[jbossws-issues] [JBoss JIRA] Commented: (JBWS-2833) WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"

WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint" --------------------------------------------------------------------------------------------------------------- Key: JBWS-2833 URL: https://jira.jboss.org/jira/browse/JBWS-2833 Project: JBoss Web Services Issue Type: Bug Security Level: Public(Everyone can see) Components: ws-security Affects Versions: jbossws-native-3.1.2 Environment: jboss-5.1.0.GA (i.e. JBoss Web Services version 3.1.2.GA) java 1.6 Reporter: Morten Andersen Assignee: Darran Lofthouse Attachments: client.zip, server.zip, wstest.war When exposing a webservice using the "@WebServiceProvider" annotation, and protecting it with WSSE username token the WebServiceContext#userPrincipal is not set. The WEB-INF/jboss-wsse-server.xml is configured as described here: http://www.jboss.org/community/wiki/JBossWS-WS-Securityoptions#POJO_Endpo... Although this does not really seem to be enough, as it is also required to have META-INF/standard-jaxws-endpoint-config.xml file with only the "Standard WSSecurity Endpoint" on the server to actually enforce the authentication of the username token. Attached: * wstest.war: example war - exposing one webservice (compiled from the content of server.zip) * server.zip: source for the wstest.war * client.zip: simple client for the server, sending a username token. Reproducing the problem: 1) deploy wstest.war to a jboss 5.1.0 2) open the run.sh in the client.zip, and set the JBOSS_5 to fit your installation. It the server is not listening on 8080, modify the url in the client source (WsExampleClient.java). 3) compile and run the client, by running ./run.sh 4) inspect the server log. If this says: "[INFO] Principal = null" we have the problem (expected principal = admin) Server code: * service: server.zip:src/main/java/org/example/WsExample.java * wsdl: server.zip:src/main/webapp/WEB-INF/wsdl * wsse-config: server.zip:src/main/webapp/WEB-INF/jboss-wsse-server.xml * wsse-config2: server.zip:src/main/webapp/META-INF/standard-jaxws-endpoint-config.xml It seems that "wsse-config2" is required. If this is not present, it is possible for the client to send any client credentials it want (or leave them out) and it will still get admission to the service. Other areas where this has been discussed: * http://www.jboss.org/index.html?module=bb&op=viewtopic&t=127582&a... * http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075 (in relation to the same problem in the JBoss STS) Should be assigned to Darran Lofthouse.