[jbossws-issues] [JBoss JIRA] Commented: (JBWS-2833) WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"
Morten Andersen (JIRA)
jira-events at lists.jboss.org
Sat Nov 21 11:58:29 EST 2009
[ https://jira.jboss.org/jira/browse/JBWS-2833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12495937#action_12495937 ]
Morten Andersen commented on JBWS-2833:
---------------------------------------
Hi Darran,
I am sorry if my description was not clear. The issue is that the WebServiceContext#userPrincipal is not set.
I.e. a POJO like this:
    @Resource
    protected WebServiceContext context;   // injected by the JAX-WS runtime
    @Override
    public Source invoke(Source request) {
        try {
            // expected to print the username-token user, e.g. "Principal = admin"
            LOG.info("Principal = " + context.getUserPrincipal());
will print: "Principal = null" even if protected by correctly configured WSSE.
The expected behaviour is something like: "Principal = admin" (if using the admin user in the username token).
I hope this makes it clearer?
> WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"
> ---------------------------------------------------------------------------------------------------------------
>
> Key: JBWS-2833
> URL: https://jira.jboss.org/jira/browse/JBWS-2833
> Project: JBoss Web Services
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: ws-security
> Affects Versions: jbossws-native-3.1.2
> Environment: jboss-5.1.0.GA (i.e. JBoss Web Services version 3.1.2.GA)
> java 1.6
> Reporter: Morten Andersen
> Assignee: Darran Lofthouse
> Attachments: client.zip, server.zip, wstest.war
>
>
> When exposing a webservice using the "@WebServiceProvider" annotation, and protecting it with WSSE username token the WebServiceContext#userPrincipal is not set.
> The WEB-INF/jboss-wsse-server.xml is configured as described here:
> http://www.jboss.org/community/wiki/JBossWS-WS-Securityoptions#POJO_Endpoint__Authentication_and_Authorization
> Although this does not really seem to be enough, as it is also required to have META-INF/standard-jaxws-endpoint-config.xml file with only the "Standard WSSecurity Endpoint" on the server to actually enforce the authentication of the username token.
> Attached:
> * wstest.war: example war - exposing one webservice (compiled from the content of server.zip)
> * server.zip: source for the wstest.war
> * client.zip: simple client for the server, sending a username token.
> Reproducing the problem:
> 1) deploy wstest.war to a jboss 5.1.0
> 2) open the run.sh in the client.zip, and set the JBOSS_5 to fit your installation. If the server is not listening on 8080, modify the url in the client source (WsExampleClient.java).
> 3) compile and run the client, by running ./run.sh
> 4) inspect the server log. If this says: "[INFO] Principal = null" we have the problem (expected principal = admin)
> Server code:
> * service: server.zip:src/main/java/org/example/WsExample.java
> * wsdl: server.zip:src/main/webapp/WEB-INF/wsdl
> * wsse-config: server.zip:src/main/webapp/WEB-INF/jboss-wsse-server.xml
> * wsse-config2: server.zip:src/main/webapp/META-INF/standard-jaxws-endpoint-config.xml
> It seems that "wsse-config2" is required. If this is not present, it is possible for the client to send any client credentials it wants (or leave them out) and it will still get admission to the service.
> Other areas where this has been discussed:
> * http://www.jboss.org/index.html?module=bb&op=viewtopic&t=127582&postdays=0&postorder=asc&start=20
> * http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075 (in relation to the same problem in the JBoss STS)
> Should be assigned to Darran Lofthouse.
--
This message is automatically generated by JIRA.
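The report above describes two failure modes: the principal is null even when the WS-Security handler runs, and, without the "Standard WSSecurity Endpoint" configuration, the username token is not checked at all. The endpoint below is an added example (not code from the report, the attached wstest.war, or JBossWS itself) showing the check a practitioner would want in any Provider-style endpoint: treat a missing principal as a deployment error and fail closed with a SOAP fault instead of serving the request as an anonymous caller. The class name, the role name "ws-user", and the echo body of invoke() are assumptions chosen for the example; the WebServiceContext, Provider and SAAJ calls are the standard JAX-WS 2.x / SAAJ 1.3 APIs.

```java
import java.security.Principal;

import javax.annotation.Resource;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import javax.xml.transform.Source;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceProvider;
import javax.xml.ws.soap.SOAPFaultException;

/**
 * Provider endpoint that fails closed (example code, not part of the report).
 * If the runtime has not established a caller principal, which is the symptom
 * in JBWS-2833, the request is rejected with a SOAP fault rather than processed.
 */
@WebServiceProvider
@ServiceMode(Service.Mode.PAYLOAD)
public class FailClosedProvider implements Provider<Source> {

    /** Role the caller must hold. Hypothetical name chosen for this example. */
    static final String REQUIRED_ROLE = "ws-user";

    /** SOAP 1.1 client-side fault code ("Client"). */
    private static final QName CLIENT_FAULT =
            new QName(SOAPConstants.URI_NS_SOAP_1_1_ENVELOPE, "Client");

    @Resource
    protected WebServiceContext context;

    @Override
    public Source invoke(Source request) {
        Principal caller = requireAuthenticatedCaller(context, REQUIRED_ROLE);
        // Only after this point is caller.getName() trustworthy.
        // Assumption for the example: echo the payload back to the client.
        return request;
    }

    /**
     * Returns the authenticated caller or throws a SOAP fault.
     * Kept separate from invoke() so it can be exercised with a mock context.
     */
    static Principal requireAuthenticatedCaller(WebServiceContext ctx, String role) {
        Principal caller = ctx.getUserPrincipal();
        if (caller == null) {
            // No principal means the WS-Security handler chain either did not run
            // or did not propagate the username-token identity. Refuse the call;
            // do not fall through and serve it as an anonymous request.
            throw fault("Request rejected: no authenticated principal "
                    + "(WS-Security endpoint configuration not enforced?)");
        }
        if (role != null && !ctx.isUserInRole(role)) {
            throw fault("Request rejected: caller '" + caller.getName()
                    + "' lacks required role");
        }
        return caller;
    }

    /** Builds a SOAP 1.1 Client fault carrying the given reason text. */
    private static SOAPFaultException fault(String reason) {
        try {
            SOAPFactory factory = SOAPFactory.newInstance(SOAPConstants.SOAP_1_1_PROTOCOL);
            SOAPFault f = factory.createFault(reason, CLIENT_FAULT);
            return new SOAPFaultException(f);
        } catch (SOAPException e) {
            throw new IllegalStateException("cannot build SOAP fault", e);
        }
    }
}
```

Deployed alongside the jboss-wsse-server.xml and standard-jaxws-endpoint-config.xml described in the report, this endpoint turns both problems into a visible fault on the client side: if the handler chain is missing, every request is rejected, and if the handler runs but does not set the principal (the bug reported here), the rejection makes the misconfiguration obvious rather than leaving "Principal = null" buried in the server log. The role check is optional; drop the role argument (pass null) when only authentication, not authorization, is required.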