[jboss-jira] [JBoss JIRA] (AS7-5827) WS-SecurityPolicy AS 7.1.1

Harry Callahan created AS7-5827: ----------------------------------- Summary: WS-SecurityPolicy AS 7.1.1 Key: AS7-5827 URL: https://issues.jboss.org/browse/AS7-5827 Project: Application Server 7 Issue Type: Bug Components: Web Services Affects Versions: 7.1.1.Final Environment: JBoss AS 7.1.1 Reporter: Harry Callahan Assignee: Alessio Soldano Priority: Critical Fix For: Open To Community It seems WS-SecurityPolicy does not work with JBoss 7.1.1 Full profile. WS client sends the message correctly with security header (see server log below) however server can not understand it. Do you have an idea what could be the problem? Is it a configuration issue or a bug? Server side said: WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-1) Interceptor for {http://org.xy.webservice}ServiceName#{http://org.xy.webservice}read has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood. CLIENT SIDE Test client: ------------ URL wsdlURL = new URL("http://IP:PORT/context/ServiceName/ServiceNameWS?wsdl"); QName qname = new QName("http://org.xy.webservice", "ServiceName"); Service service = Service.create(wsdlURL, qname); ServiceName port = (ServiceName) service.getPort(ServiceName.class); Map<String, Object> ctx = ((BindingProvider)port).getRequestContext(); ctx.put(SecurityConstants.USERNAME, "USERNAME"); ctx.put(SecurityConstants.CALLBACK_HANDLER, com.demo.PasswordCallbackHandlerClient.class.getName()); ctx.put(SecurityConstants.ALWAYS_ENCRYPT_UT, true); XYZ response = port.read("12345"); CallbackHandlerClient: ---------------------- public class PasswordCallbackHandlerClient implements CallbackHandler { @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i=0; i< callbacks.length; i++) { if (callbacks[i] instanceof WSPasswordCallback) { WSPasswordCallback pc = (WSPasswordCallback) callbacks[i]; pc.setPassword("xy"); } } } SERVER SIDE MANIFEST.MF: ------------ Manifest-Version: 1.0 Ant-Version: Apache Ant 1.7.1 Created-By: 17.0-b16 (Sun Microsystems Inc.) Dependencies: org.apache.cxf, com.sun.xml.bind, org.apache.ws.security Service interface on server side: ----------------------- @Local @WebService(name="ServiceName", targetNamespace="http://org.xy.webservice") public interface ServiceName { Service implementation on server side: ----------------------- @Stateless @WebService(portName = "ServiceNamePort", name = "ServiceNameWS", serviceName = "ServiceName", targetNamespace = "http://org.xy.webservice", endpointInterface = "ServiceName") @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = Use.LITERAL) @EndpointProperties(value = { @EndpointProperty(key = "ws-security.callback-handler ", value = "org.xy.PasswordCallbackHandlerServer"), @EndpointProperty(key = "ws-security.validate.token", value = "false")}) @InInterceptors(interceptors = { "org.apache.cxf.interceptor.LoggingInInterceptor", "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor" }) @OutInterceptors(interceptors = "org.apache.cxf.interceptor.LoggingOutInterceptor") @Policies({ @Policy(uri = "SecurityPolicy.xml") }) public class ServiceNameImpl implements ServiceName { Method authorization definition is handled by @RolesAllowed(value = { "role1" }) jboss-web.xml: <?xml version="1.0"?> <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> <jboss-web> <security-domain>java:/jaas/wssecurity-domain</security-domain> </jboss-web> SecurityPolicy.xml: ------------------- <?xml version="1.0" encoding="UTF-8"?> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... <wsp:ExactlyOne> <wsp:All> <sp:SupportingTokens> <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/... <wsp:Policy> <sp:HashPassword /> </wsp:Policy> </sp:UsernameToken> </wsp:Policy> </sp:SupportingTokens> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> standalone.xml: --------------- <security-domain name="wssecurity-domain"> <authentication> <login-module code="Database" flag="required"> <module-option name="dsJndiName" value="java:/jboss/datasources/MainDS"/> <module-option name="principalsQuery" value="..."/> <module-option name="rolesQuery" value="..."/> <module-option name="hashAlgorithm" value="SHA"/> <module-option name="hashEncoding" value="BASE64"/> <module-option name="hashCharset" value="UTF-8"/> <module-option name="hashUserPassword" value="false"/> <module-option name="hashStorePassword" value="true"/> <module-option name="storeDigestCallback" value="org.jboss.wsf.stack.cxf.security.authentication.callback.UsernameTokenCallback"/> <module-option name="unauthenticatedIdentity" value="anonymous"/> </login-module> </authentication> </security-domain> Log from server side: Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><s... soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-... xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w... wsu:Id="UsernameToken-1"><wsse:Username>USERNAME</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-userna... EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws... xmlns:ns2="http://org.xy.webservice"><arg0>12345</arg0></ns2:read></soap:Body></soap:Envelope> -------------------------------------- 11:38:25,088 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-1) Interceptor for {http://org.xy.webservice}ServiceName#{http://org.xy.webservice}read has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood. at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6] at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6] at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) [cxf-api-2.4.6.jar:2.4.6] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-rt-core-2.4.6.jar:2.4.6] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207) [cxf-rt-transports-http-2.4.6.jar:2.4.6] at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91) at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169) at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185) [cxf-rt-transports-http-2.4.6.jar:2.4.6] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108) [cxf-rt-transports-http-2.4.6.jar:2.4.6] at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135) at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA] at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:] at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:] at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_07] -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira