I am using JBossWS WS-Security. Server side has settings like this:
jboss-wsse-server.xml
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  <key-store-file>/etc/security/wsse.keystore</key-store-file>
  <key-store-password>{CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-keystore.password</key-store-password>
  <trust-store-file>/etc/security/wsse.truststore</trust-store-file>
  <trust-store-password>{CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-truststore.password</trust-store-password>
  <config>
    <sign type="x509v3" alias="wsse" />
    <encrypt type="x509v3" alias="wsse" />
    <requires>
      <signature />
      <encryption />
    </requires>
  </config>
  <timestamp-verification createdTolerance="300" warnCreated="false"
                          expiresTolerance="300" warnExpires="false" />
</jboss-ws-security>

As you can see, the password is not stored as clear text, for enhanced security. It uses
FilePassword, which is a utility class provided by JBoss.
This security setting is published in the service wsdl file, and all of the above settings are
visible to the clients.
Segment of the published wsdl file:
<wsp:Policy wsu:Id="X509EndpointPolicy">
  <wsp:All>
    <sp:jboss-ws-security>
      <sp:key-store-file>/etc/security/wsse.keystore</sp:key-store-file>
      <sp:key-store-password>{CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-keystore.password</sp:key-store-password>
      <sp:trust-store-file>/etc/security/wsse.truststore</sp:trust-store-file>
      <sp:trust-store-password>{CLASS}org.jboss.security.plugins.FilePassword:/etc/security/wsse-truststore.password</sp:trust-store-password>
      <sp:config>
        <sp:sign alias="wsse" type="x509v3"/>
        <sp:encrypt alias="wsse" type="x509v3"/>
        <sp:requires>
          <sp:signature/>
          <sp:encryption/>
        </sp:requires>
      </sp:config>
      <sp:timestamp-verification createdTolerance="300" expiresTolerance="300"
                                 warnCreated="false" warnExpires="false"/>
    </sp:jboss-ws-security>
  </wsp:All>
</wsp:Policy>

At the client side, we set the wsse system properties like this:
System.setProperty("org.jboss.ws.wsse.keyStore", "c:/wsse/wsse.keystore");
System.setProperty("org.jboss.ws.wsse.keyStorePassword",
    "{CLASS}org.jboss.security.plugins.FilePassword:c:/wsse/wsse-keystore.password");
System.setProperty("org.jboss.ws.wsse.keyStoreType", "jks");
System.setProperty("org.jboss.ws.wsse.trustStore", "c:/wsse/wsse.truststore");
System.setProperty("org.jboss.ws.wsse.trustStorePassword",
    "{CLASS}org.jboss.security.plugins.FilePassword:c:/wsse/wsse-truststore.password");
System.setProperty("org.jboss.ws.wsse.trustStoreType", "jks");

What happened was that the client-side system properties are only partially used. It picked up the
store locations; however, it uses the server-side store password settings obtained from the
wsdl. In other words, it tries to look up the password files at
/etc/security/wsse-keystore.password and /etc/security/wsse-truststore.password instead
of in the local c:/wsse folder.
When I trace into the code, it looks like the class
WSSecurityHandler.handleOutboundSecurity() uses the msgContext to create a
WSSecurityConfiguration object. This object has the server security settings published in
the wsdl. The local settings (from the system property) are not used unless the setting is
not set by the server wsdl.
In my specific case, because the server uses the <key-store-file> and
<trust-store-file> tags, it sets the keyStoreFile and trustStoreFile properties of
the configuration object and leaves the keyStoreUrl and trustStoreUrl properties of the
configuration object null. Later on, it tries to use the configuration object's
keyStoreUrl and trustStoreUrl properties, which are null, so it thinks they are not set by
the server and then looks up the keystore file locations from the local system
properties.
But for the keyStorePassword and trustStorePassword properties of the configuration
object, since they are not null (set to the server settings from the wsdl), it completely
ignores the local system property settings and uses those values from the server at the client
side. Because the password files are stored in different folders at the client side, it
errors out with a FileNotFoundException.
Part of the above-mentioned logic is in the SecurityStore class.
I think this is a serious bug, as one cannot dictate that the client must store the key
store files and password files in the same folder as the server. At the client side, it
needs to pick up the security settings from the system properties instead of looking them
up from the wsdl first.
If someone from the JBoss team can validate what I described, can we open an issue ticket for
this?
Thanks!
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4178669#...
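As an added illustration (constructed here, not JBossWS code and not from the post), the model below reproduces the precedence the post describes using the post's own paths: the class, field and method names are hypothetical stand-ins for the WSSecurityConfiguration fields mentioned, and the second resolver shows the client-first rule the post argues for.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Constructed illustration, not JBossWS code: models the client-side precedence the post describes. */
public class WsseClientPrecedence {
    /** Hypothetical stand-in for the WSSecurityConfiguration fields named in the post. */
    static final class ServerPolicy {
        String keyStoreFile;      // filled from <key-store-file> in the published WSDL
        String keyStoreUrl;       // left null because the server used <key-store-file>
        String keyStorePassword;  // filled from <key-store-password> in the published WSDL
    }
    /** Observed behaviour: keyStoreUrl is null, so the store location falls back to the
     *  system property, but the non-null password string is taken straight from the WSDL. */
    static Map<String, String> resolveAsObserved(ServerPolicy p, Map<String, String> sysProps) {
        Map<String, String> r = new LinkedHashMap<>();
        r.put("keyStore", p.keyStoreUrl != null
                ? p.keyStoreUrl : sysProps.get("org.jboss.ws.wsse.keyStore"));
        r.put("keyStorePassword", p.keyStorePassword != null
                ? p.keyStorePassword : sysProps.get("org.jboss.ws.wsse.keyStorePassword"));
        return r;
    }
    /** Client-first precedence the post asks for: a local system property always wins,
     *  and a WSDL value (url or file) is only a fallback when nothing is set locally. */
    static Map<String, String> resolveClientFirst(ServerPolicy p, Map<String, String> sysProps) {
        Map<String, String> r = new LinkedHashMap<>();
        r.put("keyStore", firstNonNull(sysProps.get("org.jboss.ws.wsse.keyStore"),
                p.keyStoreUrl, p.keyStoreFile));
        r.put("keyStorePassword", firstNonNull(
                sysProps.get("org.jboss.ws.wsse.keyStorePassword"), p.keyStorePassword));
        return r;
    }
    static String firstNonNull(String... values) {
        for (String v : values) if (v != null) return v;
        return null;
    }
    public static void main(String[] args) {
        ServerPolicy wsdl = new ServerPolicy();             // values published by the server
        wsdl.keyStoreFile = "/etc/security/wsse.keystore";
        wsdl.keyStorePassword = "{CLASS}org.jboss.security.plugins.FilePassword:"
                + "/etc/security/wsse-keystore.password";
        Map<String, String> local = new LinkedHashMap<>();  // the client's system properties
        local.put("org.jboss.ws.wsse.keyStore", "c:/wsse/wsse.keystore");
        local.put("org.jboss.ws.wsse.keyStorePassword",
                "{CLASS}org.jboss.security.plugins.FilePassword:c:/wsse/wsse-keystore.password");
        // Observed: store from c:/wsse but password file from /etc/security -> FileNotFoundException
        System.out.println("observed:     " + resolveAsObserved(wsdl, local));
        System.out.println("client-first: " + resolveClientFirst(wsdl, local));
    }
}
```

The observed resolver mixes a local keystore path with a server-side password file reference, which is exactly the mismatch that produces the FileNotFoundException described in the post.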