Darran Lofthouse commented on JBWS-2833:
----------------------------------------
I am sorry but I do not understand the 'bug' being reported here.
If I am reading this correctly this is saying that a configuration with the following
handler needs to be used in order for the authentication to occur: -
org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer
That is the expected behaviour and adding this handler is this step in the instructions: -
"These instructions assume WS-Security has already been enabled, these instructions
describe the additional configuration required to enable authentication and authorization
for POJO endpoints"
WebServiceContext#getUserPrincipal() returns null when a service is
protected by "Standard WSSecurity Endpoint"
---------------------------------------------------------------------------------------------------------------
Key: JBWS-2833
URL: https://jira.jboss.org/jira/browse/JBWS-2833
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: ws-security
Affects Versions: jbossws-native-3.1.2
Environment: jboss-5.1.0.GA (i.e. JBoss Web Services version 3.1.2.GA)
java 1.6
Reporter: Morten Andersen
Assignee: Darran Lofthouse
Attachments: client.zip, server.zip, wstest.war
When exposing a webservice using the "@WebServiceProvider" annotation, and
protecting it with WSSE username token the WebServiceContext#userPrincipal is not set.
The WEB-INF/jboss-wsse-server.xml is configured as described here:
http://www.jboss.org/community/wiki/JBossWS-WS-Securityoptions#POJO_Endpo...
Although this does not really seem to be enough, as it is also required to have
META-INF/standard-jaxws-endpoint-config.xml file with only the "Standard WSSecurity
Endpoint" on the server to actually enforce the authentication of the username
token.
Attached:
* wstest.war: example war - exposing one webservice (compiled from the content of
server.zip)
* server.zip: source for the wstest.war
* client.zip: simple client for the server, sending a username token.
Reproducing the problem:
1) deploy wstest.war to a jboss 5.1.0
2) open the run.sh in the client.zip, and set the JBOSS_5 to fit your installation. If
the server is not listening on 8080, modify the url in the client source
(WsExampleClient.java).
3) compile and run the client, by running ./run.sh
4) inspect the server log. If this says: "[INFO] Principal = null" we have the
problem (expected principal = admin)
Server code:
* service: server.zip:src/main/java/org/example/WsExample.java
* wsdl: server.zip:src/main/webapp/WEB-INF/wsdl
* wsse-config: server.zip:src/main/webapp/WEB-INF/jboss-wsse-server.xml
* wsse-config2: server.zip:src/main/webapp/META-INF/standard-jaxws-endpoint-config.xml
It seems that "wsse-config2" is required. If this is not present, it is
possible for the client to send any client credentials it wants (or leave them out) and it
will still get admission to the service.
Other areas where this has been discussed:
* http://www.jboss.org/index.html?module=bb&op=viewtopic&t=127582&a...
* http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075 (in
relation to the same problem in the JBoss STS)
Should be assigned to Darran Lofthouse.
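The failure mode the reporter describes is that a missing endpoint configuration leaves the WS-Security handler out of the chain, so the UsernameToken is never validated and the endpoint is served to unauthenticated callers. A defence-in-depth measure against exactly that class of misconfiguration is for the endpoint itself to fail closed when WebServiceContext#getUserPrincipal() is null, rather than logging the null and continuing. The following is an added example illustrating that check; it is not the reporter's WsExample code, not part of the attachments, and not JBossWS project code. The class name PrincipalCheckingProvider, the service/port names and the echo body of invoke() are hypothetical; the API calls are standard JAX-WS 2.x / SAAJ 1.3, as shipped with Java 6.

```java
// Added example (hypothetical endpoint, not from the issue attachments):
// a JAX-WS Provider that refuses to serve a request unless the container
// has populated a caller Principal, so a missing WS-Security handler chain
// surfaces as a SOAP fault instead of silently granting access.
import java.security.Principal;
import javax.annotation.Resource;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import javax.xml.transform.Source;
import javax.xml.ws.Provider;
import javax.xml.ws.Service;
import javax.xml.ws.ServiceMode;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.WebServiceProvider;
import javax.xml.ws.soap.SOAPFaultException;

@WebServiceProvider(
        serviceName = "PrincipalCheckingService",   // hypothetical names
        portName = "PrincipalCheckingPort",
        targetNamespace = "http://example.org/added-example")
@ServiceMode(Service.Mode.PAYLOAD)
public class PrincipalCheckingProvider implements Provider<Source> {

    // Injected by the JAX-WS container; its getUserPrincipal() is what the
    // issue reports as null when the WS-Security handler is not in the chain.
    @Resource
    private WebServiceContext wsContext;

    public Source invoke(Source request) {
        // Fail closed: no authenticated caller, no service.
        Principal caller = requireAuthenticatedCaller(wsContext);
        // The real business logic would go here; this example just echoes
        // the payload back once the caller has been established.
        System.out.println("[INFO] Principal = " + caller.getName());
        return request;
    }

    /**
     * Returns the caller Principal or throws a SOAP client fault.
     * A null Principal here means the security handler chain did not run,
     * which is precisely the misconfiguration described in the issue.
     */
    static Principal requireAuthenticatedCaller(WebServiceContext ctx) {
        Principal p = (ctx == null) ? null : ctx.getUserPrincipal();
        if (p == null) {
            throw clientFault("Request rejected: no authenticated principal; "
                    + "check that the WS-Security endpoint configuration is deployed");
        }
        return p;
    }

    /** Builds a SOAP 1.1 Client fault carrying the given reason. */
    private static SOAPFaultException clientFault(String reason) {
        try {
            SOAPFault fault = SOAPFactory.newInstance().createFault();
            fault.setFaultCode(new QName(
                    "http://schemas.xmlsoap.org/soap/envelope/", "Client"));
            fault.setFaultString(reason);
            return new SOAPFaultException(fault);
        } catch (SOAPException e) {
            // Could not even build the fault; still refuse the request.
            throw new WebServiceException(reason, e);
        }
    }
}
```

With this in place, the reproduction step that looks for "[INFO] Principal = null" in the server log would instead see the client receive a fault, which makes the absence of the "Standard WSSecurity Endpoint" configuration visible at the first request rather than after the endpoint has already been served unauthenticated. It complements, and does not replace, deploying the endpoint configuration the issue describes: the principal is only ever populated once the WS-Security handler actually validates the UsernameToken.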