Problem authenticating SOAP usernameToken


Problem authenticating SOAP usernameToken

capozx
Hi, I'm trying to develop a SOAP web service, but I'm having trouble
authenticating the UsernameToken included in every SOAP message header. My
TomEE server version is TomEE Plus 7.0.5. According to the documentation,
WS-SecurityPolicy does the necessary work to handle security, after a proper
configuration. I do configuration through Endpoint Property Annotations, in
the following way:

@WebService(targetNamespace = "http://tempuri.org/", name = "MyService")
@EndpointProperties(value = {
        @EndpointProperty(key = "ws-security.callback-handler", value = "org.tempuri.ServerPasswordCallback")
        //@EndpointProperty(key = "ws-security.validate.token", value = "false")
    }
)
public interface MyService {
...
}

The ServerPasswordCallback is:

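import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {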

    public ServerPasswordCallback() {
        System.out.println("Instantiating ServerPasswordCallback");
    }

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {

        System.out.println("Validating on ServerPasswordCallback");

        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        if (pc.getIdentifier().equals("joe")) {
            // set the password on the callback. This will be compared to the
            // password which was sent from the client.
            pc.setPassword("password");
        }
    }

}

The problem is that I get the following exception:

Caused by: org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:176)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:136)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:94)

The sent message's header is:

<?xml version="1.0"?>
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-3B91E43693FA4F34C61536922750459149">
      <wsse:Username>joe</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ey+3J+OKoHlhfqREn7Q8jw==</wsse:Nonce>
      <wsu:Created>2018-09-14T10:59:10.459Z</wsu:Created>
    </wsse:UsernameToken>
    <wsu:Timestamp wsu:Id="TS-3B91E43693FA4F34C61536922750459148">
      <wsu:Created>2018-09-14T10:59:10.459Z</wsu:Created>
      <wsu:Expires>2018-09-14T10:59:15.459Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security>
</soapenv:Header>

The strange thing is that it seems that ServerPasswordCallback is never instantiated, and handle() is never called.
If in the Endpoint properties annotations I set ws-security.validate.token to false, the former Exception is thrown, even if this
property should prevent Token validation.
That fact makes me think that annotations are not working, but I can't figure out why.
Is this the correct way of authenticating a UsernameToken?
Are the Endpoint properties annotations correct?
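
Added example, not part of the original post and not WSS4J or TomEE code: a JDK-only model of the comparison that the comment in ServerPasswordCallback describes, run against the token values from the header above. The class name UsernameTokenCheck and the PasswordLookup interface are hypothetical; PasswordLookup stands in for the password a CallbackHandler would supply.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added illustration (not WSS4J code): how a UsernameToken is checked against
// the password the server side supplies for the user.
public class UsernameTokenCheck {
    static final String PROFILE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#";

    // Hypothetical stand-in for a CallbackHandler: returns null when no password is set.
    interface PasswordLookup { String passwordFor(String username); }

    static boolean validate(String user, String type, String sent, String nonceB64,
                            String created, PasswordLookup lookup) throws Exception {
        String expected = lookup.passwordFor(user);
        if (expected == null) {
            return false; // nothing to compare against: the token cannot be authenticated
        }
        byte[] want;
        if ((PROFILE + "PasswordText").equals(type)) {
            // Plaintext: nonce and created take no part in the comparison.
            want = expected.getBytes(StandardCharsets.UTF_8);
        } else if ((PROFILE + "PasswordDigest").equals(type)) {
            // Digest: Base64(SHA-1(nonce + created + password)), per the UsernameToken profile.
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(Base64.getDecoder().decode(nonceB64));
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(expected.getBytes(StandardCharsets.UTF_8));
            want = Base64.getEncoder().encode(sha1.digest());
        } else {
            return false; // unknown password type
        }
        // Constant-time comparison of the expected and received values.
        return MessageDigest.isEqual(want, sent.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> users = Map.of("joe", "password"); // same pair as in the post
        String nonce = "ey+3J+OKoHlhfqREn7Q8jw==", created = "2018-09-14T10:59:10.459Z";
        // Token from the post, password supplied for "joe".
        System.out.println(validate("joe", PROFILE + "PasswordText", "password", nonce, created, users::get));
        // Same token, but the lookup never supplies a password.
        System.out.println(validate("joe", PROFILE + "PasswordText", "password", nonce, created, u -> null));
    }
}
```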

Re: Problem authenticating SOAP usernameToken

jgallimore
It's a bit hard to read your email - my guess is it got reformatted
somewhere along the line. Are you able to attach a sample project for us to
dig into?

Thanks

Jon

On Fri, Sep 14, 2018 at 12:14 PM capozx <[hidden email]> wrote:

> Hi, i'm a trying to develop a SOAP web service, but i'm having trouble
> authenticating the UsernameToken included in every SOAP message header.My
> tomEE server version is tomEE plus 7.0.5.According to the documentation,
> WS-SecurityPolicy does the necessary work to handle security, after a
> proper
> configuration.I do configuration through Endpoint Property Annotations, in
> the following way: @WebService(targetNamespace = "http://tempuri.org/",
> name
> = "MyService")@EndpointProperties(value = {        @EndpointProperty(key =
> "ws-security.callback-handler", value =
> "org.tempuri.ServerPasswordCallback")        //@EndpointProperty(key =
> "ws-security.validate.token", value = "false")    })public interface
> MyService {...}The ServerPasswordCallback is:public class
> ServerPasswordCallback implements CallbackHandler {    public
> ServerPasswordCallback() {        System.out.println("Instantiating
> ServerPasswordCallback");    }    public void handle(Callback[] callbacks)
> throws IOException,            UnsupportedCallbackException {
> System.out.println("Validating on ServerPasswordCallback");
> WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];        if
> (pc.getIdentifier().equals("joe")) {            // set the password on the
> callback. This will be compared to the            // password which was
> sent
> from the client.            pc.setPassword("password");        }    }}The
> problem is that i get the following exception:Caused by:
> org.apache.wss4j.common.ext.WSSecurityException: The security token could
> not be authenticated or authorized      at
>
> org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:176)
> at
>
> org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:136)
> at
>
> org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:94)The
> sent message's header is: <?xml version="1.0"?>            joe
> password
> ey+3J+OKoHlhfqREn7Q8jw==      2018-09-14T10:59:10.459Z
> 2018-09-14T10:59:10.459Z      2018-09-14T10:59:15.459Z      The strange
> thing is that seems that ServerPasswordCallback is never instantiated, and
> handle() is never called.If in the Endpoint properties annotations i set
> ws-security.validate.token to false, the former Exception is thrown, even
> if
> thisproperty should prevent Token validation.That fact make me think that
> annotations are not working, but i can't figure out why.Is this the correct
> way of authenticating a UsernameToken?Are the Endpoint properties
> annotations correct?
>
>
>
> --
> Sent from:
> http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Problem authenticating SOAP usernameToken

capozx
Hi Jon, thanks for your reply. I'm sorry for the poor formatting of my
question.

I created a repository with a Sample Project, the link is
https://github.com/capozx/WSDLTest
Thank you.

Dario