[jboss-user] [JBossWS] - Re: Implementing WS-Security Username Token Profile Authentic

jayblanc54 do-not-reply at jboss.com
Thu May 14 10:14:43 EDT 2009


Hi, 

I've tested the authentication using Digest Password:

1. JBoss AS 5.0.1.GA
2. JBOSS WS native 3.0.5.GA
3. WebService is implemented using an EJB3 Endpoint.
4. Client is generated using standard JAXWS (with maven) but executed using jbossws-native-client
5. JDK 6 (using -Djava.endorsed.dirs=${jboss.home}/lib/endorsed during client execution)
6. Username Token is configured to produce a PasswordDigest and not a clear password.

Everything works fine using the jbossws-native-client.

Two problems also appear:

1. If I'm using SOAPUI to generate a SOAP call, on the server side the password does not match. (If I'm using a configuration with no digest, the SOAPUI call works fine.) I assume there is a difference between the SOAPUI-generated digest and the JBoss-generated digest, but what is this difference?

2. The way to put the username and password on the client side is:

  | import java.util.Map;
  | import javax.xml.ws.BindingProvider;
  | import org.jboss.ws.core.StubExt;
  | 
  | AuthenticationService_Service service = new AuthenticationService_Service();
  | AuthenticationService port = service.getAuthenticationService();
  | 
  | // JBossWS-native specific: select the client-side WS-Security configuration
  | ((StubExt) port).setConfigName("Standard WSSecurity Client");
  | 
  | // Credentials the WSSecurityHandlerClient reads to build the UsernameToken
  | Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
  | reqContext.put(BindingProvider.USERNAME_PROPERTY, "kermit");
  | reqContext.put(BindingProvider.PASSWORD_PROPERTY, "thefrog");
  | 
  | String connectedUser = port.getConnectedUserIdentifier();
  | logger.info("Connected user : " + connectedUser);
  | assertTrue(connectedUser.equals("kermit"));

Then the WSSecurityHandlerClient takes this HTTP header information to generate the correct wsse SOAP header assertion, calculating a password digest of the clear password provided. The problem is that the HTTP header information is not removed and is clearly visible in the HTTP header... So the password is properly encoded as a digest in the SOAP header but not in the HTTP header. Is this an issue, or is there another way to give username/password information to the WSSecurityHandlerClient?

3. Is there some code sample that shows how to use SAML instead of a Username Token?

If you capture frames using Wireshar

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4231089#4231089

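The first question in the post (why a PasswordDigest produced by one client fails verification on a server that accepts another client's) comes down to how the digest is defined. The WSS UsernameToken Profile 1.0 specifies Password_Digest = Base64(SHA-1(nonce + created + password)), where nonce is the raw octets (the Base64-decoded text of wsse:Nonce), and created and password are the exact UTF-8 strings transmitted in the token. The example below is added here and is not code from the post or from JBossWS: it builds a digest UsernameToken the way a client would, verifies it the way a server must (recompute from the transmitted Nonce and Created, compare in constant time, reject stale timestamps), and shows a deliberately wrong variant that hashes the Base64 text of the nonce instead of its bytes, which is one way two implementations can disagree on the same credentials. The nonce, timestamps and user table are constructed sample data; the kermit/thefrog credentials are the ones quoted in the post.

```python
"""WS-Security UsernameToken PasswordDigest: build and verify (WSS UsernameToken Profile 1.0).

Added example, not code from the post or from JBossWS. The nonce, timestamps and
user table below are constructed test data."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

# Constructed sample data (not captured from any real exchange).
SAMPLE_NONCE = bytes(range(16))
SAMPLE_CREATED = "2009-05-14T14:14:43.000Z"
SAMPLE_NOW = datetime(2009, 5, 14, 14, 15, tzinfo=timezone.utc)
SAMPLE_USERS = {"kermit": "thefrog", "piggy": "swine"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).

    nonce is the raw octets, i.e. the Base64-decoded text of wsse:Nonce;
    created and password enter as the UTF-8 bytes of the strings as transmitted."""
    sha = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(sha.digest()).decode("ascii")


def digest_over_encoded_nonce(nonce: bytes, created: str, password: str) -> str:
    """Deliberately wrong variant: hashes the Base64 text of the nonce, not its bytes.
    Same inputs, different digest, so a server recomputing per the spec rejects it."""
    sha = hashlib.sha1(base64.b64encode(nonce) + created.encode() + password.encode())
    return base64.b64encode(sha.digest()).decode("ascii")


def build_username_token(username: str, password: str, nonce: bytes, created: str) -> str:
    """Client side: serialise a wsse:UsernameToken carrying a PasswordDigest."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def _parse_created(created: str) -> datetime:
    # wsu:Created is an xsd:dateTime in UTC, with or without fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported wsu:Created format: " + created)


def verify_username_token(token_xml: str, lookup_password, now: datetime,
                          max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Server side: recompute the digest from the transmitted Nonce and Created and
    compare in constant time. Tokens whose Created lies outside the freshness window
    are rejected; a real deployment also caches seen nonces to stop replay."""
    root = ET.fromstring(token_xml)
    username = root.findtext(f"{{{WSSE}}}Username")
    pw_el = root.find(f"{{{WSSE}}}Password")
    nonce_text = root.findtext(f"{{{WSSE}}}Nonce")
    created = root.findtext(f"{{{WSU}}}Created")
    if username is None or pw_el is None or nonce_text is None or created is None:
        return False
    if pw_el.get("Type") != PASSWORD_DIGEST:
        return False  # this checker accepts digest tokens only
    try:
        if abs(now - _parse_created(created)) > max_skew:
            return False
        nonce = base64.b64decode(nonce_text, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = password_digest(nonce, created, password)
    return hmac.compare_digest(expected, pw_el.text or "")


def run_checks() -> dict:
    """Exercise the happy path and the failure modes; returns the results by name."""
    token = build_username_token("kermit", "thefrog", SAMPLE_NONCE, SAMPLE_CREATED)
    lookup = SAMPLE_USERS.get
    tampered = token.replace("<wsse:Username>kermit", "<wsse:Username>piggy")
    return {
        "valid": verify_username_token(token, lookup, SAMPLE_NOW),
        "wrong_password": verify_username_token(token, {"kermit": "other"}.get, SAMPLE_NOW),
        "stale": verify_username_token(token, lookup, SAMPLE_NOW + timedelta(hours=1)),
        "tampered_username": verify_username_token(tampered, lookup, SAMPLE_NOW),
        "encoded_nonce_differs": password_digest(SAMPLE_NONCE, SAMPLE_CREATED, "thefrog")
        != digest_over_encoded_nonce(SAMPLE_NONCE, SAMPLE_CREATED, "thefrog"),
    }


if __name__ == "__main__":
    print(build_username_token("kermit", "thefrog", SAMPLE_NONCE, SAMPLE_CREATED))
    print(run_checks())
```

To diagnose a mismatch like the one described, take the Nonce, Created and PasswordDigest values from a captured token of each client and feed them to `password_digest` with the known password: the client whose digest does not reproduce is the one deviating from the profile (nonce encoding, a Created string that differs from what was sent, or a character set other than UTF-8 are the usual suspects).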


