[jbossws-issues] [JBoss JIRA] Created: (JBWS-2833) WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"

Morten Andersen (JIRA) jira-events at lists.jboss.org
Tue Nov 17 05:35:29 EST 2009 

WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"
---------------------------------------------------------------------------------------------------------------

                 Key: JBWS-2833
                 URL: https://jira.jboss.org/jira/browse/JBWS-2833
             Project: JBoss Web Services
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: ws-security
    Affects Versions:  jbossws-native-3.1.2
         Environment: jboss-5.1.0.GA (i.e. JBoss Web Services version 3.1.2.GA)
java 1.6

            Reporter: Morten Andersen


When exposing a webservice using the "@WebServiceProvider" annotation, and protecting it with WSSE username token the WebServiceContext#userPrincipal is not set.

The WEB-INF/jboss-wsse-server.xml is configured as described here:
	http://www.jboss.org/community/wiki/JBossWS-WS-Securityoptions#POJO_Endpoint__Authentication_and_Authorization

Although this does not really seem to be enough, as it is also required to have META-INF/standard-jaxws-endpoint-config.xml file with only the "Standard WSSecurity Endpoint" on the server to actually enforce the authentication of the username token.

Attached:
	* wstest.war: example war - exposing one webservice (compiled from the content of server.zip)
	* server.zip: source for the wstest.war
	* client.zip: simple client for the server, sending a username token.

Reproducing the problem:
	1) deploy wstest.war to a jboss 5.1.0
	2) open the run.sh in the client.zip, and set the JBOSS_5 to fit your installation. It the server is not listening on 8080, modify the url in the client source (WsExampleClient.java).
	3) compile and run the client, by running ./run.sh
	4) inspect the server log. If this says: "[INFO] Principal = null" we have the problem (expected principal = admin)

Server code:
	* service: server.zip:src/main/java/org/example/WsExample.java
	* wsdl: server.zip:src/main/webapp/WEB-INF/wsdl
	* wsse-config: server.zip:src/main/webapp/WEB-INF/jboss-wsse-server.xml
	* wsse-config2: server.zip:src/main/webapp/META-INF/standard-jaxws-endpoint-config.xml

It seems that "wsse-config2" is required. If this is not present, it is possible for the client to send any client credentials it want (or leave them out) and it will still get admission to the service.

Other areas where this has been discussed:
 * http://www.jboss.org/index.html?module=bb&op=viewtopic&t=127582&postdays=0&postorder=asc&start=20
 * http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075 (in relation to the same problem in the JBoss STS)


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jbossws-issues mailing list