Alessio Soldano [http://community.jboss.org/people/asoldano] created the discussion
"Re: Where is jboss-ws-security_1_0.xsd"
To view the discussion, visit:
http://community.jboss.org/message/639916#639916
--------------------------------------------------------------
Hi Steve,
I have three basic test cases:
1) request has WS-Security header with a valid username/password
2) request has WS-Security header with an invalid username/password
3) request has no WS-Security header.
I expect the following results in these cases:
1) request is processed, non-error response
2) request is disallowed ("Invalid User".)
3) request is disallowed ("This service requires <wsse:Security>, which is
missing").
However, the above test suite only passes with a file jboss-wsse-server.xml like that in
the sample (note that I have commented out the schema stuff so it won't fail validation
in Eclipse).
> <?xml version="1.0" encoding="UTF-8"?>
>
> <jboss-ws-security>
> <!-- xmlns="http://www.jboss.com/ws-security/config"
>      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>      xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
>   <config>
>     <requires>
>       <username/>
>     </requires>
>   </config>
>
> </jboss-ws-security>
With this config (as implied by your comment):
> <?xml version="1.0" encoding="UTF-8"?>
>
> <jboss-ws-security>
> <!-- xmlns="http://www.jboss.com/ws-security/config"
>      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>      xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
>   <config>
>     <!-- <requires> -->
>     <!-- <username/> -->
>     <!-- </requires> -->
>   </config>
> </jboss-ws-security>
then the first two test cases pass but the third one does not, that is, requests without
the WS-Security header are allowed. Thus it seems that the <username> element IS
required on the server side to perform security checks correctly.
This is likely a consequence of the check that's in the
WSSecurityDispatcher::decodeMessage() method on the existence of requirements in
the current ws-security configuration.
Can you try adding an empty <requires/> element to the server configuration? That
should probably be a valid solution here.
This said, the problem here is not in being sure you get the message regarding no wsse
setup in case 3 above, but rather in being sure the invocation does not succeed due to
missing authentication/authorization reasons. What is your endpoint? EJB3 or POJO? There
are some additional authentication/authorization options (jaas integration) explained at
http://community.jboss.org/docs/DOC-13538
http://community.jboss.org/wiki/JBossWS-WS-SecurityOptions
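
An added example, not part of the original message and not JBossWS code: a small lint for jboss-wsse-server.xml that reports, for each <config>, whether <requires> is present, empty, or missing, the last being the case in which the thread saw requests without <wsse:Security> accepted. The function names, status strings and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the configurations discussed in the thread.
WITH_REQUIRES = b"""<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security>
  <config><requires><username/></requires></config>
</jboss-ws-security>"""

COMMENTED_OUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security>
  <config>
    <!-- <requires> -->
    <!-- <username/> -->
    <!-- </requires> -->
  </config>
</jboss-ws-security>"""

EMPTY_REQUIRES = b"""<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config><requires/></config>
</jboss-ws-security>"""

def _local(tag):
    # Drop a "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def requires_status(xml_bytes):
    """Classify every <config> element: missing, empty, or listing requirements."""
    root = ET.fromstring(xml_bytes)  # the default parser discards XML comments
    if _local(root.tag) != "jboss-ws-security":
        raise ValueError("not a jboss-ws-security document")
    statuses = []
    for cfg in (e for e in root.iter() if _local(e.tag) == "config"):
        requires = [c for c in cfg if _local(c.tag) == "requires"]
        if not requires:
            statuses.append("missing-requires")
            continue
        kinds = sorted({_local(c.tag) for r in requires for c in r})
        statuses.append("requires:" + ",".join(kinds) if kinds else "empty-requires")
    return statuses

def findings(xml_bytes):
    """Warnings for configs where, per the thread, a missing header went unrejected."""
    statuses = requires_status(xml_bytes)
    out = [] if statuses else ["no <config> element found"]
    out += [f"<config> #{i}: no <requires>; test a request without <wsse:Security>"
            for i, s in enumerate(statuses, 1) if s == "missing-requires"]
    return out
```

Running findings() over a deployment's jboss-wsse-server.xml before the three test cases makes the commented-out <requires> variant visible without sending a request.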