1 Reply Latest reply on Dec 5, 2012 1:39 PM by Jeff Bartolotta

    WS-SecurityPolicy AS 7.1.1

    harry12345678 Newbie

      It seems WS-SecurityPolicy does not work with JBoss 7.1.1 Full profile.
      WS client sends the message correctly with security header (see server log below) however server can not understand it.

       

      Do you have an idea what could be the problem? Is it a configuration issue or a bug?

       

       

      Server side said:

      WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-1) Interceptor for {http://org.xy.webservice}ServiceName#{http://org.xy.webservice}read has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.

       

       

      CLIENT SIDE

       

       

      Test client:

      ------------

              URL wsdlURL = new URL("http://IP:PORT/context/ServiceName/ServiceNameWS?wsdl");

              QName qname = new QName("http://org.xy.webservice", "ServiceName");

              Service service = Service.create(wsdlURL, qname);

              ServiceName port = (ServiceName) service.getPort(ServiceName.class);

       

       

              Map<String, Object> ctx = ((BindingProvider)port).getRequestContext();

              ctx.put(SecurityConstants.USERNAME, "USERNAME");

              ctx.put(SecurityConstants.CALLBACK_HANDLER, com.demo.PasswordCallbackHandlerClient.class.getName());

              ctx.put(SecurityConstants.ALWAYS_ENCRYPT_UT, true);

       

       

                XYZ response = port.read("12345");

       

       

       

       

      CallbackHandlerClient:

      ----------------------

      public class PasswordCallbackHandlerClient implements CallbackHandler {

       

       

          @Override

          public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

              for (int i=0; i< callbacks.length; i++) {

                  if (callbacks[i] instanceof WSPasswordCallback) {

                      WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                      pc.setPassword("xy");

                  }

              }

          }

       

       

             

      SERVER SIDE

       

       

      MANIFEST.MF:

      ------------

      Manifest-Version: 1.0

      Ant-Version: Apache Ant 1.7.1

      Created-By: 17.0-b16 (Sun Microsystems Inc.)

      Dependencies: org.apache.cxf, com.sun.xml.bind, org.apache.ws.security

       

       

      Service interface on server side:

      -----------------------

      @Local

      @WebService(name="ServiceName", targetNamespace="http://org.xy.webservice")

      public interface ServiceName {

       

      Service implementation on server side:

      -----------------------

      @Stateless

      @WebService(portName = "ServiceNamePort", name = "ServiceNameWS", serviceName = "ServiceName", targetNamespace = "http://org.xy.webservice", endpointInterface = "ServiceName")

      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = Use.LITERAL)

      @EndpointProperties(value = {

      @EndpointProperty(key = "ws-security.callback-handler ", value = "org.xy.PasswordCallbackHandlerServer"),

      @EndpointProperty(key = "ws-security.validate.token", value = "false")})

      @InInterceptors(interceptors = { "org.apache.cxf.interceptor.LoggingInInterceptor",

              "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"

      })

      @OutInterceptors(interceptors = "org.apache.cxf.interceptor.LoggingOutInterceptor")

      @Policies({ @Policy(uri = "SecurityPolicy.xml") })

      public class ServiceNameImpl implements ServiceName { 

       

      Method authorization definition is handled by @RolesAllowed(value = { "role1" })

       

       

      jboss-web.xml:

      <?xml version="1.0"?>

      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

      <jboss-web>

                <security-domain>java:/jaas/wssecurity-domain</security-domain>

      </jboss-web>

       

       

       

       

      SecurityPolicy.xml:

      -------------------

      <?xml version="1.0" encoding="UTF-8"?>

      <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"

                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

                <wsp:ExactlyOne>

                          <wsp:All>

                                    <sp:SupportingTokens>

                                              <wsp:Policy>

                                                        <sp:UsernameToken

                                                                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">

                                                                  <wsp:Policy>

                                                                            <sp:HashPassword />

                                                                  </wsp:Policy>

                                                        </sp:UsernameToken>

                                              </wsp:Policy>

                                    </sp:SupportingTokens>

                          </wsp:All>

                </wsp:ExactlyOne>

      </wsp:Policy>

       

       

      standalone.xml:

      ---------------

                      <security-domain name="wssecurity-domain">

                          <authentication>

                              <login-module code="Database" flag="required">

                                  <module-option name="dsJndiName" value="java:/jboss/datasources/MainDS"/>

                                  <module-option name="principalsQuery" value="..."/>

                                  <module-option name="rolesQuery" value="..."/>

                                  <module-option name="hashAlgorithm" value="SHA"/>

                                  <module-option name="hashEncoding" value="BASE64"/>

                                  <module-option name="hashCharset" value="UTF-8"/>

                                  <module-option name="hashUserPassword" value="false"/>

                                  <module-option name="hashStorePassword" value="true"/>

                                  <module-option name="storeDigestCallback" value="org.jboss.wsf.stack.cxf.security.authentication.callback.UsernameTokenCallback"/>

                                  <module-option name="unauthenticatedIdentity" value="anonymous"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

       

      Log from server side:

       

       

      Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1"><wsse:Username>USERNAME</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">kmmJ3YGRbC+7WH3qfEWy8+n83Sk=</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">7MWXmcGoJ5uMmukJ13cggA==</wsse:Nonce><wsu:Created>2012-10-17T09:38:25.036Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns2:read xmlns:ns2="http://org.xy.webservice"><arg0>12345</arg0></ns2:read></soap:Body></soap:Envelope>

      --------------------------------------

      11:38:25,088 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-1) Interceptor for {http://org.xy.webservice}ServiceName#{http://org.xy.webservice}read has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.

                at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6]

                at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6]

                at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6]

                at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) [cxf-api-2.4.6.jar:2.4.6]

                at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-rt-core-2.4.6.jar:2.4.6]

                at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207) [cxf-rt-transports-http-2.4.6.jar:2.4.6]

                at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)

                at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)

                at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)

                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185) [cxf-rt-transports-http-2.4.6.jar:2.4.6]

                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108) [cxf-rt-transports-http-2.4.6.jar:2.4.6]

                at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]

                at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)

                at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]

                at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]

                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]

                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]

                at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]

                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]

                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]

                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]

                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]

                at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]

                at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]

                at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_07]

        • 1. Re: WS-SecurityPolicy AS 7.1.1
          Jeff Bartolotta Newbie

          I was having the same issue and was able to solve it by adding org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor to the list of interceptors. Once I did this, I got an exception that no actions were defined. To fix this I subclassed org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor interceptor and set the WSHandlerConstants.ACTION property in the constructor. I am not using spring, so I could not configure it via jboss-cxf.xml and could not find any documentation for how to configure the interceptor via annotations.

           

          // Interceptor class

          public class LottasoftWSS4JInInterceptor extends org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor {

              public LottasoftWSS4JInInterceptor() {

                  super();

                  getProperties().put(WSHandlerConstants.ACTION, "UsernameToken Timestamp");

              }

          }

           

          I also had to add two EndpointProperties for the password validation

          @EndpointProperties(value = {

                  @EndpointProperty(key = "ws-security.is-bsp-compliant", value = "false"),

                  @EndpointProperty(key = WSHandlerConstants.PW_CALLBACK_CLASS, value = "com.lottasoft.webservice.security.WSSecurityCallbackHandler")