Much obliged for any help I can get on this one. I feel like I must be missing something stupid:
I have an Axis2 (1.5.1) web service being invoked by a WCF (.NET 3.5) client application.
The web service works fine without any authentication/inflow security configuration, but I have been asked to implement authentication using a security header.
I am using this kind of configuration in services.xml:
When the WCF client calls the service, the security header is like this:
Which looks fine to me (what do I know?), but Axis2/Rampart fails to authenticate the request:
org.apache.axis2.engine.AxisEngine receive WSDoAllReceiver: security processing failed
org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed
    at org.apache.rampart.handler.WSDoAllReceiver.processBasic(WSDoAllReceiver.java:214)
    at org.apache.rampart.handler.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:86)
    at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:72)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
    ...
Caused by: org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:139)
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
    at org.apache.rampart.handler.WSDoAllReceiver.processBasic(WSDoAllReceiver.java:211)
    ... 30 more
I have a log message in my callback handler's static initializer that tells me that the class was loaded, but the handle method is never called.
This is the code I believe maps to my implementation of UsernameTokenProcessor:
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.ws.security/wss4j/1.5.4/org/apache/ws/security/processor/UsernameTokenProcessor.java
There, I found that this exception is coming up here:
But, as you can see above, WSConstants.PASSWORD_TEXT matches what I am getting in the request (it is "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText") so I am at a loss for why this might be happening.
Thanks for any insights you can provide.
Guy.