5 Replies Latest reply on Dec 5, 2011 5:07 PM by Steve Cohen

    Where is jboss-ws-security_1_0.xsd

    Steve Cohen Newbie

      I create a jboss-wsse-server.xml with this content:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
        <config>
          <requires>
            <username/>
          </requires>
          <authorize>
            <unchecked/>
          </authorize>
        </config>
      </jboss-ws-security>

      In one validator (SlickEdit's) this fails with

      http://www.jboss.com/ws-security\schema\jboss-ws-security_1_0.xsd' not found

      Indeed that appears to be the case.  That link gets a 404 in a Web Browser.

      With Eclipse's validator, the error is different:

      cvc-complex-type.2.4.a: Invalid content was found starting with element 'username'. One of '{"http://www.jboss.com/ws-security/config":timestamp, "http://www.jboss.com/ws-security/config":encryption, "http://www.jboss.com/ws-security/config":signature}' is expected. jboss-wsse-server.xml /my-ejb/src/main/resources/META-INF line 7 XML Problem

      Evidently, Eclipse is finding some version of the schema somewhere and looking at it.  Where might that be?  I've looked and can't find it.  And what is the proper address that a jboss-wsse-server.xml should point to?  Where can I go to find out what the legal schema is?  This is for JBoss-AS-5.1.0.GA and the JBossWS native stack.

      Thanks.

        • 1. Re: Where is jboss-ws-security_1_0.xsd
          Steve Cohen Newbie

          Well, I found the schema within jbossws-native-core.jar and it's not hard to see that my jboss-ws-security was non-conforming.  However, there is a lot of documentation out there that shows such a file.  Evidently, at some point in the past there was a different version of jboss-ws-security_1_0.xsd.

          Solving that (removing the <requires> wrapper around <username/>) fixed it, but the question still remains: what is the right URL to use in the <schema-location>?

          • 2. Re: Where is jboss-ws-security_1_0.xsd
            Alessio Soldano Master

            OK, sorry for the late reply on the forum; however, here are some explanations in order to shed some light on this topic [1]:

            * as of today the jbossws-security xsd is not published online; however, it's available in the jbossws native core library

            * the actual issue in your configuration for setting up jbossws-native ws-security w/ username token auth is that the jboss-wsse-server.xml descriptor above should not have the <username/> element at all. That element is a client-side configuration element for adding the username token header to the message, which is something the client does. The server will automatically check for the existence of that header and try to perform authentication. This is the reason why there's no "username" element in the "requiresType" in the schema, which is correct. There was an error in the samples that I just noticed after years, thanks to your thread (I should have checked the sample back when dealing with https://issues.jboss.org/browse/JBWS-2414, which basically has the explanation of your issue)

            * the descriptors in the samples are not validated against the jbossws-security xsd; to be honest, this is an area for improvement, even if I honestly think we won't spend internal efforts on that given that the focus has moved to JBossWS-CXF for WS-* functionalities. Any contribution here is in any case accepted

            * the http://community.jboss.org/wiki/JBossWS-AdvancedSamples page also needs to be updated; the directions on simply running Ant (default target) were fine at the time of the JBossWS 3.1.x build (perhaps 3.2.x too, I haven't checked recently), but they are not for JBWS 3.4.x / 4.0.x. To be honest, the whole wiki needs to be reviewed together with the website by (or around ;-) ) the time JBossWS 4.0.0 goes final, because with the latest changes in the JBWS 4 major release, most of what is there either does not apply anymore or has simply changed.

            [1] http://community.jboss.org/wiki/JBossWS-AdvancedSamples#comment-8346

            • 3. Re: Where is jboss-ws-security_1_0.xsd
              Steve Cohen Newbie

              Thanks for acknowledging the problems I found, Alessio.  However, my tests reveal that this is not completely correct:

              * the actual issue in your configuration for setting up jbossws-native ws-security w/ username token auth is that the jboss-wsse-server.xml descriptor above should not have the <username/> element at all. That element is a client-side configuration element for adding the username token header to the message, which is something the client does. The server will automatically check for the existence of that header and try to perform authentication. This is the reason why there's no "username" element in the "requiresType" in the schema, which is correct.

              I have three basic test cases:

              1) request has WS-Security header with a valid username/password

              2) request has WS-Security header with an invalid username/password

              3) request has no WS-Security header.

              I expect the following results in these cases:

              1) request is processed, non-error response

              2) request is disallowed ("Invalid User").

              3) request is disallowed ("This service requires <wsse:Security>, which is missing").

              However, the above test suite only passes with a jboss-wsse-server.xml file like that in the sample (note that I have commented out the schema stuff so it won't fail validation in Eclipse).

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-ws-security>
              <!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" -->
                <config>
                  <requires>
                    <username/>
                  </requires>
                </config>
              </jboss-ws-security>

              With this config (as implied by your comment):

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-ws-security>
              <!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" -->
                <config>
                  <!-- <requires> -->
                  <!--   <username/> -->
                  <!-- </requires> -->
                </config>
              </jboss-ws-security>

              then the first two test cases pass but the third one does not, that is, requests without the WS-Security header are allowed.  Thus it seems that the <username> element IS required on the server side to perform security checks correctly.

              • 4. Re: Where is jboss-ws-security_1_0.xsd
                Alessio Soldano Master

                Hi Steve,

                    I have three basic test cases:

                    1) request has WS-Security header with a valid username/password

                    2) request has WS-Security header with an invalid username/password

                    3) request has no WS-Security header.

                    I expect the following results in these cases:

                    1) request is processed, non-error response

                    2) request is disallowed ("Invalid User").

                    3) request is disallowed ("This service requires <wsse:Security>, which is missing").

                    However, the above test suite only passes with a jboss-wsse-server.xml file like that in the sample (note that I have commented out the schema stuff so it won't fail validation in Eclipse).

                    <?xml version="1.0" encoding="UTF-8"?>
                    <jboss-ws-security>
                    <!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" -->
                      <config>
                        <requires>
                          <username/>
                        </requires>
                      </config>
                    </jboss-ws-security>

                    With this config (as implied by your comment):

                    <?xml version="1.0" encoding="UTF-8"?>
                    <jboss-ws-security>
                    <!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" -->
                      <config>
                        <!-- <requires> -->
                        <!--   <username/> -->
                        <!-- </requires> -->
                      </config>
                    </jboss-ws-security>

                    then the first two test cases pass but the third one does not, that is, requests without the WS-Security header are allowed.  Thus it seems that the <username> element IS required on the server side to perform security checks correctly.

                This is likely a consequence of the check in the WSSecurityDispatcher::decodeMessage() method for the existence of requirements in the current ws-security configuration.

                Can you try adding an empty <requires/> element to the server configuration? That should probably be a valid solution here.

                This said, the point here is not being sure you get the message regarding no wsse setup in case 3 above, but rather being sure the invocation does not succeed for missing authentication/authorization reasons. What kind of endpoint do you have? EJB3 or POJO? There are some additional authentication/authorization options (JAAS integration) explained at http://community.jboss.org/wiki/JBossWS-WS-SecurityOptions

                • 5. Re: Where is jboss-ws-security_1_0.xsd
                  Steve Cohen Newbie

                  Yes, with the empty <requires/> element all three test cases pass.  And yes, I wasn't meaning to imply that I expected to get these exact error messages (although I do get these exact messages) but merely that the request would fail with some message indicating the cause of failure.  That is, an invalid username/password should produce a different fault than a missing header.  And it does, so all is well with this configuration.

                  This is with EJB3 endpoints.
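The behaviour Steve measured in replies 3 to 5, as an added illustration that is not JBossWS code: a small Python model of a server-side dispatcher that reads the <requires> element from jboss-wsse-server.xml and applies it to incoming SOAP requests. It does not reproduce WSSecurityDispatcher::decodeMessage(); it only models the shape of the check Alessio describes, namely that with no requirements configured an unauthenticated call is not rejected, while any <requires> element (empty or not) turns a missing <wsse:Security> header into a fault. The configuration variants, the SOAP envelopes, the credential store and the fault strings are all constructed for this example.

```python
"""Added illustration, not JBossWS code: models how a server-side WS-Security
dispatcher decides whether a request may proceed, driven by the <requires>
element of jboss-wsse-server.xml.  Config variants, SOAP envelopes, fault
strings and the credential store are constructed for this example."""
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed credential store standing in for the container's login module.
USERS = {"alice": "s3cret"}

# Constructed jboss-wsse-server.xml variants (namespace omitted, as in the thread).
CONFIG_NO_REQUIRES = "<jboss-ws-security><config/></jboss-ws-security>"
CONFIG_EMPTY_REQUIRES = "<jboss-ws-security><config><requires/></config></jboss-ws-security>"
CONFIG_USERNAME_REQUIRES = (
    "<jboss-ws-security><config><requires><username/></requires></config>"
    "</jboss-ws-security>"
)

MISSING_HEADER_FAULT = "This service requires <wsse:Security>, which is missing"
INVALID_USER_FAULT = "Invalid User"


def has_requirements(config_xml: str) -> bool:
    """True when <config> carries a <requires> element, even an empty one."""
    root = ET.fromstring(config_xml)
    return root.find("./config/requires") is not None


def soap_request(username=None, password=None) -> str:
    """Constructed SOAP 1.1 request; adds a UsernameToken header when credentials are given."""
    header = ""
    if username is not None:
        header = (
            f'<soap:Header><wsse:Security xmlns:wsse="{WSSE}">'
            f"<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>"
            f"<wsse:Password>{password}</wsse:Password></wsse:UsernameToken>"
            "</wsse:Security></soap:Header>"
        )
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}">{header}'
        "<soap:Body><echo>hi</echo></soap:Body></soap:Envelope>"
    )


def decode_message(config_xml: str, message: str) -> str:
    """Return "OK" when the call may proceed, otherwise the fault the server would raise."""
    env = ET.fromstring(message)
    security = env.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        # No header: only a configured requirement turns this into a fault.
        # Without <requires> the dispatcher lets the unauthenticated call through (fail-open).
        return MISSING_HEADER_FAULT if has_requirements(config_xml) else "OK"
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return INVALID_USER_FAULT
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    password = token.findtext(f"{{{WSSE}}}Password") or ""
    expected = USERS.get(user)
    # Constant-time comparison of the password bytes.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return INVALID_USER_FAULT
    return "OK"


def run_cases(config_xml: str) -> dict:
    """Steve's three test cases (reply 3) against one server configuration."""
    return {
        "valid": decode_message(config_xml, soap_request("alice", "s3cret")),
        "invalid": decode_message(config_xml, soap_request("alice", "wrong")),
        "missing": decode_message(config_xml, soap_request()),
    }


if __name__ == "__main__":
    for name, cfg in [("no <requires>", CONFIG_NO_REQUIRES),
                      ("<requires/>", CONFIG_EMPTY_REQUIRES),
                      ("<requires><username/></requires>", CONFIG_USERNAME_REQUIRES)]:
        print(f"{name:36} {run_cases(cfg)}")
```

Running run_cases() against each configuration gives the three outcomes from the thread: without <requires> the missing-header case returns OK, so an endpoint with no requirements silently accepts unauthenticated calls, while both <requires/> and <requires><username/></requires> reject it with the missing-header fault and distinguish that from the bad-credentials fault.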