[jboss-jira] [JBoss JIRA] (AS7-5827) WS-SecurityPolicy AS 7.1.1

Alessio Soldano (JIRA) jira-events at lists.jboss.org
Wed Oct 24 11:34:07 EDT 2012


     [ https://issues.jboss.org/browse/AS7-5827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alessio Soldano resolved AS7-5827.
----------------------------------

    Resolution: Rejected


Hi Harry,
I believe you're having issues here because you're adding the @Policy annotation on the ws endpoint impl, while that references a @WebService annotated service endpoint interface (SEI). In such a scenario, Apache CXF relies on @Policy annotations on the SEI, not on the impl class. So you either need to move the annotation to the SEI or avoid using the SEI if you don't really need it.

This said, I believe there's no bug here, hence I'm closing the jira as rejected. I've also added a sample to the jbossws-cxf testsuite covering a scenario like this.
                
> WS-SecurityPolicy AS 7.1.1
> --------------------------
>
>                 Key: AS7-5827
>                 URL: https://issues.jboss.org/browse/AS7-5827
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Web Services
>    Affects Versions: 7.1.1.Final
>         Environment: JBoss AS 7.1.1
>            Reporter: Harry Callahan
>            Assignee: Alessio Soldano
>
> It seems WS-SecurityPolicy does not work with JBoss 7.1.1 Full profile.
> WS client sends the message correctly with security header (see server log below) however server can not understand it.
> Do you have an idea what could be the problem? Is it a configuration issue or a bug?
> Server side said:
> WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-1) Interceptor for {http://org.xy.webservice}ServiceName#{http://org.xy.webservice}read has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
>  
> CLIENT SIDE
> Test client:
> ------------
>         URL wsdlURL = new URL("http://IP:PORT/context/ServiceName/ServiceNameWS?wsdl");
>         QName qname = new QName("http://org.xy.webservice", "ServiceName");
>         Service service = Service.create(wsdlURL, qname);
>         ServiceName port = (ServiceName) service.getPort(ServiceName.class);
>         Map<String, Object> ctx = ((BindingProvider)port).getRequestContext();
>         ctx.put(SecurityConstants.USERNAME, "USERNAME");
>         ctx.put(SecurityConstants.CALLBACK_HANDLER, com.demo.PasswordCallbackHandlerClient.class.getName());
>         ctx.put(SecurityConstants.ALWAYS_ENCRYPT_UT, true);
>         XYZ response = port.read("12345");
> CallbackHandlerClient:
> ----------------------
> public class PasswordCallbackHandlerClient implements CallbackHandler {
>     @Override
>     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>         for (int i=0; i< callbacks.length; i++) {
>             if (callbacks[i] instanceof WSPasswordCallback) {
>                 WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
>                 pc.setPassword("xy");
>             }
>         }
>     }
> }
>
> SERVER SIDE
>  
> MANIFEST.MF:
> ------------
> Manifest-Version: 1.0
> Ant-Version: Apache Ant 1.7.1
> Created-By: 17.0-b16 (Sun Microsystems Inc.)
> Dependencies: org.apache.cxf, com.sun.xml.bind, org.apache.ws.security
> Service interface on server side:
> -----------------------
> @Local
> @WebService(name="ServiceName", targetNamespace="http://org.xy.webservice")
> public interface ServiceName {
> Service implementation on server side:
> -----------------------
> @Stateless
> @WebService(portName = "ServiceNamePort", name = "ServiceNameWS", serviceName = "ServiceName", targetNamespace = "http://org.xy.webservice", endpointInterface = "ServiceName")
> @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = Use.LITERAL)
> @EndpointProperties(value = {
> @EndpointProperty(key = "ws-security.callback-handler ", value = "org.xy.PasswordCallbackHandlerServer"),
> @EndpointProperty(key = "ws-security.validate.token", value = "false")})
> @InInterceptors(interceptors = { "org.apache.cxf.interceptor.LoggingInInterceptor",
>         "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"
> })
> @OutInterceptors(interceptors = "org.apache.cxf.interceptor.LoggingOutInterceptor")
> @Policies({ @Policy(uri = "SecurityPolicy.xml") })
> public class ServiceNameImpl implements ServiceName { 
> Method authorization definition is handled by @RolesAllowed(value = { "role1" })
>  
> jboss-web.xml:
> <?xml version="1.0"?>
> <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
> <jboss-web>
>           <security-domain>java:/jaas/wssecurity-domain</security-domain>
> </jboss-web>
>  
> SecurityPolicy.xml:
> -------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:ExactlyOne>
>                     <wsp:All>
>                               <sp:SupportingTokens>
>                                         <wsp:Policy>
>                                                   <sp:UsernameToken
>                                                             sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                                             <wsp:Policy>
>                                                                       <sp:HashPassword />
>                                                             </wsp:Policy>
>                                                   </sp:UsernameToken>
>                                         </wsp:Policy>
>                               </sp:SupportingTokens>
>                     </wsp:All>
>           </wsp:ExactlyOne>
> </wsp:Policy>
>  
> standalone.xml:
> ---------------
>                 <security-domain name="wssecurity-domain">
>                     <authentication>
>                         <login-module code="Database" flag="required">
>                             <module-option name="dsJndiName" value="java:/jboss/datasources/MainDS"/>
>                             <module-option name="principalsQuery" value="..."/>
>                             <module-option name="rolesQuery" value="..."/>
>                             <module-option name="hashAlgorithm" value="SHA"/>
>                             <module-option name="hashEncoding" value="BASE64"/>
>                             <module-option name="hashCharset" value="UTF-8"/>
>                             <module-option name="hashUserPassword" value="false"/>
>                             <module-option name="hashStorePassword" value="true"/>
>                             <module-option name="storeDigestCallback" value="org.jboss.wsf.stack.cxf.security.authentication.callback.UsernameTokenCallback"/>
>                             <module-option name="unauthenticatedIdentity" value="anonymous"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>
>  
> Log from server side:
>  
> Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1"><wsse:Username>USERNAME</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">kmmJ3YGRbC+7WH3qfEWy8+n83Sk=</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">7MWXmcGoJ5uMmukJ13cggA==</wsse:Nonce><wsu:Created>2012-10-17T09:38:25.036Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns2:read xmlns:ns2="http://org.xy.webservice"><arg0>12345</arg0></ns2:read></soap:Body></soap:Envelope>
> --------------------------------------
> 11:38:25,088 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-1) Interceptor for {http://org.xy.webservice}ServiceName#{http://org.xy.webservice}read has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
>           at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6]
>           at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6]
>           at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49) [cxf-rt-bindings-soap-2.4.6.jar:2.4.6]
>           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) [cxf-api-2.4.6.jar:2.4.6]
>           at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-rt-core-2.4.6.jar:2.4.6]
>           at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207) [cxf-rt-transports-http-2.4.6.jar:2.4.6]
>           at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
>           at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
>           at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
>           at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185) [cxf-rt-transports-http-2.4.6.jar:2.4.6]
>           at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108) [cxf-rt-transports-http-2.4.6.jar:2.4.6]
>           at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
>           at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
>           at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]
>           at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
>           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
>           at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
>           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
>           at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
>           at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
>           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
>           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
>           at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_07]
>     
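
The placement rule from the reply above, turned into a reflection check that can run in a build or deployment test (an added example, not code from the issue or from the jbossws-cxf testsuite). The nested `WebService` and `Policy` annotations and the two sample classes are constructed stand-ins; matching annotations by simple name is an assumption that lets the real `javax.jws.WebService` and `org.apache.cxf.annotations.Policy`/`Policies` match as well.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class PolicyPlacementCheck {
    // Stand-ins so the example compiles without CXF/JAX-WS on the classpath.
    @Retention(RetentionPolicy.RUNTIME)
    public @interface WebService { String endpointInterface() default ""; }
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Policy { String uri(); }

    // Constructed sample mirroring the report: policy on the impl, none on the SEI.
    @WebService
    public interface ServiceName { String read(String id); }

    @WebService(endpointInterface = "PolicyPlacementCheck$ServiceName")
    @Policy(uri = "SecurityPolicy.xml")
    public static class ServiceNameImpl implements ServiceName {
        public String read(String id) { return id; }
    }

    // First annotation on c whose simple name is one of the given names, else null.
    static Annotation find(Class<?> c, String... simpleNames) {
        for (Annotation a : c.getAnnotations())
            for (String n : simpleNames)
                if (a.annotationType().getSimpleName().equals(n)) return a;
        return null;
    }

    /** Returns a finding, or null when the policy placement is consistent. */
    static String check(Class<?> impl) throws Exception {
        Annotation ws = find(impl, "WebService");
        if (ws == null || find(impl, "Policy", "Policies") == null) return null;
        Method m = ws.annotationType().getMethod("endpointInterface");
        String seiName = (String) m.invoke(ws);
        if (seiName.isEmpty()) return null; // no SEI referenced: nothing to compare
        Class<?> sei = Class.forName(seiName, false, impl.getClassLoader());
        if (find(sei, "Policy", "Policies") != null) return null;
        return impl.getName() + ": @Policy is on the impl, but endpointInterface="
             + seiName + " carries none; move the annotation to the SEI";
    }

    public static void main(String[] args) throws Exception {
        // Scan the constructed sample; a real build would pass each endpoint class.
        System.out.println(check(ServiceNameImpl.class));
    }
}
```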
