[jboss-user] [JBoss Web Services] - Re: Where is jboss-ws-security_1_0.xsd
Alessio Soldano
do-not-reply at jboss.com
Mon Dec 5 16:38:03 EST 2011
Alessio Soldano [http://community.jboss.org/people/asoldano] created the discussion
"Re: Where is jboss-ws-security_1_0.xsd"
To view the discussion, visit: http://community.jboss.org/message/639916#639916
--------------------------------------------------------------
Hi Steve,
> I have three basic test cases:
> 1) request has WS-Security header with a valid username/password
> 2) request has WS-Security header with an invalid username/password
> 3) request has no WS-Security header.
>
> I expect the following results in these cases:
> 1) request is processed, non-error response
> 2) request is disallowed ("Invalid User".)
> 3) request is disallowed ("This service requires <wsse:Security>, which is missing").
>
> However, the above test suite only passes with a file jboss-wsse-server.xml like that in the sample (note that I have commented out the schema stuff so it won't fail validation in Eclipse).
>
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <jboss-ws-security>
> > <!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >      xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" -->
> >   <config>
> >     <requires>
> >       <username/>
> >     </requires>
> >   </config>
> >
> > </jboss-ws-security>
>
> With this config (as implied by your comment):
>
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <jboss-ws-security>
> > <!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >      xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd" -->
> >   <config>
> >     <!-- <requires> -->
> >     <!--   <username/> -->
> >     <!-- </requires> -->
> >   </config>
> > </jboss-ws-security>
> then the first two test cases pass but the third one does not, that is, requests without the WS-Security header are allowed. Thus it seems that the <username> element IS required on the server side to perform security checks correctly.
This is likely a consequence of the check that's in the WSSecurityDispatcher::decodeMessage() method on the existence of requirements in the current ws-security configuration.
Can you try adding an empty <requires/> element to the server configuration? That should probably be a valid solution here.
This said, the problem here is not in being sure you get the message regarding no wsse setup in case 3 above, while instead being sure the invocation does not succeed due to missing authentication/authorization reasons. How is your endpoint? EJB3 or POJO? There are some additional authentication/authorization options (jaas integration) explained at http://community.jboss.org/docs/DOC-13538 http://community.jboss.org/wiki/JBossWS-WS-SecurityOptions
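The fail-open behaviour discussed above (the missing-header check only running when the configuration declares requirements) is easy to reproduce in a small model. The following Python is an added example, not code from this thread or from JBossWS: it parses the three server configurations Steve and Alessio mention (`<username/>` required, `<requires>` commented out, and an empty `<requires/>`), runs Steve's three request shapes through a simplified decode step, and also shows a fail-closed variant. The SOAP 1.1 and WSSE namespaces are the standard ones; the credential store, the request envelopes and the exact gating logic inside `decode_message` are constructed assumptions for illustration, not JBossWS's actual implementation.

```python
"""Model of a server-side WS-Security 'requires' check on inbound SOAP.

Added example (not JBossWS code). It reproduces the observation from the
thread: with no <requires> element configured, a request lacking a
<wsse:Security> header is accepted; with <requires> present (even empty)
it is rejected. fail_closed=True shows the defensive alternative.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

MISSING_HEADER = "This service requires <wsse:Security>, which is missing"
INVALID_USER = "Invalid User"

# Constructed credential store for the example only; a real deployment
# delegates to the container (e.g. the JAAS options linked in the thread).
USERS = {"steve": "s3cret"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First child of elem whose local name is `name`, or None."""
    if elem is None:
        return None
    for c in elem:
        if _local(c.tag) == name:
            return c
    return None


def parse_requirements(config_xml):
    """Read a jboss-wsse-server.xml and return the set of required token
    names, or None when <config> has no <requires> element at all.
    An empty <requires/> yields an empty set, which is distinct from None."""
    root = ET.fromstring(config_xml)
    requires = _child(_child(root, "config"), "requires")
    if requires is None:
        return None
    return {_local(c.tag) for c in requires}


def decode_message(envelope_xml, requirements, fail_closed=False):
    """Simplified (assumed) decode step. Returns (accepted, reason).

    With fail_closed=False the presence check for <wsse:Security> only runs
    when requirements were configured, reproducing the fail-open behaviour
    from the thread; fail_closed=True always demands the header."""
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP_NS}}}Header")
    security = header.find(f"{{{WSSE_NS}}}Security") if header is not None else None
    if security is None:
        if requirements is None and not fail_closed:
            # No <requires> configured: header absence is never noticed.
            return True, "no ws-security requirements configured; header not checked"
        return False, MISSING_HEADER
    token = security.find(f"{{{WSSE_NS}}}UsernameToken")
    if "username" in (requirements or ()) and token is None:
        return False, "UsernameToken required but not present"
    if token is not None:
        user = token.find(f"{{{WSSE_NS}}}Username")
        pw = token.find(f"{{{WSSE_NS}}}Password")
        if user is None or pw is None or USERS.get(user.text) != pw.text:
            return False, INVALID_USER
    return True, "accepted"


def envelope(security_header=""):
    """Constructed SOAP 1.1 request; security_header is inserted verbatim."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
            f'<soapenv:Header>{security_header}</soapenv:Header>'
            f'<soapenv:Body><echo>hi</echo></soapenv:Body></soapenv:Envelope>')


def username_token(user, password):
    """Constructed plaintext UsernameToken header block."""
    return (f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password>{password}</wsse:Password>'
            f'</wsse:UsernameToken></wsse:Security>')


# The three request shapes from Steve's test suite (constructed inputs).
REQUESTS = {
    "valid": envelope(username_token("steve", "s3cret")),
    "invalid": envelope(username_token("steve", "wrong")),
    "no_header": envelope(),
}

# Server configs: <username/> required, <requires> commented out, and the
# empty <requires/> Alessio suggests trying.
CONFIG_WITH_USERNAME = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config><requires><username/></requires></config>
</jboss-ws-security>"""
CONFIG_NO_REQUIRES = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config><!-- <requires><username/></requires> --></config>
</jboss-ws-security>"""
CONFIG_EMPTY_REQUIRES = """<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">
  <config><requires/></config>
</jboss-ws-security>"""


def run_suite(config_xml, fail_closed=False):
    """Map each test request name to whether it was accepted."""
    reqs = parse_requirements(config_xml)
    return {name: decode_message(xml, reqs, fail_closed)[0]
            for name, xml in REQUESTS.items()}


if __name__ == "__main__":
    for label, cfg in [("username", CONFIG_WITH_USERNAME),
                       ("no requires", CONFIG_NO_REQUIRES),
                       ("empty requires", CONFIG_EMPTY_REQUIRES)]:
        print(f"{label:15} {run_suite(cfg)}")
    print(f"{'fail-closed':15} {run_suite(CONFIG_NO_REQUIRES, fail_closed=True)}")
```

Running the script shows the third request accepted only under the "no requires" configuration, which is exactly the gap Steve's test suite caught; both the empty `<requires/>` and the fail-closed variant reject it. The general lesson for reviewing this kind of handler is that any enforcement gated on "is a policy configured?" should be checked with a deliberately empty configuration, because the absence of policy silently becomes the absence of a check.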
--------------------------------------------------------------