1 Reply Latest reply on May 25, 2011 5:23 AM by Alessio Soldano

    Authenticate UsernameToken via JAAS-SecurityDomain

    Lars Knemeyer Newbie

      Hi,

       

      my scenario is the following:

       

      A .NET-Client calling a Java web service via a customBinding with WS-Security (UsernameToken, encrypted, signed, with Timestamp)

      An Ejb-Webservice hosted on a JBoss AS 6 with configured with JBossWS CXF Stack

       

      The service has a SecurityDomain with a UsersRolesLoginModule (which will later be substituted with a LDAP module).

       

      The Username and password included in the UsernameToken need to be checked inside this SecurityDomain.

       

      Here is the service:

       

       

      @Stateless
      @WebService( name = "CoreService", targetNamespace = "http://www.myservice.de", serviceName = "ws", portName = "CoreService" )
      @SOAPBinding( parameterStyle = ParameterStyle.WRAPPED, style = Style.DOCUMENT, use = Use.LITERAL )
      @SecurityDomain( value = "MyRealm" )
      @BindingType( javax.xml.ws.soap.SOAPBinding.SOAP12HTTP_BINDING )
      @WebContext( contextRoot = "/myservice/ws", urlPattern = "/CoreService" )
      public class CoreService { ...
      

       

       

      My first question: Do I need the WebContext-Annotation? The errors are the same with or without it so I can't really tell.

       

      The CXF-config looks like this:

       

       

       

      <?xml version="1.0" encoding="UTF-8"?>
      <beans
        xmlns='http://www.springframework.org/schema/beans'
        xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
        xmlns:beans='http://www.springframework.org/schema/beans'
        xmlns:jaxws='http://cxf.apache.org/jaxws'
        xmlns:util='http://www.springframework.org/schema/util'
        xsi:schemaLocation='http://cxf.apache.org/core
          http://cxf.apache.org/schemas/core.xsd
          http://www.springframework.org/schema/util
          http://www.springframework.org/schema/util/spring-util-2.0.xsd
          http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
          http://cxf.apache.org/jaxws
          http://cxf.apache.org/schemas/jaxws.xsd'>
        
        <bean id="Sign_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
          <constructor-arg>
            <map>
              <entry key="action" value="Signature UsernameToken Encrypt Timestamp"/>
              <entry key="user" value="myservicekey"/>
              <entry key="signaturePropFile" value="META-INF/plc-security.properties"/>
              <entry key="encryptionPropFile" value="META-INF/plc-security.properties"/>
              <entry key="encryptionUser" value="useReqSigCert"/>
              <entry key="signatureKeyIdentifier" value="DirectReference"/>
              <entry key="passwordCallbackClass" value="de.lmis.plc.core.rule.KeystorePasswordCallback"/>
              <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
              <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
              <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
              <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </map>
          </constructor-arg>
        </bean>
        
        <bean id="SecurityContextIn" class="org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor">
          <constructor-arg>
            <map>
              <entry key="action" value="Signature UsernameToken Encrypt Timestamp"/>
              <entry key="signaturePropFile" value="META-INF/plc-security.properties"/>
              <entry key="decryptionPropFile" value="META-INF/plc-security.properties"/>
              <entry key="passwordCallbackClass" value="de.myservice.KeystorePasswordCallback"/>
            </map>
          </constructor-arg>
        </bean>
      
        
        <jaxws:endpoint id='CoreService' address='http://localhost:8080/myservice/ws/CoreService' 
          implementor='de.core.facade.CoreService'>
          <jaxws:properties>
           <beans:entry key="ws-security.ut.no-callbacks" value="true" />
          </jaxws:properties>
          <jaxws:invoker>
            <bean class='org.jboss.wsf.stack.cxf.InvokerEJB3'/>
          </jaxws:invoker>
          <jaxws:inInterceptors>
              <ref bean="SecurityContextIn"/>
      
          </jaxws:inInterceptors>
          <jaxws:outInterceptors>
           <ref bean="Sign_Response"/>
      
          </jaxws:outInterceptors>
        </jaxws:endpoint>
      </beans>
      
      

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

      The outInterceptor-config could not yet be tested, because the inInterceptor is not working.

       

      Following the CXF-Stack User Guide I used the SubjectCreatingInterceptor where it is said that "Authentication and authorization will simply be delegated to the security domain configured for the endpoint." But it is not.

      The UsernameToken is decrypted correctly, but it is not passed to the Securitydomain.

       

      Here is an excerpt from the server-log:

       

      17:11:58,401 DEBUG [org.apache.xml.security.utils.DigesterOutputStream] Pre-digested input:
      17:11:58,401 DEBUG [org.apache.xml.security.utils.DigesterOutputStream] <o:UsernameToken xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="uuid-0c7a4729-8a51-414b-ab05-b0039958f099-23"><o:Username>admin</o:Username><o:Password>password</o:Password></o:UsernameToken>
      17:11:58,401 DEBUG [org.apache.xml.security.signature.Reference] Verification successful for URI "#uuid-0c7a4729-8a51-414b-ab05-b0039958f099-23"
      17:11:58,402 DEBUG [org.apache.xml.security.signature.Manifest] The Reference has Type 
      17:11:58,402 DEBUG [org.apache.ws.security.TIME] Verify: total= 212, prepare-cert= 77, verify= 135
      17:11:58,402 DEBUG [org.apache.xml.security.utils.ElementProxy] setElement("Transform", "null")
      17:11:58,403 DEBUG [org.apache.xml.security.utils.ElementProxy] setElement("Transform", "null")
      17:11:58,404 DEBUG [org.apache.xml.security.utils.ElementProxy] setElement("Transform", "null")
      17:11:58,409 DEBUG [org.apache.ws.security.TIME] processHeader: total 686, prepare 19, handle 667
      17:11:58,430 DEBUG [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor-Time] Receive request: total= 2226 request preparation= 1511 request processing= 706 header, cert verify, timestamp= 9
      
      17:11:58,430 DEBUG [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor] WSS4JInInterceptor: exit handleMessage()
      17:11:58,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@4610c772
      17:11:58,439 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Adding interceptor org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor$UltimateReceiverMustUnderstandInterceptor@3efa8cd6 to phase invoke
      17:11:58,452 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Chain org.apache.cxf.phase.PhaseInterceptorChain@3ae7ec25 was modified. Current flow:
      receive [PolicyInInterceptor, EndpointAssociationInterceptor, AttachmentInInterceptor]
      pre-stream [CertConstraintsInterceptor]
      post-stream [StaxInInterceptor]
      read [ReadHeadersInterceptor, SoapActionInInterceptor, StartBodyInterceptor]
      pre-protocol [EnableOneWayDecoupledFaultInterceptor, SubjectCreatingInterceptor, MustUnderstandInterceptor]
      post-protocol [CheckFaultInterceptor, JAXBAttachmentSchemaValidationHack]
      unmarshal [URIMappingInterceptor, DocLiteralInInterceptor, SoapHeaderInterceptor]
      pre-logical [OneWayProcessorInterceptor]
      post-logical [WrapperClassInInterceptor]
      pre-invoke [SwAInInterceptor, HolderInInterceptor, SimpleAuthorizingInterceptor]
      invoke [ServiceInvokerInterceptor, UltimateReceiverMustUnderstandInterceptor]
      post-invoke [OutgoingChainInterceptor]
      
      17:11:58,453 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor@49546e3a
      17:11:58,453 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.jaxb.attachment.JAXBAttachmentSchemaValidationHack@257ef391
      17:11:58,454 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.interceptor.URIMappingInterceptor@7796314d
      17:11:58,455 DEBUG [org.apache.cxf.interceptor.URIMappingInterceptor] Invoking HTTP method POST
      17:11:58,455 DEBUG [org.apache.cxf.interceptor.URIMappingInterceptor] URIMappingInterceptor can only handle HTTP GET, not HTTP POST
      17:11:58,455 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.interceptor.DocLiteralInInterceptor@4588aeca
      17:11:58,569 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor@108b7370
      17:11:58,569 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.interceptor.OneWayProcessorInterceptor@3bd21ad9
      17:11:58,570 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassInInterceptor@5ee0bb3d
      17:11:58,586 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.SwAInInterceptor@1d74f93e
      17:11:58,591 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.HolderInInterceptor@7424d274
      17:11:58,592 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor@794a9ba6
      17:11:58,592 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] Invoking handleMessage on interceptor org.apache.cxf.interceptor.ServiceInvokerInterceptor@5efabb19
      17:11:58,824 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(MyRealm), size=12
      17:11:58,824 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(MyRealm), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
      ControlFlag: Anmeldemodul-Steuerflag: required
      Options:
      name=usersProperties, value=props/users.properties
      name=rolesProperties, value=props/roles.properties
      
      17:11:58,839 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
      17:11:58,840 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: MyRealm
      17:11:58,863 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=vfs:/D:/XXX/java/jboss-6.0.0.Final/server/default/conf/props/users.properties, defaults=null
      17:11:58,866 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, ...]
      17:11:58,869 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=vfs:/D:/XXX/java/jboss-6.0.0.Final/server/default/conf/props/roles.properties, defaults=null
      17:11:58,870 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, ...]
      17:11:58,870 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
      17:11:58,878 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Authenticating as unauthenticatedIdentity=null
      17:11:58,878 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=null
      17:11:58,891 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
       
      
      : Invalid User
      
      17:11:58,899 ERROR [org.jboss.webservices.integration.invocation.InvocationHandlerEJB3] Method invocation failed with exception: Invalid User: 
      
      

      In the beginning you can see the UsernameToken, which is decyrpted just fine.

      Then the Ejb gets invoked and the Loginmodule is loaded it tries to use the unauthenticatedIdentity (which is null, because I did not specify one so no user has unauthenticated access).

      Of course the authentication then fails for username=null.

       

      One thing that bothers me is that the SubjectCreatingInterceptor is invoked in the pre-protocol-phase, long before the Loginmodule is even created.

      Can this be right?

       

      If you need any additional information (code, server-log, config-files, ...) just ask.

       

       

      Many thanks,

       

      Lars