<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <!-- To have a header image/logo replace the name below with your img tag -->
                                                                        <!-- Email clients will render the images when the message is read so any image -->
                                                                        <!-- must be made available on a public server, so that all recipients can load the image. -->
                                                                        <a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Re: Where is jboss-ws-security_1_0.xsd
</h3>
<span style="margin-bottom: 10px;">
created by <a href="http://community.jboss.org/people/stevecoh4">Steve Cohen</a> in <i>JBoss Web Services</i> - <a href="http://community.jboss.org/message/639902#639902">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Thanks for acknowledging the problems I found, Alessio.  However, my tests reveal that this is not completely correct:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><blockquote class="jive-quote"><p>* the actual issue in your configuration for setting up jbossws-native ws-security w/ username token auth is in the fact the jboss-wsse-server.xml descriptor above should not have the <username/> element at all. That element is a client side configuration element for adding the username token header into the message, which is something the client does. The server will automatically check for existence of that header and try performing authentication. This is the reason why there's no "username" element in the "requiresType" in the schema, which is correct.</p></blockquote><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I have three basic test cases:</p><p>1) request has WS-Security header with a valid username/password</p><p>2) request has WS-Security header with an invalid username/password</p><p>3) request has no WS-Security header.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I expect the follwing results in these cases:</p><p>1) request is processed, non-error response</p><p>2) request is disallowed ("Invalid User".)</p><p>3) request is disallowed ("This service requires <wsse:Security>, which is missing").</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>However. the above test suite only passes with a file jboss-wsse-server.xml like that in the sample (note that I have commented out the schema stuff so it won't fail vaidation in Eclipse).</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><blockquote class="jive-quote"><p><?xml version="1.0" encoding="UTF-8"?></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><jboss-ws-security> </p><p><span><!--  xmlns="</span><a class="jive-link-external-small" href="http://www.jboss.com/ws-security/config" target="_blank">http://www.jboss.com/ws-security/config</a><span>" xmlns:xsi="</span><a class="jive-link-external-small" href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a><span>"</span></p><p><span>  xsi:schemaLocation="</span><a class="jive-link-external-small" href="http://www.jboss.com/ws-security/config" target="_blank">http://www.jboss.com/ws-security/config</a><span> </span><a class="jive-link-external-small" href="http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" target="_blank">http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd</a><span>"--></span></p><p><config> </p><p><requires></p><p>      <username/></p><p></requires></p><p></config></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p></jboss-ws-security></p></blockquote><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>With this config (as implied by your comment:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><blockquote class="jive-quote"><p><?xml version="1.0" encoding="UTF-8"?></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><jboss-ws-security> </p><p><span><!--  xmlns="</span><a class="jive-link-external-small" href="http://www.jboss.com/ws-security/config" target="_blank">http://www.jboss.com/ws-security/config</a><span>" xmlns:xsi="</span><a class="jive-link-external-small" href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a><span>"</span></p><p><span>  xsi:schemaLocation="</span><a class="jive-link-external-small" href="http://www.jboss.com/ws-security/config" target="_blank">http://www.jboss.com/ws-security/config</a><span> </span><a class="jive-link-external-small" href="http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" target="_blank">http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd</a><span>"--></span></p><p><config> </p><p><!-- <requires> --></p><p><!--       <username/> --></p><p><!-- </requires> --></p></config><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p></jboss-ws-security></p></blockquote><p>then the first two test cases pass but the third one does not, that is, requests without the W2Security header are allowed.  Thus it seems that the <username> element IS required on the server side to perform security checks correctly.</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="http://community.jboss.org/message/639902#639902">going to Community</a></p>
        <p style="margin: 0;">Start a new discussion in JBoss Web Services at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2044">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>