[jbossws-issues] [JBoss JIRA] (JBWS-2833) WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"

Alessio Soldano (JIRA) jira-events at lists.jboss.org
Tue Mar 20 11:27:50 EDT 2012


     [ https://issues.jboss.org/browse/JBWS-2833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alessio Soldano updated JBWS-2833:
----------------------------------

      Fix Version/s: community contributions
    Forum Reference: http://community.jboss.org/wiki/jbosssecuritytokenservice  (was: http://community.jboss.org/wiki/jbosssecuritytokenservice)

    
> WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: JBWS-2833
>                 URL: https://issues.jboss.org/browse/JBWS-2833
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: ws-security
>    Affects Versions:  jbossws-native-3.1.2
>         Environment: jboss-5.1.0.GA (i.e. JBoss Web Services version 3.1.2.GA)
> java 1.6
>            Reporter: Morten Andersen
>             Fix For: community contributions
>
>         Attachments: client.zip, server.zip, wstest.war
>
>
> When exposing a webservice using the "@WebServiceProvider" annotation, and protecting it with WSSE username token the WebServiceContext#userPrincipal is not set.
> The WEB-INF/jboss-wsse-server.xml is configured as described here:
> 	http://www.jboss.org/community/wiki/JBossWS-WS-Securityoptions#POJO_Endpoint__Authentication_and_Authorization
> Although this does not really seem to be enough, as it is also required to have META-INF/standard-jaxws-endpoint-config.xml file with only the "Standard WSSecurity Endpoint" on the server to actually enforce the authentication of the username token.
> Attached:
> 	* wstest.war: example war - exposing one webservice (compiled from the content of server.zip)
> 	* server.zip: source for the wstest.war
> 	* client.zip: simple client for the server, sending a username token.
> Reproducing the problem:
> 	1) deploy wstest.war to a jboss 5.1.0
> 	2) open the run.sh in the client.zip, and set the JBOSS_5 to fit your installation. If the server is not listening on 8080, modify the url in the client source (WsExampleClient.java).
> 	3) compile and run the client, by running ./run.sh
> 	4) inspect the server log. If this says: "[INFO] Principal = null" we have the problem (expected principal = admin)
> Server code:
> 	* service: server.zip:src/main/java/org/example/WsExample.java
> 	* wsdl: server.zip:src/main/webapp/WEB-INF/wsdl
> 	* wsse-config: server.zip:src/main/webapp/WEB-INF/jboss-wsse-server.xml
> 	* wsse-config2: server.zip:src/main/webapp/META-INF/standard-jaxws-endpoint-config.xml
> It seems that "wsse-config2" is required. If this is not present, it is possible for the client to send any client credentials it wants (or leave them out) and it will still get admission to the service.
> Other areas where this has been discussed:
>  * http://www.jboss.org/index.html?module=bb&op=viewtopic&t=127582&postdays=0&postorder=asc&start=20
>  * http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075 (in relation to the same problem in the JBoss STS)
> Should be assigned to Darran Lofthouse.
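As an added example (not code from the attachments or from JBossWS itself): a Provider-based endpoint that treats a null principal as an authentication failure rather than just logging it, so the service fails closed if the WS-Security endpoint config was not applied and the username token was never validated. It assumes jbossws-native's `org.jboss.ws.annotation.EndpointConfig` annotation as an alternative to the META-INF/standard-jaxws-endpoint-config.xml file the report uses; the service/port names are placeholders.

```java
import java.io.StringReader;
import java.security.Principal;
import javax.annotation.Resource;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceProvider;
import javax.xml.ws.soap.SOAPFaultException;
import org.jboss.ws.annotation.EndpointConfig;

// Placeholder names; the WSDL in server.zip defines the real ones.
@WebServiceProvider(serviceName = "WsExampleService", portName = "WsExamplePort",
        targetNamespace = "http://example.org/ws")
@ServiceMode(Service.Mode.PAYLOAD)
// Assumption: jbossws-native annotation selecting the same endpoint config
// the report enables via META-INF/standard-jaxws-endpoint-config.xml.
@EndpointConfig(configName = "Standard WSSecurity Endpoint")
public class WsExample implements Provider<Source> {

    private static final String SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/";

    @Resource
    private WebServiceContext ctx;

    public Source invoke(Source request) {
        // Fail closed: never serve a request whose caller was not authenticated.
        Principal caller = requireAuthenticatedCaller();
        // Do not echo the principal name into XML without escaping it.
        return new StreamSource(new StringReader("<ok xmlns=\"http://example.org/ws\"/>"));
    }

    // Returns the authenticated caller or raises a SOAP Client fault when the
    // WS-Security handler chain did not set a principal (the symptom in JBWS-2833).
    Principal requireAuthenticatedCaller() {
        Principal p = ctx == null ? null : ctx.getUserPrincipal();
        if (p == null) {
            throw clientFault("Authentication required: no principal on WebServiceContext");
        }
        return p;
    }

    private static SOAPFaultException clientFault(String message) {
        try {
            SOAPFault fault = SOAPFactory.newInstance()
                    .createFault(message, new QName(SOAP_ENV, "Client"));
            return new SOAPFaultException(fault);
        } catch (SOAPException e) {
            throw new IllegalStateException("cannot build SOAP fault", e);
        }
    }
}
```

With this check in place, the "[INFO] Principal = null" case in step 4 of the report surfaces as a fault to the client instead of a served response, which also makes the misconfiguration visible in the server log.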

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira