[jboss-user] [JBoss Web Services] - Re: Where is jboss-ws-security_1_0.xsd

Alessio Soldano do-not-reply at jboss.com
Mon Dec 5 16:38:03 EST 2011


Alessio Soldano [http://community.jboss.org/people/asoldano] created the discussion

"Re: Where is jboss-ws-security_1_0.xsd"

To view the discussion, visit: http://community.jboss.org/message/639916#639916

--------------------------------------------------------------
Hi Steve,
> I have three basic test cases:
> 1) request has WS-Security header with a valid username/password
> 2) request has WS-Security header with an invalid username/password
> 3) request has no WS-Security header.
> 
> I expect the following results in these cases:
> 1) request is processed, non-error response
> 2) request is disallowed ("Invalid User".)
> 3) request is disallowed ("This service requires <wsse:Security>, which is missing").
> 
> However, the above test suite only passes with a file jboss-wsse-server.xml like that in the sample (note that I have commented out the schema stuff so it won't fail validation in Eclipse).
> 
> > <?xml version="1.0" encoding="UTF-8"?>
> > 
> > <jboss-ws-security> 
> > <!--  xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
> > <config> 
> > <requires>
> >       <username/>
> > </requires>
> > </config>
> > 
> > </jboss-ws-security>
> 
> With this config (as implied by your comment):
> 
> > <?xml version="1.0" encoding="UTF-8"?>
> > 
> > <jboss-ws-security> 
> > <!--  xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
> > <config> 
> > <!-- <requires> -->
> > <!--       <username/> -->
> > <!-- </requires> -->
> > </config>
> > </jboss-ws-security>
> then the first two test cases pass but the third one does not, that is, requests without the WS-Security header are allowed. Thus it seems that the <username> element IS required on the server side to perform security checks correctly.
This is likely a consequence of the check that's in the WSSecurityDispatcher::decodeMessage() method on the existence of requirements in the current ws-security configuration.
Can you try adding an empty <requires/> element to the server configuration? That should probably be a valid solution here.
This said, the problem here is not in being sure you get the message regarding no wsse setup in case 3 above, while instead being sure the invocation does not succeed due to missing authentication/authorization reasons. How is your endpoint? EJB3 or POJO? There are some additional authentication/authorization options (JAAS integration) explained at http://community.jboss.org/docs/DOC-13538 (http://community.jboss.org/wiki/JBossWS-WS-SecurityOptions)
--------------------------------------------------------------
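The exchange above hinges on one behaviour: a request with no `<wsse:Security>` header is only rejected when the server-side configuration states requirements, so a `<config>` with the `<requires>` block commented out fails open. The following is an added example, not JBossWS code and not from either poster. It models that check so Steve's three test cases can be run against each of the three configurations discussed (no `<requires>`, Alessio's suggested empty `<requires/>`, and the sample's `<requires><username/></requires>`). The names `config_has_requirements`, `dispatch` and `run_suite` are hypothetical, the credential store is constructed, and the assumption that an empty `<requires/>` counts as "requirements present" is Alessio's suggestion, not something the thread confirms.

```python
"""Model of the three WS-Security test cases from the thread.

Added example, not JBossWS code. config_has_requirements, dispatch and
run_suite are hypothetical names mimicking the behaviour attributed to
WSSecurityDispatcher.decodeMessage(): a request without <wsse:Security>
is rejected only when jboss-wsse-server.xml declares a <requires> element.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed credential store standing in for the server's login module.
VALID_USERS = {"steve": "secret"}

# Steve's second config: <requires> commented out, so no requirements at all.
CONFIG_NO_REQUIRES = """<jboss-ws-security>
  <config>
    <!-- <requires> -->
    <!--   <username/> -->
    <!-- </requires> -->
  </config>
</jboss-ws-security>"""

# Alessio's suggestion: an empty <requires/> (assumed to count as "requirements present").
CONFIG_EMPTY_REQUIRES = """<jboss-ws-security>
  <config>
    <requires/>
  </config>
</jboss-ws-security>"""

# The sample config that Steve reports as passing all three cases.
CONFIG_USERNAME_REQUIRED = """<jboss-ws-security>
  <config>
    <requires>
      <username/>
    </requires>
  </config>
</jboss-ws-security>"""


def config_has_requirements(config_xml):
    """True when <config> carries a <requires> element, with or without children."""
    root = ET.fromstring(config_xml)
    return root.find("./config/requires") is not None


def envelope(username=None, password=None):
    """Build a constructed SOAP 1.1 request; the wsse header is omitted when no username is given."""
    header = ""
    if username is not None:
        header = (f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
                  f'<wsse:Username>{username}</wsse:Username>'
                  f'<wsse:Password>{password}</wsse:Password>'
                  f'</wsse:UsernameToken></wsse:Security>')
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
            f'<soapenv:Header>{header}</soapenv:Header>'
            f'<soapenv:Body><echo>hello</echo></soapenv:Body></soapenv:Envelope>')


def extract_username_token(envelope_xml):
    """Return (username, password) from the header, or None when wsse:Security is absent."""
    root = ET.fromstring(envelope_xml)
    security = root.find(f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if security is None:
        return None
    user = security.find(f".//{{{WSSE_NS}}}Username")
    pw = security.find(f".//{{{WSSE_NS}}}Password")
    return ((user.text or "") if user is not None else "",
            (pw.text or "") if pw is not None else "")


def dispatch(config_xml, envelope_xml):
    """Return 'processed' or the fault text quoted in the thread."""
    token = extract_username_token(envelope_xml)
    if token is None:
        # The check Alessio points at: a missing header is a fault only when the
        # configuration states requirements; otherwise the request falls through.
        if config_has_requirements(config_xml):
            return "This service requires <wsse:Security>, which is missing"
        return "processed"
    username, password = token
    if VALID_USERS.get(username) != password:
        return "Invalid User"
    return "processed"


def run_suite(config_xml):
    """Run Steve's three cases (valid, invalid, missing header) against one configuration."""
    return {
        "valid": dispatch(config_xml, envelope("steve", "secret")),
        "invalid": dispatch(config_xml, envelope("steve", "wrong")),
        "missing": dispatch(config_xml, envelope()),
    }
```

Running `run_suite` over the three constants reproduces the thread: only `CONFIG_NO_REQUIRES` returns `"processed"` for the header-less request, which is the fail-open result Steve observed; the other two reject it with the missing-header fault while still accepting the valid credentials and refusing the invalid ones. Which of the three configurations a real JBossWS deployment treats as "requirements present" should be confirmed against the server itself rather than against this model.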
