[jboss-user] [JBossWS] - Re: WSSE UsernameToken without HTTP basic auth?

alessio.soldano@jboss.com do-not-reply at jboss.com
Fri Jan 18 13:29:11 EST 2008


I did a few tests and some investigation.

"mageshbk at jboss.com" wrote : The Username token sent in the SOAP Message is the one used by the endpoint server/stack to authenticate the user who is performing this request. This is called MessageLevel Security as defined by UsernameToken profile. If you see, Servlet endpoints can be configured with only basic or digest as per the specs of their deployment model. So setting AUTH_TYPE_WSSE is not and will not be applicable to the servlet deployment model unless you write your own customized implementation for it.

mikaeljl, in other words this means you can easily and successfully use the wsse username token profile without basic authentication through EJB3 endpoints.
I did it this way:

  | @WebService(
  |       wsdlLocation = "META-INF/wsdl/WsSecurity10.wsdl", 
  |       serviceName = "PingService10",
  |       name = "IPingService",
  |       targetNamespace = "http://InteropBaseAddress/interop",
  |       endpointInterface = "org.jboss.test.ws.interop.nov2007.wsse.IPingService",
  |       portName = "UserNameOverTransport_IPingService")
  | @EndpointConfig(configName = "Standard WSSecurity Endpoint")
  | @Stateless
  | @SecurityDomain("JBossWS")
  | @WebContext(contextRoot="/nov2007/wsseUsernameTokenHTTPS", urlPattern="/endpoint")
  | public class UsernameTokenHTTPSTestService extends TestService implements IPingService {
  | ...
  | }
  | 
Please note: no authMethod and no transportGuarantee in the @WebContext.

On the client side:

  | ((BindingProvider)port).getRequestContext().put(StubExt.PROPERTY_AUTH_TYPE, StubExt.PROPERTY_AUTH_TYPE_WSSE);
  | ((BindingProvider)port).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
  | ((BindingProvider)port).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "thefrog");
  | 
This prevents the stack from using basic auth and sets the user/pwd in the context so that they can be put in the UsernameToken. Using the wrong user/pwd pair causes an authentication failure due to a javax.ejb.EJBAccessException.
Of course you need to set the client wsse config the right way:

  | <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  |   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  |   <config>
  |       <username/>
  |       <timestamp ttl="300"/>
  |   </config>
  | </jboss-ws-security>
  | 
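An added example, not from the original post or from the JBossWS code base, of the check the endpoint side has to perform on the request the client config above produces: it parses the wsse:UsernameToken and wsu:Timestamp from the SOAP header, enforces the 300 s ttl and compares the credentials. The credential store, the fixed clock and the helper names are assumptions made for the demo.

```python
"""Server-side check of a wsse:UsernameToken (PasswordText) plus wsu:Timestamp,
i.e. what the endpoint's "Standard WSSecurity Endpoint" config has to enforce when
no HTTP Basic auth is present: credentials come only from the SOAP header."""
from datetime import datetime, timedelta, timezone
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PWTEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
NS = {"wsse": WSSE, "wsu": WSU, "soapenv": "http://schemas.xmlsoap.org/soap/envelope/"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
USERS = {"kermit": "thefrog"}  # constructed store; JBossWS delegates to the security domain
NOW = datetime(2008, 1, 18, 18, 29, 11, tzinfo=timezone.utc)  # fixed clock for the demo

def build_request(user, password, created, ttl=300):
    """Constructed request as the client stack emits it with PROPERTY_AUTH_TYPE_WSSE set."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}"><soapenv:Header>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
    <wsu:Timestamp><wsu:Created>{created.strftime(FMT)}</wsu:Created>
      <wsu:Expires>{(created + timedelta(seconds=ttl)).strftime(FMT)}</wsu:Expires></wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>{user}</wsse:Username>
      <wsse:Password Type="{PWTEXT}">{password}</wsse:Password></wsse:UsernameToken>
  </wsse:Security></soapenv:Header><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>"""

def authenticate(xml, now, ttl=300):
    """Return the username on success, None on any failure (the EJB layer would then
    raise EJBAccessException). Rejects missing header, stale/future timestamp, bad creds."""
    sec = ET.fromstring(xml).find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return None
    created = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
    if created is None:
        return None
    created_dt = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
    # Enforce the ttl the same way the <timestamp ttl="300"/> config intends;
    # no clock-skew allowance here (assumption), so future-dated tokens fail too.
    if not (now - timedelta(seconds=ttl) <= created_dt <= now):
        return None
    user = sec.findtext("wsse:UsernameToken/wsse:Username", namespaces=NS)
    pwd = sec.findtext("wsse:UsernameToken/wsse:Password", namespaces=NS)
    expected = USERS.get(user)
    if expected is None or pwd is None or not hmac.compare_digest(expected, pwd):
        return None
    return user

def demo(user, password, age_seconds):
    """Build a request whose Created is age_seconds before NOW and authenticate it."""
    return authenticate(build_request(user, password, NOW - timedelta(seconds=age_seconds)), NOW)
```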

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4121401#4121401
