JBoss Community

Re: Where is jboss-ws-security_1_0.xsd

created by Alessio Soldano in JBoss Web Services

Hi Steve,

I have three basic test cases:

1) request has WS-Security header with a valid username/password

2) request has WS-Security header with an invalid username/password

3) request has no WS-Security header.
I expect the following results in these cases:

1) request is processed, non-error response

2) request is disallowed ("Invalid User".)

3) request is disallowed ("This service requires <wsse:Security>, which is missing").
However, the above test suite only passes with a file jboss-wsse-server.xml like that in the sample (note that I have commented out the schema stuff so it won't fail validation in Eclipse).


<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security>
<!--  xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
  <config>
    <requires>
      <username/>
    </requires>
  </config>
</jboss-ws-security>


With this config (as implied by your comment):


<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security>
<!--  xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
  <config>
    <!-- <requires> -->
    <!--       <username/> -->
    <!-- </requires> -->
  </config>
</jboss-ws-security>

then the first two test cases pass but the third one does not, that is, requests without the WS-Security header are allowed. Thus it seems that the <username> element IS required on the server side to perform security checks correctly.

This is likely a consequence of the check that's in the WSSecurityDispatcher::decodeMessage() method on the existence of requirements in the current ws-security configuration.

Can you try adding an empty <requires/> element to the server configuration? That should probably be a valid solution here.

This said, the problem here is not in being sure you get the message regarding no wsse setup in case 3 above, while instead being sure the invocation does not succeed due to missing authentication/authorization reasons. How is your endpoint? EJB3 or POJO? There are some additional authentication/authorization options (jaas integration) explained at http://community.jboss.org/wiki/JBossWS-WS-SecurityOptions
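As an added example (not code from the thread or from JBossWS), a small Python check that parses a jboss-wsse-server.xml and flags every <config> that has no <requires> element, the configuration under which header-less requests were accepted in test case 3 above; it matches element names with or without the schema namespace, since the sample comments out the xmlns. The three sample configs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for this example (not files from the thread).
WITH_USERNAME = """<jboss-ws-security>
  <config>
    <requires>
      <username/>
    </requires>
  </config>
</jboss-ws-security>"""

NO_REQUIRES = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config>
    <!-- <requires><username/></requires> -->
  </config>
</jboss-ws-security>"""

EMPTY_REQUIRES = """<jboss-ws-security>
  <config>
    <requires/>
  </config>
</jboss-ws-security>"""


def _local(tag):
    # "{http://www.jboss.com/ws-security/config}config" -> "config", so the
    # check works whether or not the file declares the schema namespace.
    return tag.rsplit("}", 1)[-1]


def audit_wsse_config(xml_text):
    """Return (severity, message) per <config>: FAIL_OPEN if it has no <requires>
    (the state in which header-less requests passed test case 3 above), NOTE for an
    empty <requires/> (the reply's suggestion; confirm it with that test), else OK."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if _local(cfg.tag) != "config":
            continue
        requires = [c for c in cfg if _local(c.tag) == "requires"]
        if not requires:
            findings.append(("FAIL_OPEN", "<config> has no <requires> element"))
            continue
        for req in requires:
            names = sorted(_local(c.tag) for c in req)
            if names:
                findings.append(("OK", "requires " + ", ".join(names)))
            else:
                findings.append(("NOTE", "empty <requires/>; verify with a header-less request"))
    return findings
```

Run it over the deployed file with `audit_wsse_config(open(path).read())`; any FAIL_OPEN finding means the dispatcher has no requirements to enforce for that config.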