I want to build a simple example webservice that is protected by username and password.
As a starting point I used: https://docs.jboss.org/author/display/JBWS/WS-Security
The problem: every client, even with wrong or missing credentials, can invoke the web service methods. So the @EndpointConfig seems to have no effect.
But I don't know how to dig deeper, because I couldn't get more detailed information about the web service config by debugging or from the JBoss admin console.
Webservice class:
@WebService(serviceName="MyWebService", portName="MyWebServicePort")
@EndpointConfig(configFile = "WEB-INF/jaxws-endpoint-config.xml", configName = "myconfig")
public class MyWebService { ... }
jaxws-endpoint-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:javaee="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">
<endpoint-config>
<config-name>myconfig</config-name>
<property>
<property-name>ws-security.username</property-name>
<property-value>myusername</property-value>
</property>
<property>
<property-name>ws-security.password</property-name>
<property-value>mypassword</property-value>
</property>
</endpoint-config>
</jaxws-config>
Any suggestion to get unauthorized clients denied?
You basically need to publish your policy in your WSDL.
You have to add this under the binding section of your WSDL:
<binding name="SecurityServicePortBinding" type="tns:ServiceIface">
<wsp:PolicyReference URI="#SecurityServiceSignThenEncryptPolicy"/>
...
</binding>
And add the policy definition itself in your WSDL, like:
<wsp:Policy wsu:Id="SecurityServiceSignThenEncryptPolicy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
...
</sp:AsymmetricBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
When you hit your service URL (e.g. http://localhost:8080/yourservice?wsdl), you should be able to see the policy reference in the returned WSDL. Otherwise, no authentication/encryption happens.
I managed to create a web service with self-signed SSL through IIS. Its settings at first are set to Client Certificate: none, and SSL not required. It is accessible at that time through a web browser and a mobile web reference.
[Screenshot: Web Browser]
[Screenshot: Xamarin Web Reference]
But when I set the SSL settings to required, it is now forbidden in both. What am I missing in the settings for the SSL configuration?
[Screenshot: SSL Settings through IIS]
[Screenshot: Web Browser Forbidden Access]
[Screenshot: Xamarin Web Reference Forbidden Access]
WebConfig
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<connectionStrings>
<add name="constring" providerName="System.Data.SqlClient" connectionString="Data Source = source;Initial Catalog = dbname; User ID = user; Password = pw" />
</connectionStrings>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation targetFramework="4.5" />
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding maxReceivedMessageSize="10485760" name="SecureHttpBinding">
<readerQuotas maxStringContentLength="10485760"></readerQuotas>
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
</configuration>
To access the web service via HTTPS in a web browser, I followed this link for creating a temporary client certificate, but I changed step #5 to this command:
makecert -sk MyKeyName -iv RootCaClientTest.pvk -n "CN=tempClientcert" -ic RootCaClientTest.cer -sr localmachine -ss my -sky exchange -pe
I changed currentuser to localmachine and the signature to exchange so that it will be in the personal certificate store. When you access the site again, it will ask for a client certificate and you can choose it to proceed.
For the main problem, accessing the service in Visual Studio Xamarin via web reference (which is forbidden somehow):
I found this link to solve the forbidden problem. You can see the second post by (c)MarkoOkram for the solution.
"I solved the problem by saving the web browser .wsdl and .xsd files on the file system, and changing the references in those files to the matching files. Then I successfully added a reference in Visual Studio to that file system .wsdl file." -(c) MarkoOkram
I downloaded the WSDL file and the XSDs referenced in the WSDL, then retargeted the file paths to their respective directories, and it's done.
Update: I also tried importing singleWSDL and it works without editing the XSDs.
I'm implementing a web service using camel cxf to be deployed in Karaf.
I'm using the pax-web that comes with Karaf. I'm using the cxf-codegen plugin in the pom to do WSDL-to-Java.
I'm defining the cxf uri and the routes in the RouteBuilder Java DSL. The blueprint.xml only has some beans and ref to the RouteBuilder.
final String cxfUri = String.format("cxf:%s?serviceClass=%s&wsdlURL=wsdl/Event.wsdl",
        "/Event.jws", com.example.EventPortType.class.getCanonicalName());
I have set up SSL with pax-web (jetty.xml). If I send the WSSE security headers with username and password, it generates a MustUnderstand SOAP fault.
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-LdZa8aaGdy7mWQWXLp_zpbfg">
<wsse:Username>xxx</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxx</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
The input request cannot be changed.
I get this exception:
<soap:Fault>
<faultcode>soap:MustUnderstand</faultcode>
<faultstring>MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.</faultstring>
</soap:Fault>
How can I secure the CXF endpoint to authenticate the request?
Thank you.
You need to add the WSS4J interceptors to the exposed CXF service. You can provide your own PasswordCallback for the user validation, but I prefer to leverage the native JAAS. This is a blueprint example requiring the UsernameToken with any Karaf user (this is for exposing camel-cxf routes; however, the same principle applies to the pure CXF implementation). If you prefer Java-based Camel route builders, you may add the interceptor beans to the context registry to use them. But the blueprint (or Spring config) allows you more fine-grained control than simple endpoint parameters.
<?xml version="1.0" encoding="UTF-8"?>
<blueprint
xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cxf="http://cxf.apache.org/blueprint/core"
xmlns:camelcxf="http://camel.apache.org/schema/blueprint/cxf"
xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
xmlns:jaxws="http://cxf.apache.org/blueprint/jaxws"
xsi:schemaLocation="
http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
http://camel.apache.org/schema/cxf http://camel.apache.org/schema/cxf/camel-cxf.xsd http://camel.apache.org/schema/blueprint
http://camel.apache.org/schema/blueprint/camel-blueprint.xsd http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0
http://svn.apache.org/repos/asf/aries/trunk/blueprint/blueprint-cm/src/main/resources/org/apache/aries/blueprint/compendium/cm/blueprint-cm-1.1.0.xsd
http://cxf.apache.org/blueprint/core http://cxf.apache.org/schemas/blueprint/core.xsd
http://cxf.apache.org/blueprint/jaxws http://cxf.apache.org/schemas/blueprint/jaxws.xsd
http://camel.apache.org/schema/blueprint/cxf http://camel.apache.org/schema/cxf/camel-cxf-2.7.5.xsd">
<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
<property name="contextName" value="karaf"/>
<property name="roleClassifier" value="RolePrincipal"/>
<property name="roleClassifierType" value="classname"/>
</bean>
<bean id="wsSecInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<argument>
<map>
<entry key="action" value="UsernameToken"/>
<entry key="passwordType" value="PasswordText"/>
</map>
</argument>
</bean>
<!-- ================ Apache Camel impl ======================= -->
<camelcxf:cxfEndpoint id="testService2"
address="/api/2.0/external/TestService"
xmlns:apogado="http://test.ws.apogado.com/v1_0/ws"
endpointName="apogado:AddressServicePort"
serviceName="apogado:AddressService"
wsdlURL="classpath:/xsd/ws/TestService.wsdl"
>
<camelcxf:properties>
<entry key="dataFormat" value="PAYLOAD" />
<entry key="ws-security.ut.no-callbacks" value="true"/>
<entry key="ws-security.validate.token" value="false"/>
</camelcxf:properties>
<camelcxf:inInterceptors>
<ref component-id="wsSecInterceptor" />
<ref component-id="authenticationInterceptor"/>
</camelcxf:inInterceptors>
<camelcxf:features>
</camelcxf:features>
</camelcxf:cxfEndpoint>
<camelContext xmlns="http://camel.apache.org/schema/blueprint" id="testWsCtx" trace="true">
<!-- your service implementation -->
<route>
<from uri="testService2" />
<to uri="..." />
</route>
</camelContext>
</blueprint>
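The blueprint above makes the MustUnderstand fault go away because the WSS4JInInterceptor claims the wsse:Security header and validates the UsernameToken before the JAAS interceptor sees the user. The following Python script is an added example, not code from the question, the answer, CXF or WSS4J: it reproduces that validation decision outside the container so the rules can be read and unit-tested. A request is accepted only when the header and token are present, the password Type matches the configured one (the answer's passwordType=PasswordText), and the credential verifies in constant time; it also handles the profile's PasswordDigest variant, which the posts do not use. The USERS map, the envelope() and username_token() builders and the sample values are constructed assumptions for the example; the namespace URIs are the ones in the posted header.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces exactly as in the request header posted in the question.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UT + "#PasswordText"
PASSWORD_DIGEST = UT + "#PasswordDigest"

# Constructed credential store for the example; the answer delegates this to Karaf's JAAS realm.
USERS = {"alice": "s3cret"}


def password_digest(nonce_b64, created, password):
    """UsernameToken profile: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def authenticate(envelope_xml, accepted_type=PASSWORD_TEXT):
    """Decide whether a SOAP 1.1 request carries a valid UsernameToken.

    Returns (ok, fault_code, detail). The checks follow what a WSS4J UsernameToken action
    does: header and token present, password Type equal to the configured one, credential
    verified; unknown user and wrong password yield the same fault so names are not leaked.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % SOAP)
    security = header.find("{%s}Security" % WSSE) if header is not None else None
    if security is None:
        return False, "wsse:InvalidSecurity", "no wsse:Security header"
    token = security.find("{%s}UsernameToken" % WSSE)
    if token is None:
        return False, "wsse:InvalidSecurity", "no wsse:UsernameToken"
    user = token.findtext("{%s}Username" % WSSE)
    pw = token.find("{%s}Password" % WSSE)
    if not user or pw is None or not pw.text:
        return False, "wsse:InvalidSecurity", "Username or Password missing"
    pw_type = pw.get("Type", PASSWORD_TEXT)  # profile default when Type is absent
    if pw_type != accepted_type:
        return False, "wsse:InvalidSecurity", "password type not accepted: " + pw_type
    stored = USERS.get(user, "")  # empty secret for unknown users keeps the code path uniform
    if pw_type == PASSWORD_DIGEST:
        nonce = token.findtext("{%s}Nonce" % WSSE)
        created = token.findtext("{%s}Created" % WSU)
        if not nonce or not created:
            return False, "wsse:InvalidSecurity", "digest token lacks Nonce or Created"
        expected = password_digest(nonce, created, stored)
    else:
        expected = stored
    if not hmac.compare_digest(pw.text.encode(), expected.encode()) or not stored:
        return False, "wsse:FailedAuthentication", "authentication failed"
    return True, None, user


def username_token(user, password, pw_type=PASSWORD_TEXT, nonce=None, created=None):
    """Build the wsse:Security header in the shape shown in the question (constructed input)."""
    extra = ""
    if pw_type == PASSWORD_DIGEST:
        extra = ('<wsse:Nonce>%s</wsse:Nonce><wsu:Created xmlns:wsu="%s">%s</wsu:Created>'
                 % (nonce, WSU, created))
    return ('<wsse:Security xmlns:wsse="%s" S:mustUnderstand="1"><wsse:UsernameToken>'
            '<wsse:Username>%s</wsse:Username><wsse:Password Type="%s">%s</wsse:Password>%s'
            '</wsse:UsernameToken></wsse:Security>' % (WSSE, user, pw_type, password, extra))


def envelope(security_header=""):
    """Minimal SOAP 1.1 envelope around an optional security header (constructed input)."""
    return ('<S:Envelope xmlns:S="%s"><S:Header>%s</S:Header>'
            '<S:Body><ping/></S:Body></S:Envelope>' % (SOAP, security_header))


if __name__ == "__main__":
    print(authenticate(envelope()))                                   # rejected: no header
    print(authenticate(envelope(username_token("alice", "s3cret"))))  # accepted
```

A request with no wsse:Security header is refused with a fault instead of being passed through, which is the behaviour the JBoss question at the top of this page was missing. PasswordText carries the secret in clear, so it belongs only behind the TLS that the question already configures in jetty.xml; switching accepted_type to PASSWORD_DIGEST is the WSS4J passwordType=PasswordDigest setting, and the code then also requires the Nonce and Created elements the digest is computed over.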
I'm unable to test a web service that has a security policy attached. I have been required to develop several web services and protect them with a simple user and password. There are no further security requirements (no encryption, no SSL, etc.).
In order to test the security bits, I built a dummy web service with the top-down method using JDeveloper 11g. The simple service works and can be tested via the HTTP Analyzer and invoked with SoapUI while running in the integrated WebLogic server. The service also works when deployed to a stand-alone WebLogic 10.3.6.0 server.
Then I try to attach security policies. I have successfully attached them using two methods:
1) At development time by adding the @Policy annotation
2) After deployment using the WLS console, going to the Web Service Configuration tab, then WS-Policy and attaching a policy and letting the console update the deployment plan as per instructed in this document.
(After either of these options the HTTP Analyzer is unable to test the service, as it doesn't generate the SOAP structure form to fill in the parameters, nor does it allow pasting the text for a request. The Test applet in the server console can't access the WSDL either, so I'm left with SoapUI only.)
I conclude that the attachment is correct because when consulting the WSDL from the server, it has policy-related nodes, which the original I wrote doesn't.
The problem comes when I test with SoapUI 5.0.0.
If I don't add any type of user/password information, the response contains:
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>Unknown exception, internal system processing error.</faultstring>
</env:Fault>
If I add the following headers:
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>usertext</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">passwordtext</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
then the response changes to:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>Error codes: 3001 4001 3201 1008 1028 Error code:3001</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
If I add the security information in the properties of the request without removing the headers I added manually to the request then the response becomes:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>Error on verifying message against security policy Error code:1025</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
The properties I change are: Username, Password, Domain, WSS-Password type (PasswordText), WSS-TimeToLive(50000). The property Authentication Type shows the fixed value "No Authorization" and cannot be changed.
If at this point I remove the manually added header the response becomes the same as the second response I included.
I have tried the following pre defined policies:
Wssp1.2-2007-Wss1.1-UsernameToken-Plain-X509-Basic256.xml
Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml
Wssp1.2-2007-Https-BasicAuth.xml
Wssp1.2-2007-Https-UsernameToken-Plain.xml
(The last two produce a different error related to the SSL configuration of the server)
I have also made several searches of wsse:InvalidSecurity, and the related error codes in the fault string, but have obtained no relevant information.
I have read several Oracle docs (such as E17904_01, E23943_01, E12461_01), but there is no information on what to do after attaching the policies, nor do I find specific information on how to modify the request in order to fulfill the security requirements. I also made several searches for examples or for the errors I get, on this site and others.
So the question is: what further steps are needed to be able to invoke this web service while protecting it with a plain text user and password?
A secondary question is where do I specify which users can access the service? At the moment I assume that any user in the default realm will have access, and so I'm testing with a user for which I know the password in the default security realm "myrealm".
The wsdl as returned by the server after the policy is attached follows:
<!--
Published by JAX-WS RI at http://jax-ws.dev.java.net. RI's version is Oracle JAX-WS 2.1.5.
-->
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="asegurado.institution.org" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" targetNamespace="asegurado.institution.org">
<wsp:UsingPolicy wssutil:Required="true" />
<wsp:Policy wssutil:Id="Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml">
<ns0:AsymmetricBinding xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns0:InitiatorToken>
<wsp:Policy>
<ns0:X509Token ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns0:WssX509V3Token10/>
</wsp:Policy>
</ns0:X509Token>
</wsp:Policy>
</ns0:InitiatorToken>
<ns0:RecipientToken>
<wsp:Policy>
<ns0:X509Token ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<ns0:WssX509V3Token10/>
</wsp:Policy>
</ns0:X509Token>
</wsp:Policy>
</ns0:RecipientToken>
<ns0:AlgorithmSuite>
<wsp:Policy>
<ns0:Basic256/>
</wsp:Policy>
</ns0:AlgorithmSuite>
<ns0:Layout>
<wsp:Policy>
<ns0:Lax/>
</wsp:Policy>
</ns0:Layout>
<ns0:IncludeTimestamp/>
<ns0:ProtectTokens/>
<ns0:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</ns0:AsymmetricBinding>
<ns0:SignedEncryptedSupportingTokens xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns0:UsernameToken ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns0:WssUsernameToken10/>
</wsp:Policy>
</ns0:UsernameToken>
</wsp:Policy>
</ns0:SignedEncryptedSupportingTokens>
<ns0:Wss10 xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns0:MustSupportRefKeyIdentifier/>
<ns0:MustSupportRefIssuerSerial/>
</wsp:Policy>
</ns0:Wss10>
</wsp:Policy>
<types>
<xsd:schema>
<xsd:import namespace="asegurado.institution.org" schemaLocation="http://hn-apli-dev:7001/Asegurado/asegurado?xsd=1" />
</xsd:schema>
</types>
<message name="intentarRequest">
<part name="request" type="tns:intentarRequest" />
</message>
<message name="intentarResponse">
<part name="response" type="tns:intentarResponse" />
</message>
<portType name="asegurado">
<operation name="intentar">
<input message="tns:intentarRequest" />
<output message="tns:intentarResponse" />
</operation>
</portType>
<binding name="aseguradoBinding" type="tns:asegurado">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<operation name="intentar">
<wsp:PolicyReference URI="#Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256.xml" />
<soap:operation style="document" soapAction="asegurado.isntitution.org/intentar" />
<input>
<soap:body use="literal" parts="request" />
</input>
<output>
<soap:body use="literal" parts="response" />
</output>
</operation>
</binding>
<service name="ServicioAsegurado">
<port name="asegurado" binding="tns:aseguradoBinding" />
</service>
</definitions>
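Two threads on this page turn on what the WSDL returned by the server actually advertises: the JBoss answer says that if the wsp:PolicyReference is not visible in the returned WSDL, no authentication happens, and the WebLogic WSDL above carries a policy whose assertions decide what a request has to contain. The following Python script is an added example, not code from either post or from WebLogic, JBoss or SoapUI. It parses a WSDL, resolves every wsp:PolicyReference on each binding and its operations to a wsp:Policy with a matching wsu:Id in the same document, and lists the WS-SecurityPolicy assertions that policy contains, so a binding with no policy and a reference that points at nothing are both reported. SAMPLE_WSDL is a constructed document modelled on the one posted above, trimmed to the secured binding plus a hypothetical unprotected one; the namespace URIs are the real ones from the posted WSDL.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the WSDL posted above.
WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def assertion_names(policy):
    """Local names of every non-wsp element under a wsp:Policy, i.e. the security assertions.

    wsp:Policy / wsp:ExactlyOne / wsp:All only express alternatives and are skipped.
    """
    names = set()
    for el in policy.iter():
        if not el.tag.startswith("{" + WSP + "}"):
            names.add(el.tag.split("}")[-1])
    return names


def policy_report(wsdl_xml):
    """Resolve the wsp:PolicyReference elements on each wsdl:binding and its operations.

    Result: {binding name: {"assertions": sorted list, "unresolved": [URIs found nowhere]}}.
    An empty assertion list means the binding advertises no policy at all; an unresolved URI
    means the reference is there but the policy body is not in the document.
    """
    root = ET.fromstring(wsdl_xml)
    by_id = {p.get("{%s}Id" % WSU): p
             for p in root.iter("{%s}Policy" % WSP) if p.get("{%s}Id" % WSU)}
    report = {}
    for binding in root.findall("{%s}binding" % WSDL):
        refs = list(binding.findall("{%s}PolicyReference" % WSP))
        for op in binding.findall("{%s}operation" % WSDL):
            refs.extend(op.findall("{%s}PolicyReference" % WSP))
        names, unresolved = set(), []
        for ref in refs:
            uri = ref.get("URI", "")
            # Only same-document references (#id) are resolved here; anything else is reported.
            target = by_id.get(uri[1:]) if uri.startswith("#") else None
            if target is None:
                unresolved.append(uri)
            else:
                names |= assertion_names(target)
        report[binding.get("name")] = {"assertions": sorted(names), "unresolved": unresolved}
    return report


# Constructed sample modelled on the WSDL posted above: one binding carries the policy
# reference, a second (hypothetical) binding carries none.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:example"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  targetNamespace="urn:example">
  <wsp:UsingPolicy wssutil:Required="true"/>
  <wsp:Policy wssutil:Id="UsernameToken-Plain-X509"
      xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <ns0:AsymmetricBinding><wsp:Policy>
      <ns0:InitiatorToken><wsp:Policy><ns0:X509Token><wsp:Policy>
        <ns0:WssX509V3Token10/></wsp:Policy></ns0:X509Token></wsp:Policy></ns0:InitiatorToken>
      <ns0:IncludeTimestamp/><ns0:ProtectTokens/><ns0:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></ns0:AsymmetricBinding>
    <ns0:SignedEncryptedSupportingTokens><wsp:Policy><ns0:UsernameToken><wsp:Policy>
      <ns0:WssUsernameToken10/></wsp:Policy></ns0:UsernameToken></wsp:Policy></ns0:SignedEncryptedSupportingTokens>
  </wsp:Policy>
  <portType name="asegurado"><operation name="intentar"/></portType>
  <binding name="aseguradoBinding" type="tns:asegurado">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="intentar"><wsp:PolicyReference URI="#UsernameToken-Plain-X509"/></operation>
  </binding>
  <binding name="unprotectedBinding" type="tns:asegurado">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="intentar"/>
  </binding>
</definitions>"""


if __name__ == "__main__":
    for name, entry in policy_report(SAMPLE_WSDL).items():
        print(name, entry)
```

Fed the WSDL posted above instead of the sample, the report for aseguradoBinding lists AsymmetricBinding, InitiatorToken, X509Token, IncludeTimestamp, ProtectTokens and UsernameToken side by side: the attached Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256 policy describes a signed, timestamped message whose initiator presents an X.509 token, with the username token as a signed supporting token, which is more than a bare wsse:UsernameToken header. An empty assertion list, or any entry under "unresolved", is the "policy not published" situation the JBoss answer describes.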
I'm a beginner. I have a Mule flow in which I would like to call a SOAP web service operation which has 4 input arguments:
"public double calculateInterest(double principal, double year, double rate, int appid)".
I tried using a file or HTTP endpoint, where I end up with a String array or Object array while using set payload.
The exception thrown is:
cannot be cast to java.lang.Double. Failed to route event via endpoint: org.mule.module.cxf.CxfOutboundMessageProcessor. Message payload is of type: String[]
Could somebody suggest the best way to do it?
You can configure a file or HTTP inbound endpoint, write a Java component (remove the CXF component), extract the parameters from the payload, cast them to the required types and call the web service method from the component.
Here is an example of a simple web service:
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:cxf="http://www.mulesoft.org/schema/mule/cxf" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:spring="http://www.springframework.org/schema/beans" xmlns:core="http://www.mulesoft.org/schema/mule/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="CE-3.3.0" xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/cxf http://www.mulesoft.org/schema/mule/cxf/current/mule-cxf.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd ">
<flow name="getCalculationFlow1" doc:name="getCalculationFlow1">
<http:inbound-endpoint exchange-pattern="request-response" host="localhost" port="8081" path="getCalculation" doc:name="HTTP"/>
<cxf:jaxws-service serviceClass="com.services.getcalculation.v1.GetCalculation" doc:name="SOAP"/>
<component class="com.services.schema.getcalculation.v1.GetCalculationImpl" doc:name="Java"/>
</flow>
</mule>
where com.services.getcalculation.v1.GetCalculation is the web service class generated using Apache CXF from the WSDL files, and com.services.schema.getcalculation.v1.GetCalculationImpl is the implementation class of the web service. Hope this helps.
I'm connecting to a secure service.
I have a SOAP UI project configured to use a jks file to provide the certificate, along with appropriate security settings to allow me to get a valid response.
I have used Axis2 and Rampart to create a SOAP request from a Java project.
Using TCPMon I've managed to grab the SOAP request.
When the request runs in the JAVA project, I just get the response:
org.apache.axis2.AxisFault: Missing wsse:Security header in request
but if I take the same request, captured in TCPMon and put it in a SOAP UI project, I get a response successfully.
Anyone got any ideas?
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-1">
<wsu:Created>2012-06-01T15:09:12.520Z</wsu:Created>
<wsu:Expires>2012-06-01T15:14:12.520Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-ECDB0E....01">
MIID4DCCA0mgAwIBAgIBFjAN....</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#Id-15..93">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>
3wgvhJ8SI2soC..IA=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>
VlzDT69YEl..qTlbj0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ZCRypw/..=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-ECD..2">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-ECDB0E6..6193">
<wsse:Reference URI="#CertId-ECDB0E..01"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-15..3"><ns2:ProductSearchV2Request xmlns:ns2="http://product.webservice.sxc.com">
<ns2:Strength>900</ns2:Strength>
<ns2:MaximumResultSetInd>true</ns2:MaximumResultSetInd>
<ns2:MaximumResultSet>100</ns2:MaximumResultSet>
</ns2:ProductSearchV2Request></soapenv:Body></soapenv:Envelope>
This is the WS-POLICY document that I'm using:
<?xml version="1.0" encoding="UTF-8"?>
<!--
!
! Copyright 2006 The Apache Software Foundation.
!
! Licensed under the Apache License, Version 2.0 (the "License");
! you may not use this file except in compliance with the License.
! You may obtain a copy of the License at
!
! http://www.apache.org/licenses/LICENSE-2.0
!
! Unless required by applicable law or agreed to in writing, software
! distributed under the License is distributed on an "AS IS" BASIS,
! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
! See the License for the specific language governing permissions and
! limitations under the License.
!-->
<wsp:Policy wsu:Id="SigOnly"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>ctr</ramp:user>
<ramp:encryptionUser>ctr</ramp:encryptionUser>
<ramp:passwordCallbackClass>com.gtnet.rampart.PWCBHandler
</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">build\resources\qa.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123123</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Thanks
Alan
It looks as if the error isn't with the outbound request, but with handling the response.
The response doesn't have a security header and when we're trying to unencrypt it, an exception occurs.
I need to somehow change my Rampart configuration to only do outbound security, not inbound
I'll report back :)
OK, the problem was that once Rampart is engaged, it expects the response to have the same security header.
The way I solved the problem was by removing the handler to the Inflow security in the Rampart.mar file.
I'm not sure if this is the best fix, but it worked for us.
To remove the inflow handler:
Unpack the rampart.mar file
Comment out the Inflow section
Zip up the META_INF folder. Then rename the .zip file to be .mar
Now when you use this, as there are no handlers defined for inflow, it will just use the standard Axis2 response handler.
I guess if you had several projects using Rampart where some had the security header in the response and some didn't you would need a different approach.
Another approach is detailed here.
It's probably a better approach:
http://blog.rampartfaq.com/2009/11/how-to-generate-non-secure-response-to.html
Exception:
org.apache.axis2.AxisFault: Missing wsse:Security header in request
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
After navigating a lot, and reading the same pages several times, I finally got a solution that satisfied me.
From a previous post I quote: "Ok the problem was that once Rampart is engaged, it expects the response to have the same security header." (as the request)
This is absolutely true!
I feel that the best approach is found in the following link: http://xacmlinfo.org/2012/11/09/disabling-ws-security-for-in-or-out-messages-in-axis2/
However, in my case I didn't want to make a new module, so I decided to emulate the module in my code. I'll try to explain it in three steps.
(First) I used a default policy (taken from the previous link) as a method in my code. (It worked for Axis 1.6.2 and the compatible version of Rampart.)
private String getPolicy()
{
    return "xml for policy";
}
Important: the method must return the following XML as a String (shown here unescaped for better reading):
<wsp:Policy wsu:Id="emptryPolicy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
(Second) I created a Policy object based on the previous method.
InputStream stream = new ByteArrayInputStream(getPolicy().getBytes());
Policy p = PolicyEngine.getPolicy(stream);
(Third) I used the properties of KEY_RAMPART_IN_POLICY and KEY_RAMPART_OUT_POLICY.
Stub._getServiceClient().getOptions().setProperty(RampartMessageData.KEY_RAMPART_OUT_POLICY, the security policy of the web service);
Stub._getServiceClient().getOptions().setProperty(RampartMessageData.KEY_RAMPART_IN_POLICY, p);
Important
The security policy of the web service depends on the security that the web service uses. If your provider supplied the policy in the WSDL, you would not have to struggle with this, but in other cases you just use the Rampart policies. On the Rampart site there are examples described very clearly for each type of security policy (UsernameToken authentication, AsymmetricBinding, etc.).
This example fashions a request with security and a response without security.
It Works for me!
In my case it was the same problem, but I got a success response by changing the SOAP request version namespace URI in the stub. I changed the namespace URI from "http://www.w3.org/2003/05/soap-envelope" to "http://schemas.xmlsoap.org/soap/envelope/".