SOAP WS authentication in Websphere - web-services

I'm new to both SOAP WS and Websphere Application Server(8.5).
I have a web service which is currently accessed over http and my objectives are :
Changing the access protocol from http to https
Implementing the authentication for the users which are located in an Active Directory group
I went through several stackoverflow threads like this and I also tried attaching 'policy set' to the web service and somehow now its accessible only over https despite of detaching policy sets. Then, I also created custom policy sets and bindings as per IBM developer blog but every time I invoke the WS (using SOAP UI) as follows :
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v1="http://xmlns.scania.com/logistics/schema/transport/v1">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-7AEC79B67DC85BBB5A14210677185104">
<wsse:Username>12345</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">12345</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<v1:TransportInformationRequest>
<!--1 or more repetitions:-->
<v1:ChassisNumber>2105909</v1:ChassisNumber>
</v1:TransportInformationRequest>
</soapenv:Body>
</soapenv:Envelope>
I get an error on the server side :
Oracle Database Vault and Real Application Testing options ,Oracle JDBC driver 11.2.0.2.0).
[2015-01-12 14:17:09:525 CET] 000000b1 AxisEngine E org.apache.axis2.engine.AxisEngine receive Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
at org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:338)
at org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:260)
at org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:103)
at org.apache.axis2.jaxws.server.JAXWSMessageReceiver.receive(JAXWSMessageReceiver.java:161)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:208)
at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
at com.ibm.ws.websvcs.transport.http.WASAxis2Servlet.doPost(WASAxis2Servlet.java:1583)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1227)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:776)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:458)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1032)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:909)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1662)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:459)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:526)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:312)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:283)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1048)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:716)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:412)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:1066)
at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:87)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1862)
When I remove the header and simply pass the body, the response is correct.
I understand that the web service isn't configured properly to handle the header but I'm really not able establish the way I should proceed.
Any relevant inputs are welcome.

If your application is JAX-WS and your active directory is your websphere registry, you can follow this article to add WS-Security constraints for a UsernameToken:
http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twbs_stand_alone_security_token.html
If active directory is not your WebSphere registry, then you must also do this and write code to do the authentication to AD in custom code:
http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twbs_replace_authmethod_usernametoken.html
If you had to do that 2nd step there and you also want WebSphere credentials for the user, you must do this:
http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twbs_config_wssec_caller_no_reg.html
In order to get HTTPS, at the point in the 1st article when you were adding the WS-Security policy type to the policy set, you would also add the SSLTransport policy type.

Related

Unable to invoke WSO2 API Manager 1.10 admin services

I have enabled the admin services from carbon.xml for API Manager and extracted the wsdl successfully. Now I am trying to invoke the service RemoteTenantManagerService using SOAP UI. I have loaded the wsdl in SOAP UI and also provided the Basic authentication Username/Password as admin/admin. But I am getting following message back. Port for API Manager is Offset 1
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:getAllTenants/>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>The service cannot be found for the endpoint reference (EPR) /services/RemoteTenantManagerService.RemoteTenantManagerServiceHttpsSoap11Endpoint</faultstring>
<detail/>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
There are two types of transports, PassThrough and servlet. The admin services are exposed through servlet transport. Hence those must be invoked using servlet transport port.
For ex:- https://{host}:9443/services/RemoteTenantManagerService
In your case you have set offset to the "1" so please call the service using the URL https://{host}:9444/services/RemoteTenantManagerService
The generated WSDL contains the endpoint with Passthrough port hence soapUI shows it as the default endpoint. Please change the port to servlet port (your case it should be 9444) and run again.

Enable WS Security Authentication in SOAP UI mockService

I am trying to create a mockWebservice which should Authenticate UserName,password sent in the SOAP Request xml header.
My request xml will look like this
<s11:Envelope xmlns:s11="http://schemas.xmlsoap.org/soap/envelope/">
<s11:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>User_Name</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:Action xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">DeliverAccountInvestigationCaseStatus</wsa:Action>
<wsa:To xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">http://rp.baml.com</wsa:To>
<wsa:MessageID xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">Test from APP_NAME</wsa:MessageID>
</s11:Header>
<s11:Body>
<tns:DeliverAccountInvestigationCaseStatusRequest xsi:schemaLocation="http://rp.baml.com/data/DeliverAccountInvestigationCaseStatusV001 DeliverAccountInvestigationCaseStatusV001.xsd" xmlns:tns="http://rp.baml.com/data/DeliverAccountInvestigationCaseStatusV001" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<tns:ReferenceNumber type="GSS">1-</tns:ReferenceNumber>
<tns:TimeStamp>2014-01-31</tns:TimeStamp>
<tns:Status></tns:Status>
<tns:Resolution></tns:Resolution>
<tns:Comment>Test</tns:Comment>
</tns:DeliverAccountInvestigationCaseStatusRequest>
</s11:Body>
</s11:Envelope>
My Webservice should throw error if, username or password is not correct in the header.
When you mock a response you are simulating a response to a service's request. You normally mock when you cannot reach one of the supporting web services or it has not yet been built.
What this means is that you can mock any kind of response. If you need to validate the username and password, you will have to write that validation code yourself.
Check out soapUI.org's service mocking guide for some background on mocking.

wso2: ws-discovery integration

WSO2 WS-Discovery Integration
We're trying to integrate WS-Discovery with the Carbon products WSO2 Governance Registry and WSO2 ESB having
Apache CXF Web Service stack configured via Spring running on a Tomcat sending hello messages to the
Discovery Proxy (localhost:9443/services/DiscoveryProxy) on WSO2 Greg.
Therefore we added cxf-services-ws-discovery-service.jar and cxf-services-ws-discovery-api.jar to the
classpath in Tomcat. Further we set the spring bus property org.apache.cxf.service.ws-discovery.address
to the URL address of the WS-Discovery Proxy on WSO2 Greg to run WS-Discovery in managed mode. By running
Tomcat and WSO2 Greg following error messages is logged in wso2Carbon.log (WSO2 Greg) ...
TID: [0] [Greg] [2013-07-15 11:45:03,411] INFO {org.wso2.carbon.discovery.proxy.DiscoveryProxy} - Service Discovery Failed. Retrying after 10s. {org.wso2.carbon.discovery.proxy.DiscoveryProxy}
TID: [0] [Greg] [2013-07-15 11:45:03,458] ERROR {org.wso2.carbon.governance.api.common.GovernanceArtifactManager} - Failed to add artifact: artifact id: urn:uuid:003aa9d9-2c9f-4e0b-8415-c99632226ee3, path: /trunk/services/org/oasis_open/docs/ws_dd/ns/discovery/_2009/_01/DiscoveredService_1373881503442. An exception occurred while executing handler chain. String index out of range: -1 {org.wso2.carbon.governance.api.common.GovernanceArtifactManager}
org.wso2.carbon.registry.core.exceptions.RegistryException: An exception occurred while executing handler chain. String index out of range: -1
at org.wso2.carbon.registry.core.jdbc.handlers.HandlerManager.put(HandlerManager.java:2525)
at org.wso2.carbon.registry.core.jdbc.handlers.HandlerLifecycleManager.put(HandlerLifecycleManager.java:1005)
at org.wso2.carbon.registry.core.jdbc.EmbeddedRegistry.put(EmbeddedRegistry.java:697)
at org.wso2.carbon.registry.core.caching.CacheBackedRegistry.put(CacheBackedRegistry.java:465)
at org.wso2.carbon.registry.core.session.UserRegistry.put(UserRegistry.java:658)
at org.wso2.carbon.governance.api.common.GovernanceArtifactManager.addGovernanceArtifact(GovernanceArtifactManager.java:155)
at org.wso2.carbon.governance.api.services.ServiceManager.addService(ServiceManager.java:116)
at org.wso2.carbon.discovery.util.DiscoveryServiceUtils.addService(DiscoveryServiceUtils.java:152)
at org.wso2.carbon.discovery.proxy.DiscoveryProxy$1.run(DiscoveryProxy.java:89)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.substring(String.java:1911)
at org.wso2.carbon.registry.extensions.handlers.utils.EndpointUtils.deriveEndpointFromUrl(EndpointUtils.java:674)
at org.wso2.carbon.registry.extensions.handlers.utils.EndpointUtils.saveEndpoint(EndpointUtils.java:483)
at org.wso2.carbon.registry.extensions.handlers.utils.EndpointUtils.saveEndpointsFromServices(EndpointUtils.java:280)
at org.wso2.carbon.registry.extensions.handlers.ServiceMediaTypeHandler.put(ServiceMediaTypeHandler.java:353)
at org.wso2.carbon.registry.core.jdbc.handlers.HandlerManager.put(HandlerManager.java:2503)
... 14 more
We tried to solve this issue for several hours by reading WSO2 product documentation and searching through
several forums, blogs etc. . Unfortunely we couldn't find a solution.
Remark: WS-Discovery integration with WSO2 Application Server instead of Tomcat just worked fine.
But when using WSO2 ESB as an discovery client to discover services from WSO2 Greg the wizard to create proxy services out of the
discoverd services on WSO2 ESB is missing the publishWSDL xml tag after creating the proxy. This tag must be added
manually. Is there a way to get this done without editing this additionally??
We would be grateful for any help.
Thanks in advance
Thank you for your quick reply
We intercepted the hello requests sent to WSO2 GReg via Tomcat and the WSO2 Application server. For this purpose we used soapUI mock
services. The message requests of the soap envelopes look as follows ...
Tomcat:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:tns="http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01">
<soap:Header>
<wsa:Action>http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01/Hello</wsa:Action>
<wsa:MessageID>urn:uuid:e01ce7dc-53c0-4b36-b7d5-0e84e3bd6a5d</wsa:MessageID>
<wsa:To>https://localhost:9443/services/DiscoveryProxy</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
</wsa:ReplyTo>
</soap:Header>
<soap:Body>
<ns2:Hello xmlns="http://www.w3.org/2005/08/addressing" xmlns:ns2="http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01">
<EndpointReference>
<Address>urn:uuid:be46c1fc-1646-4bcc-8715-1aed4040fdd5</Address>
<ReferenceParameters/>
</EndpointReference>
<ns2:Types xmlns:ns3="http://user.service.scheck.server.tia/">ns3:IZ3UserService</ns2:Types>
<ns2:Scopes/>
<ns2:XAddrs>/userService</ns2:XAddrs>
<ns2:MetadataVersion>1</ns2:MetadataVersion>
</ns2:Hello>
</soap:Body>
</soap:Envelope>
WSO2 Application Server:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<mns:serviceName xmlns:mns="http://www.wso2.org/ws/discovery">echo</mns:serviceName>
<mns:wsdlURI xmlns:mns="http://www.wso2.org/ws/discovery">http://10.200.2.114:9764/services/echo?wsdl</mns:wsdlURI>
<wsa:To>https://localhost:9443/services/DiscoveryProxy</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:d21e108b-34a2-4313-8b12-a22015567a51</wsa:MessageID>
<wsa:Action>http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01/Hello</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wsd:Hello xmlns:wsd="http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>urn:uuid:439a1cd5-fb36-40e2-a54e-e0cb7f3409e4</wsa:Address>
</wsa:EndpointReference>
<wsd:Types xmlns:axis2ns1="http://echo.services.core.carbon.wso2.org">axis2ns1:echoPortType</wsd:Types>
<wsd:Scopes>http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01/DefaultScope</wsd:Scopes>
<wsd:XAddrs>https://10.200.2.114:9444/services/echo http://10.200.2.114:9764/services/echo</wsd:XAddrs>
<wsd:MetadataVersion>1</wsd:MetadataVersion>
</wsd:Hello>
</soapenv:Body>
</soapenv:Envelope>
Comparing both message requests we noticed that there are some tags missing like serviceName, wsdlURI and most important
in our opinion the XAddrs. By adding the XAddrs manually to an soapUI request we were able to register the cxf service
on WSO2 GReg. Maybe you can give us an advice how this could be achieved by configuring cxf via spring or by annotating our
web service implementations.
Thanks again..this helped us very much!!

How can I add WSSE Header to my Web Service Client?

I want to add wsse Security header to my web service client on ASP 3.5. I test the web service from SoapUI using this Soap Envelope and get an answer:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:comp="http://myCompany.org.tr"> <soapenv:Header xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
<wsse:Username>MyUsername</wsse:Username>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
(Body Info.)
</soapenv:Body>
</soapenv:Envelope>
I want to create this envelope through classic Web Service Reference which created by Visual Studi 2012. Which class should I use to add Username Info to my envelope?
Thank you John, and Ladislav.
Turns out that you should add the header via web.config file to get properly ordered SOAP message. Otherwise .Net tries to nest your code with its own capsulation (even you dont ask for it), and sends some rubbish as a result.

Glassfish, EJB3, SOAP web service and basic authentication

I'm setting up a glassfish server with a single EJB3 as a mocked up backend for a POC. Everything was working fine until I went to add some basic authentication. Just plan text userid and password, nothing sophisticated for this job. I added the following annotations to the EJB:
#WebService(name = "Banking", serviceName = "Banking", targetNamespace = BANKING_NAMESPACE)
#DeclareRoles("user")
#Stateless
public class Banking {
...
#RolesAllowed("user")
#SOAPBinding(parameterStyle = ParameterStyle.BARE)
#WebMethod(action = BANKING_NAMESPACE + "/logon", operationName = "logon")
#WebResult(targetNamespace = XmlStrings.BANKING_MODEL_NAMESPACE)
public LogonResponse logon(#WebParam(targetNamespace = XmlStrings.BANKING_MODEL_NAMESPACE) Logon request) throws WebServiceException {
...
}
}
According to what I've read of EJB3 spec, this is pretty common for doing a SOAP web service.
However when I send this xml:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mod="http://www.dhcbank.com/banking/model">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-79" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>fred</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">fred</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<mod:logon/>
</soapenv:Body>
</soapenv:Envelope>
I get the following error back as a SOAP fault:
java.lang.Exception: Client not authorized for invocation of public com.dhcbank.www.banking.schema.LogonResponse com.dhcbank.www.banking.Banking.logon(com.dhcbank.www.banking.schema.Logon) throws javax.xml.ws.WebServiceException
And in the glassfish log:
[#|2010-10-10T12:49:27.497+1100|INFO|glassfish3.0.1|javax.enterprise.system.core.security|_ThreadID=41;_ThreadName=http-thread-pool-8080-(2);|JACC Policy Provider: Failed Permission Check, context(BankingEAR/Banking_war_internal)- permission((javax.security.jacc.EJBMethodPermission Banking logon,ServiceEndpoint,com.dhcbank.www.banking.schema.Logon))|#]
In the glassfish admin screens I added a user called fred with a fred password and assigned it to a groups called user. But that didn't work.
I did some more reading which suggested that I create a sun-ejb-jar.xml file and add it to the ear file. So I created it with this content:
<sun-ejb-jar>
<enterprise-beans>
<ejb>
<ejb-name>Banking</ejb-name>
<webservice-endpoint>
<port-component-name>Banking</port-component-name>
<login-config>
<auth-method>BASIC</auth-method>
<realm>file</realm>
</login-config>
</webservice-endpoint>
</ejb>
</enterprise-beans>
</sun-ejb-jar>
This is as near as I can tell, correct. However I could not find anything that told me what the values of the port-component-name element should be. So I don't know if I've got it right.
Security does still not appear to be working and I cannot figure out why. Does anyone have any experience with this and can point me at what I've got wrong or not done?
I'm assuming your declared role "user" is the same role name in your file realm? if not provide this mapping in your descriptor:
<sun-ejb-jar>
<security-role-mapping>
<role-name>user</role-name>
<group-name>filerealm-group-name</group-name>
</security-role-mapping>
...
I don't think that you're currently creating the appropriate HTTP header for Basic Authentication. I'm not sure how you create the SOAP request but if you're using a JAX-WS client, the JAX-WS FAQ documents the following:
Q. How do I do basic authentication in JAX-WS?
You can do the following:
HelloService service = new HelloService();
Hello proxy = (service.getHelloPort());
((BindingProvider)proxy).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "userfoo");
((BindingProvider)proxy).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "passbar");
USERNAME_PROPERTY, PASSWORD_PROPERTY
are used primarily for service
requests. I think when you instantiate
Service, it fetches WSDL and the
server is returning 401. You could try
any one of the following solutions.
Use java.net.Authenticator class in your client application.
Provide a local access to the WSDL using catalog. There is a catalog
sample in the jax-ws distribution.
Configure web.xml to allow GET requests without authentication
And unless I'm wrong, the usernametoken would fit if the webservice expects the authentication in the SOAP header, which is not the case according to your description.
In other words, for me, you're currently not sending the credentials for the BASIC auth.
See also
Example: Basic Authentication with JAX-WS
SSL and HTTP BASIC authentication with Glassfish and JAX-WS (more complex scenario)