Alan Richardson

Hello all,

In need to encrypt the body of SOAP messages on a service. I'm using Axis2 so therefore I'm working through some of the Rampart examples to try and understand how it can be applied in Axis.

Sample 03 is perhaps the closest to what I want to do, so I'm focusing on that. However I can't seem to get it to work correctly. As I understand it the message sent to the service should have an encrypted body, correct? (the RecipientToken has a X509Token, and <body/> is specified in the encryptedParts element).

The readme/policy files are here: https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample03/

The security header is included in the message, the service is invoked and no errors are thrown *but* I'm not seeing an encrypted body in SOAP Monitor and I'm not sure why. Any ideas what might be going on here?

Here is the request message (how I'm seeing it in SOAP Monitor) (I've cut the <CipherValue> short to make it more readable):

<?xml version='1.0' encoding='utf-8'?> <soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-6296823"> <wsu:Created>2007-09-03T20:45:52.334Z</wsu:Created>c <wsu:Expires>2007-09-03T20:50:52.334Z</wsu:Expires> </wsu:Timestamp> <xenc:EncryptedKey Id="EncKeyId-27234531"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <ds:KeyInfo xmlns :mrgreen: s="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference> <ds:X509Data> <ds:X509IssuerSerial> <ds:X509IssuerName>CN=Sample Service,OU=Rampart,O=Apache,L=Colombo,ST=Western,C=LK</ds:X509IssuerName> <ds:X509SerialNumber>1187603713</ds:X509SerialNumber> </ds:X509IssuerSerial> </ds:X509Data> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>Wpmo5tj9xw1DbUxPTXxEe4VpjyU6Tw=</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-148082">MIICTDCCAbUCBEbJZMQwDQF/DHme LYmA==</wsse:BinarySecurityToken> <ds:Signature xmlns :mrgreen: s="http://www.w3.org/2000/09/xmldsig#" Id="Signature-26545674"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#Id-39600"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds :mrgreen: igestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds :mrgreen: igestValue>UhRz20aeCS07rzz1g6ram2VyIcE=</ds :mrgreen: igestValue> </ds:Reference> <ds:Reference URI="#Timestamp-6296823"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds :mrgreen: igestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds :mrgreen: igestValue>Er5e4Sn6Suw6/QJbcQF9KtUw8HM=</ds :mrgreen: igestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> OzdpEnBZK17W3eHoAtS5yuDzEqj0DYV+LUKjx0VcLlSZHqT8kgUMG96wIuNKeOiLVrpkyV8azEO0 M67eEUtVEH+AYmn81yOs9ZhXjoWzk1M9SAEYePW6ZXyGUIN1y82imoh/3YmP6eWoSMZKxaCxUx7c fCYijsTVwMdzy7CTn3Q= </ds:SignatureValue> <ds:KeyInfo Id="KeyId-16133818"> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-7718724"> <wsse:Reference URI="#CertId-148082" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> <xenc:ReferenceList> <xenc :mrgreen: ataReference URI="#EncDataId-39600" /> </xenc:ReferenceList> </wsse:Security> <wsa:To>http://localhost:8085/axis2/services/LPAdminService</wsa:To> <wsa:MessageID>urn:uuid:59356FD889A283F1BF1188852352369</wsa:MessageID> <wsa:Action>userLogin</wsa:Action> </soapenv:Header> <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd <http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd>" wsu:Id="Id-21192393"> <ns2:testFunction xmlns:ns2="http://webservice.example.com/xsd"> <arg0 >username</arg0> <arg1>pas</arg1> </ns2:testFunction> </soapenv:Body> </soapenv:Envelope>


This is how I'm invoking the service:

ServiceClient client = new ServiceClient(); Options options = new Options(); options.setAction("testFunction"); options.setTo(new EndpointReference(endpointURL)); options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, loadPolicy("/WEB-INF/policy.xml")); client.setOptions(options); client.engageModule(new QName("rampart")); client.engageModule(new QName("addressing")); OMElement response = client.sendReceive(getPayload()); // getPayload returns OMElement

[ September 11, 2007: Message edited by: Alan Sunley ]
[ September 11, 2007: Message edited by: Alan Sunley ]

A few questions, if I may:

If I define protected areas in the web.xml, does that mean I have to implement a login-config as well? i.e a FORM login.

Using JAAS in a servlet, like I originally did, is that not considered 'container-based authentication'? (and therefore I'm not able to call isUserInRole()? ).


I'm thinking that my best approach at the moment is to go with my original JAAS servlet and, if the user is authenticated, store the Subject as a session attribute. Then attach a filter to the servlets that access 'protected' areas, which checks the session subject attribute for the required role. (most access to protected resources in my webapp is through servlets, rather than direct url links).

Would that be bad practice though?

I'm using Tomcat 5.5 and have a JAASRealm set in META-INF/context.xml:

<Realm className="org.apache.catalina.realm.JAASRealm" appName="WebLogin" userClassNames="com.devtest.auth.UserPrincipal" roleClassNames="com.devtest.auth.RolePrincipal" useContextClassLoader="false" />

If the JAASRealm is being used I don't understand why isUserInRole() won't work.
[ September 09, 2007: Message edited by: Alan Sunley ]

Thanks Rahul,

Yes, I've defined a protected resource in web.xml. I've experimented with FORM based login and it works, that is isUserInRole() and getUserPrincipal() works as it should.

The thing is, in the web application rather than trying to access a protected resource directly, via a url link, a user first goes to a login page to access the resource - the servlet authenticates the user then forwards to the appropriate url, at least that's how I want it to work (I can access the forwarded page, but trying to access other pages in the protected area fails). With FORM I can't access the login page directly.

Hello all,

I'm attempting to perform a JAAS login via a servlet. I'm not using a FORM based login, but I'm passing the username and password as request parameters. I'm going off examples in the Java Servlet & JSP Cookbook, but here is a code snippet:

WebCallbackHandler webcallback = new WebCallbackHandler(request); LoginContext lc = null; try { lc = new LoginContext( "WebLogin",webcallback ); } catch ( ... ) Subject subject = null; try { lc.login(); subject = lc.getSubject(); } catch(LoginException logEx) { throw new ServletException("Authentication Failed"); }

The authentication works and my custom LoginModule class sets separate User and Role Principals in the Subject, however it doesn't seem to be maintained in the session - when I try to access other pages in the protected resource it won't let me. Calling request.isUserInRole(), getUserPrincipal() returns false and null, respectively.

Is there a session attribute I have to manually set when authentication succeeds, for this to work? Or shouldn't JAAS do that automatically?

Hi folks,

I'm using a proxy to allow an Ajax web application to send SOAP requests to an external server. At the moment I'm using a simple JSP scriptlet to forward the requests but I'm experiencing an odd problem � if I run the web server within the Eclipse IDE ( using a Tomcat runtime) it functions, I can send the request and a response from the external webserver is eventually received back to Ajax web app. However although it works I do receive the following output to the console:

24-Jul-2007 12:38:22 org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet jsp threw exception java.lang.IllegalStateException: getOutputStream() has already been called for this response

Now if I run application in a standalone Tomcat server (not in eclipse ), then I'm hit with the following error:

java.io.IOException: Server returned HTTP response code: 500 for URL: http://webhost:8085/axis2/services/UserService

Yet the web service works fine in the first instance ( in Eclipse ).

I'm honestly stumped, any insight into what I may be doing wrong here would be greatly appreciated.

This is the proxy code I'm using:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <%@ page import="java.net.URLConnection" %> <%@ page import="java.net.URL" %> <%@ page import="java.util.Enumeration" %> <%@ page import="java.util.Hashtable" %> <%@ page import="java.io.BufferedOutputStream" %> <%@ page import="java.io.BufferedInputStream" %> <%@ page import="java.io.BufferedReader" %> <%@ page import="java.io.InputStream" %> <%@ page import="java.io.PrintWriter" %> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title> API Proxy</title> <% String host = �http://webhost:8085/axis2/services/UserService"; URLConnection urlConnection = null; Hashtable headers = new Hashtable(); String soapRequest=""; try { String inputLine; BufferedReader is = request.getReader(); while ((inputLine = is.readLine()) != null) { soapRequest += inputLine; } System.out.println( soapRequest); } catch(Exception Ex) { System.out.println("Exception 1"); Ex.printStackTrace(); response.sendError(503); } try { URL url = new URL(host); urlConnection = url.openConnection(); urlConnection.setDoOutput(true); urlConnection.setDoInput(true); urlConnection.setUseCaches(false); urlConnection.setRequestProperty("content-type", "application/soap+xml"); String header; for(Enumeration enumeration = request.getHeaderNames(); enumeration.hasMoreElements(); headers.put(header, request.getHeader(header))) { header = (String)enumeration.nextElement(); } if(headers != null) { String header1; for(Enumeration enumeration1 = headers.keys(); enumeration1.hasMoreElements(); urlConnection.setRequestProperty(header1, (String)headers.get(header1))) { header1 = (String)enumeration1.nextElement(); } } PrintWriter printwriter = new PrintWriter(urlConnection.getOutputStream()); printwriter.write(soapRequest); printwriter.close(); } catch(Exception Ex) { System.out.println("Exception 2"); Ex.printStackTrace(); response.sendError(503); } String contentType = urlConnection.getContentType(); if(contentType != null) { response.setContentType(contentType); } String contentEncoding = urlConnection.getContentEncoding(); if(contentEncoding == null) { contentEncoding = ""; } Object object = null; BufferedOutputStream bufferedOutputStream = null; System.out.println( " -- " + response.getContentType() ); try { object = new BufferedInputStream(urlConnection.getInputStream()); bufferedOutputStream = new BufferedOutputStream(response.getOutputStream()); int i; while((i = ((InputStream) (object)).read()) >= 0) { response.getOutputStream().write(i); } } catch(Exception Ex) { response.sendError(503); } try { if(object != null) ((InputStream) (object)).close(); if(bufferedOutputStream != null) { bufferedOutputStream.flush(); bufferedOutputStream.close(); } } catch(Exception Ex) { response.sendError(503); } %> </head> <body> </body> </html>
[ April 04, 2008: Message edited by: Alan Sunley ]

I've been experimenting with the RPCServiceClient above and find that I can successfully invoke the service from a java application, but not from within a Tomcat webapp.

It doesn't like that I pass a filled Object array containing the webservice method arguments.

Object[] operationArguments = new Object[] { "userName", "userCode" }; Object[] response = serviceClient.invokeBlocking(opTestService, operationArguments, returnTypes);

However I can pass an empty Object array ( Object[] operationArguments = new Object[] { }; ) without problem. Not particularly useful since I do need to pass arguments.

Are there any know issues invoking a service this way?


Full error trace:

java.lang.NullPointerException at com.ctc.wstx.sw.BaseNsStreamWriter.doWriteDefaultNs(BaseNsStreamWriter.java:528) at com.ctc.wstx.sw.SimpleNsStreamWriter.writeDefaultNamespace(SimpleNsStreamWriter.java:111) at com.ctc.wstx.sw.SimpleNsStreamWriter.writeNamespace(SimpleNsStreamWriter.java:119) at org.apache.axiom.om.impl.MTOMXMLStreamWriter.writeNamespace(MTOMXMLStreamWriter.java:146) at org.apache.axiom.om.impl.util.OMSerializerUtil.serializeStartpart(OMSerializerUtil.java:329) at org.apache.axiom.om.impl.util.OMSerializerUtil.serializeStartpart(OMSerializerUtil.java:171) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:804) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:837) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:808) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:837) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:808) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:837) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:808) at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.internalSerialize(SOAPEnvelopeImpl.java:179) at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:837) at org.apache.axiom.om.impl.llom.OMNodeImpl.serializeAndConsume(OMNodeImpl.java:417) at org.apache.axis2.transport.http.SOAPOverHTTPSender$AxisSOAPRequestEntity.handleOMOutput(SOAPOverHTTPSender.java:190) at org.apache.axis2.transport.http.SOAPOverHTTPSender$AxisSOAPRequestEntity.writeRequest(SOAPOverHTTPSender.java:232) at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:495) at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973) at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346) at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:541) at org.apache.axis2.transport.http.SOAPOverHTTPSender.send(SOAPOverHTTPSender.java:119) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:335) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:204) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:674) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:237) at org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:202) at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:579) at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:508) at org.apache.axis2.rpc.client.RPCServiceClient.invokeBlocking(RPCServiceClient.java:95)

I'm attempting to use the following (based on the example 11 provided with Rampart 1.1), with no joy.

RPCServiceClient serviceClient = new RPCServiceClient(); Options options = serviceClient.getOptions(); EndpointReference targetEPR = new EndpointReference(endpointURL); options.setTo(targetEPR); QName operation = new QName(namespace, operationName); // Set the rampart parameters options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY,getOutflowConfiguration()); options.setProperty("password", userPassword); serviceClient.setOptions(options); //Engage rampart serviceClient.engageModule(new QName("rampart")); Object[] response = serviceClient.invokeBlocking(operation,arguments,returnType);

private static Parameter getOutflowConfiguration() { OutflowConfiguration ofc = new OutflowConfiguration(); ofc.setActionItems("UsernameToken"); ofc.setUser(userName); ofc.setPasswordCallbackClass("com.learnpipe.webservice.authentication.DIIPWCallback"); return ofc.getProperty(); }


I receive the following error:
java.lang.NullPointerException at com.ctc.wstx.sw.BaseNsStreamWriter.doWriteDefaultNs(BaseNsStreamWriter.java:528)

I can't find much information about this, although I'm actually receiving the same error when sending non-authenticated messages, so the problem may not be related directly to Rampart. (I originally had Axis2-1.2 running but I had to roll back to Axis2-1.1.1 due to Rampart compatibility).

Any ideas?

[ May 21, 2007: Message edited by: Alan Sunley ]
[ May 21, 2007: Message edited by: Alan Sunley ]

I have a front-end website which consumes the services so when a user inputs a username and password it is saved in a session bean and bundled with each request. Hence the 'user.getUserName()' from the snippet of code above.

Might there be a way of using descriptors for multiple users?

Hi folks,

Does anyone know how to set up handlers and apply a username/password header to a SOAP message using an Axis2 based client?

For instance in Axis 1 I can do the following:

Service service = new Service(); Call call = (Call) service.createCall(); call.setClientHandlers(new WSDoAllSender(),null ); call.setProperty(WSHandlerConstants.ACTION, "UsernameToken"); call.setProperty(WSHandlerConstants.USER,user.getUserName() ); call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,"serviceAccess.DIIPWCallback"); call.setProperty("password", user.getUserPassword()); call.setTargetEndpointAddress("http://localhost:8080/axis/services/WebService"); call.setOperationStyle(Style.RPC); .. etc .. call.invoke ...

Is it possible to do something similar with the Axis2 / Rampart API? I can only find examples that retrieve the username/password information from XML based descriptors.

Thanks Ben

The referer variable is exactly what I need

Hi folks,

This seems to be a relatively simple problem but being somewhat new to JSP I'm not sure how this is typically handled.

Basically is there a way in JSP to return to the previous page (rather than using Javascript)? I want to place 'Back' buttons on pages, and more importantly I have an error-handling page, which in some circumstances I would like to return the user to the page they were previously viewing.

There is a SAAJ example supplied with Axis which constructs a SOAPMessage and passes it to the call method. However I need to implement authentication I'm not sure how I would handle the security headers this way, would it mean implementing it by hand?

Presumably the code below is adding an attachment, but the same problem occurs.

Service service = new Service(); Call call = (Call) service.createCall(); call.setClientHandlers(new WSDoAllSender(),null ); AttachmentPart attachmentPart = new org.apache.axis.attachments.AttachmentPart(); attachmentPart.setDataHandler(newFile); // File attempting to send call.setProperty(WSHandlerConstants.ACTION, "UsernameToken"); call.setProperty(WSHandlerConstants.USER, code ); call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, " client.PWCallback"); call.setTargetEndpointAddress("http://localhost:8080/axis/services/WebService"); call.setOperationStyle(Style.RPC); call.addAttachmentPart(attachmentPart); RPCElement ele1 = new RPCElement("code"); RPCElement ele2 = new RPCElement("newFile"); ele2.setAttribute("href", attachmentPart.getContentId()); RPCElement rpcElement = new RPCElement("updateFile"); rpcElement.setNamespaceURI("http://localhost:8080/axis/services/WebService"; rpcElement.addChildElement(ele1); rpcElement.addChildElement(ele2); Boolean result = (Boolean) call.invoke(rpcElement);
[ March 09, 2007: Message edited by: Alan Sunley ]

Hi again. I have hit a problem with the web service I am creating. I need to invoke a method which includes as a parameter a PDF file. Below is the code I'm using to send the file, and I can send small files (largest I have sent is 12kb), but beyond that file size I get 'java.lang.ArrayIndexOutOfBoundsException: 8192', meaning the end-of-file cannot be reached. Any ideas of what the limiting factor is here, and any possible solution?


FileDataSource ds = new FileDataSource("C:\\testPDF.pdf"); DataHandler pdfFile = new DataHandler(ds); QName qnameAttachment = new QName("urn:WebService", "DataHandler"); call.registerTypeMapping(pdfFile.getClass(),qnameAttachment,JAFDataHandlerSerializerFactory.class, JAFDataHandlerDeserializerFactory.class); call.setTargetEndpointAddress("http://localhost:8080/axis/services/WebService"); call.setOperationStyle(Style.RPC); call.setOperationName(new QName(NAMESPACE, "addPDFFile")); call.addParameter("code",Constants.XSD_STRING, ParameterMode.IN); call.addParameter("pdfFile", qnameAttachment, ParameterMode.IN); call.setReturnType(Constants.XSD_BOOLEAN); try { Boolean result = (Boolean) call.invoke(new Object[] {code, pdfFile}); return result.booleanValue(); }

Looking at the deployment descriptor, would that mean I need to know which users will access the service as you have defined a user, or have I misunderstood how that works? I'm also still not sure how to define a non- WS-sec handler. I'm still wearing my rookie badge as you may tell.

On reflection I think it would be best to authenticate each message because, as you say it is a better security practice, although I also don't want to leave my understanding of this issue unresolved.