
WebService Security authentication problem

 
sreedhar sri
Greenhorn
Posts: 9
Hi,

We have got a webservice with the following security policy from the client.

<wsp:Policy orawsp:provides="{http://docs.oasis-open.org/ns/opencsa/sca/200903}authentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication.message, {http://schemas.oracle.com/ws/2006/01/policy}token.usernamePassword"
    wsu:Id="wss_username_token_service_policy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>

We generated client classes using the Java JAX-WS tool from the WSDL (used the wsimport command). After that we used the SecurityHandler class (attached the file), which incorporates the security information in the handleMessage() method.

This is the standalone Test class (contains binding information and calls the webservice method).

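import java.util.ArrayList;
import java.util.List;

import javax.xml.ws.Binding;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.Handler;

public class SellerServiceTest {
    public static void main(String args[]) throws Exception {
        // Service and Port are the wsimport-generated classes; userName, passWord
        // and saleRequestType are set up elsewhere (not shown in the post).
        Service service = new Service();
        Port port = service.getPort();

        // Attach the SecurityHandler to the port's handler chain before the call.
        final Binding binding = ((BindingProvider) port).getBinding();
        List<Handler> handlerList = binding.getHandlerChain();
        if (handlerList == null)
            handlerList = new ArrayList<Handler>();
        handlerList.add(new SecurityHandler(userName, passWord));
        binding.setHandlerChain(handlerList);

        SaleResponseType saleResponseType = port.sale(saleRequestType);
    }
}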

The following class is the SecurityHandler code.

import java.util.Set;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class SecurityHandler implements SOAPHandler<SOAPMessageContext> {

    private String user;
    private String password;

    public SecurityHandler(String user, String password) {
        this.setUser(user);
        this.setPassword(password);
    }

    @Override
    public boolean handleMessage(final SOAPMessageContext msgCtx) {

        // Message direction indicator
        final Boolean outInd = (Boolean) msgCtx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

        // Add the security header to outbound messages only
        if (outInd.booleanValue()) {
            try {
                // SOAP envelope
                final SOAPEnvelope envelope = msgCtx.getMessage().getSOAPPart().getEnvelope();

                // SOAP header, may not have been created yet
                SOAPHeader header = envelope.getHeader();
                if (header == null)
                    header = envelope.addHeader();

                // Add the wsse Security element
                final SOAPElement security = header.addChildElement("Security", "wsse",
                        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                final SOAPElement userToken = security.addChildElement("UsernameToken", "wsse");
                userToken.addChildElement("Username", "wsse").addTextNode(getUser());
                userToken.addChildElement("Password", "wsse").addTextNode(getPassword());

            } catch (final Exception e) {
                e.printStackTrace();
                return false;
            }
        }
        return true;
    }

    @Override
    public void close(MessageContext arg0) {
        // TODO Auto-generated method stub
    }

    @Override
    public boolean handleFault(SOAPMessageContext arg0) {
        // TODO Auto-generated method stub
        return false;
    }

    @Override
    public Set<QName> getHeaders() {
        // TODO Auto-generated method stub
        return null;
    }

    public String getUser() {
        return user;
    }

    public void setUser(String user) {
        this.user = user;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}



When I called the web service method from a standalone client class, security authentication is done and I got the webservice response.
But when accessing the webservice from the application deployed on JBoss 7.1.0, the SecurityHandler's handleMessage() method is not invoked; due to this I am getting the exception:

org.apache.cxf.ws.policy.PolicyException: No username available
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.policyNotAsserted(UsernameTokenInterceptor.java:398)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.addUsernameToken(UsernameTokenInterceptor.java:341)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.addUsernameToken(UsernameTokenInterceptor.java:267)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:112)
at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:76)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
00:05:21,350 ERROR [stderr] (http--192.168.172.142-8080-1) Caused by: org.apache.cxf.ws.policy.PolicyException: No username available


Please let me know where the issue is.


Thanks in advance,
Sridhar
 
Ulf Dittmer
Rancher
Posts: 42968
Does the setUser method ever get called in that scenario? If so, is its parameter correct?
 
sreedhar sri
Greenhorn
Posts: 9
Yes, the passed parameters are correct. From the standalone Java class the service method is invoked and authentication is done. The problem is that when calling this webservice method from the web application (deployed in the JBoss server), the handleMessage() method is not invoked in the SecurityHandler.

Please let me know if anything is wrong.
 
Ulf Dittmer
Rancher
Posts: 42968
"Yes the passed parameters are correct."

Sorry to be pedantic, but I can't tell from your reply whether you have made sure that the setUser method is called with the correct value for the user? How have you made sure of that?
 
sreedhar sri
Greenhorn
Posts: 9
Yes, the setUser method is called with the correct value for the user. I put a log message in the setter method; it is invoked and sets the correct user value. The constructor is invoked in the SecurityHandler class. But handleMessage() is not invoked. What is the problem?
 
Meghana Reddy
Ranch Hand
Posts: 76
How are you invoking the setUser() method? Meaning, at what point in your flow are you instantiating the handler and invoking the setUser() method?

Because, in a typical scenario, a handler will not have any setter methods; the framework is supposed to invoke those specific methods.

Try hard coding the user value and see what happens.

 
sreedhar sri
Greenhorn
Posts: 9
Hi,

I am invoking the SecurityHandler in the following way.

handlerList.add(new SecurityHandler(userName,passWord));

The constructor is invoked and the setter is called at that time and prints the set value in the server log.

If I hard coded the username and password instead of in the constructor then it is not setting the value. Because the main problem is handleMessage() is not invoked in the SecurityHandler class.

But the same handleMessage() is invoked in the standalone Java class.

Please let me know if anything is wrong.


Thanks,
Sreedhar.

 
Meghana Reddy
Ranch Hand
Posts: 76
The only reason I can think of is that the handler is somehow not attached to the Service in the server environment, especially because it is working in the standalone mode.

I don't know much about JBoss, but you can check the documentation to see if there's any additional configuration of handlers needed.

Some time ago, I remember configuring the handlers from the admin page in WebSphere. There probably is a similar configuration in JBoss.
 
Rodrigo Tassini
Greenhorn
Posts: 22
Have you solved this?

I'm having the same problem.
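
Added example, not part of the thread or of any participant's code: the stack trace in the first post is raised by CXF's own UsernameTokenInterceptor, which reads the credentials from the client's request context rather than from a JAX-WS handler. The sketch below supplies them there, assuming the CXF property names "ws-security.username" and "ws-security.password"; the class UsernameTokenClientConfig and its configure method are hypothetical names, and the HTTPS check is there because the policy shown sends the password with no message protection.

```java
import java.util.Map;

import javax.xml.ws.BindingProvider;

/** Hypothetical helper (added example): passes UsernameToken credentials to a CXF client. */
public final class UsernameTokenClientConfig {

    // Property names read by Apache CXF's WS-Security runtime
    // (org.apache.cxf.ws.security.SecurityConstants.USERNAME / PASSWORD).
    static final String CXF_USERNAME = "ws-security.username";
    static final String CXF_PASSWORD = "ws-security.password";

    private UsernameTokenClientConfig() {
    }

    /**
     * @param port a wsimport-generated port proxy, e.g. the result of service.getPort()
     */
    public static void configure(Object port, String user, String password) {
        if (user == null || user.isEmpty() || password == null) {
            throw new IllegalArgumentException("username and password are required");
        }
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();

        // The policy shown in the first post contains only a supporting UsernameToken,
        // so the password is carried as plain text in the SOAP header. Require TLS
        // on the endpoint before handing the credentials to the runtime.
        Object endpoint = ctx.get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
        if (endpoint == null
                || !endpoint.toString().regionMatches(true, 0, "https://", 0, 8)) {
            throw new IllegalStateException(
                    "refusing to send a plain-text UsernameToken to " + endpoint);
        }

        // With these set, the policy-driven interceptor has a username available
        // and builds the wsse:UsernameToken header itself.
        ctx.put(CXF_USERNAME, user);
        ctx.put(CXF_PASSWORD, password);
    }
}
```

Call configure(port, userName, passWord) before port.sale(...); when the runtime builds the token from these properties, the hand-written SecurityHandler should not also be attached, or the message would carry two Security headers.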
 