       <sp:Body/>
       <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       <sp:Header Name="RelatesTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       </sp:SignedParts>
       </wsp:All>
       </wsp:ExactlyOne>
       </wsp:Policy>
       <wsp:Policy wsu:Id="WsEntidad_ConsultarResultado_Input_Policy">
       <wsp:ExactlyOne>
       <wsp:All>
       <sp:EncryptedParts>
       <sp:Body/>
       </sp:EncryptedParts>
       <sp:SignedParts>
       <sp:Body/>
       <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       <sp:Header Name="RelatesTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
       </sp:SignedParts>
       </wsp:All>
       </wsp:ExactlyOne>
       </wsp:Policy>
       </wsp:Policy>

      In short, the service was secured with the following policies: endorse certificates, basic256 algoritm, enable secured conversation, signature confirmation required, not using derived keys, not encrypt the signature, enable MTOM, addressing version http://schemas.xmlsoap.org/ws/2004/08/addressing/policy, so on.

      On glassfish v2.0, this configuration works fine and the service can be consumed by the .NET client, but, when publishing the same policies on Jbossws-metro, it fails; It looks like the headers sent by jbossws-metro when stablishing the client authenticity, are not correct. In the log trace on Jboss, everyting seems to be Ok:
      Context token wsuId to uuid-f9b47fa3-27ea-49e3-9107-cc165bf5c33f.
      2008-08-15 17:15:32,718 DEBUG [com.sun.xml.ws.security.secconv] WSSC1010:Creating session for : urn:uuid:e03771f2-506c-4ef5-b356-415f7fe10903.
      2008-08-15 17:15:32,718 DEBUG [com.sun.xml.ws.security.secconv] WSSC0014:Generated RSTR Response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <RequestSecurityTokenResponse xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:ns4="http://www.w3.org/2005/08/addressing" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns5="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:ns6="http://schemas.xmlsoap.org/ws/2004/09/policy">
       <TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</TokenType>
       <RequestedSecurityToken>
       <ns5:SecurityContextToken ns2:Id="uuid-f9b47fa3-27ea-49e3-9107-cc165bf5c33f">
       <ns5:Identifier>urn:uuid:e03771f2-506c-4ef5-b356-415f7fe10903</ns5:Identifier>
       </ns5:SecurityContextToken>
       </RequestedSecurityToken>
       <RequestedAttachedReference>
       <ns3:SecurityTokenReference>
       <ns3:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-f9b47fa3-27ea-49e3-9107-cc165bf5c33f"/>
       </ns3:SecurityTokenReference>
       </RequestedAttachedReference>
       <RequestedUnattachedReference>
       <ns3:SecurityTokenReference>
       <ns3:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="urn:uuid:e03771f2-506c-4ef5-b356-415f7fe10903"/>
       </ns3:SecurityTokenReference>
       </RequestedUnattachedReference>
       <RequestedProofToken>
       <ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</ComputedKey>
       </RequestedProofToken>
       <Entropy ns7:Type="BinarySecret" xmlns:ns7="http://schemas.xmlsoap.org/ws/2005/02/trust">
       <BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">OXT1LqXMWdIMBoCY+BIu+Ze1fZI6mYh3kFVjqMuIASM=</BinarySecret>
       </Entropy>
       <Lifetime>
       <ns2:Created>2008-08-15T22:15:32.032Z</ns2:Created>
       <ns2:Expires>2008-08-16T08:15:32.032Z</ns2:Expires>
       </Lifetime>
      </RequestSecurityTokenResponse>
      

      But on .NET console, it throws the following error:
      Microsoft.Web.Services3.Security.SecurityFault: WSE2005: Protection requirements in MutualCertificate11Assertion are not satisfied. at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security, MessageProtectionRequirements response) at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security) at
      ...

      I wanted to know what's the difference or adds made on Metro included on Jbossws-metro respect to glassfish v2.0.

      I tested with the following :
      Jdk 1.5*, jdk 1.6.*, JCE for each version.
      Jboss 4.2.2.GA

      And every test, it threw the same trace code in both server and client sides, as described above.

      I'll appreciate any help you can give me.

      Thanks.

        • 1. Re: Metro Specifications  for release 3.0.2
          Alessio Soldano Master

          Did you try capturing the exchanged messages and comparing the header you suspect being different?
          The JBossWS-Metro integration currently is supposed to adds/changes nothing to what Metro provides and does in terms of WS-Security processing.
          Are the keystore/trustore correctly found on jboss? (ie. no errors about that on the logs)
          We might need to set up a simple example using a policy like yours to see what happens.