You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomee.apache.org by capozx <me...@dariocapozzi.it> on 2018/09/14 11:14:26 UTC
Problem authenticating SOAP usernameToken
Hi, i'm a trying to develop a SOAP web service, but i'm having trouble
authenticating the UsernameToken included in every SOAP message header.My
tomEE server version is tomEE plus 7.0.5.According to the documentation,
WS-SecurityPolicy does the necessary work to handle security, after a proper
configuration.I do configuration through Endpoint Property Annotations, in
the following way: @WebService(targetNamespace = "http://tempuri.org/", name
= "MyService")@EndpointProperties(value = { @EndpointProperty(key =
"ws-security.callback-handler", value =
"org.tempuri.ServerPasswordCallback") //@EndpointProperty(key =
"ws-security.validate.token", value = "false") })public interface
MyService {...}The ServerPasswordCallback is:public class
ServerPasswordCallback implements CallbackHandler { public
ServerPasswordCallback() { System.out.println("Instantiating
ServerPasswordCallback"); } public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
System.out.println("Validating on ServerPasswordCallback");
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; if
(pc.getIdentifier().equals("joe")) { // set the password on the
callback. This will be compared to the // password which was sent
from the client. pc.setPassword("password"); } }}The
problem is that i get the following exception:Caused by:
org.apache.wss4j.common.ext.WSSecurityException: The security token could
not be authenticated or authorized at
org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:176)
at
org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:136)
at
org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:94)The
sent message's header is: <?xml version="1.0"?> joe password
ey+3J+OKoHlhfqREn7Q8jw== 2018-09-14T10:59:10.459Z
2018-09-14T10:59:10.459Z 2018-09-14T10:59:15.459Z The strange
thing is that seems that ServerPasswordCallback is never instantiated, and
handle() is never called.If in the Endpoint properties annotations i set
ws-security.validate.token to false, the former Exception is thrown, even if
thisproperty should prevent Token validation.That fact make me think that
annotations are not working, but i can't figure out why.Is this the correct
way of authenticating a UsernameToken?Are the Endpoint properties
annotations correct?
--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
Re: Problem authenticating SOAP usernameToken
Posted by capozx <me...@dariocapozzi.it>.
Hi Jon, thanks for your reply. I'm sorry for the poor formatting of my
question.
I created a repository with a Sample Project, the link is
https://github.com/capozx/WSDLTest
Thank you.
Dario
--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
Re: Problem authenticating SOAP usernameToken
Posted by Jonathan Gallimore <jo...@gmail.com>.
Its a bit hard to read your email - my guess is it got reformatted
somewhere along the line. Are you able to attach a sample project for us to
dig into?
Thanks
Jon
On Fri, Sep 14, 2018 at 12:14 PM capozx <me...@dariocapozzi.it> wrote:
> Hi, i'm a trying to develop a SOAP web service, but i'm having trouble
> authenticating the UsernameToken included in every SOAP message header.My
> tomEE server version is tomEE plus 7.0.5.According to the documentation,
> WS-SecurityPolicy does the necessary work to handle security, after a
> proper
> configuration.I do configuration through Endpoint Property Annotations, in
> the following way: @WebService(targetNamespace = "http://tempuri.org/",
> name
> = "MyService")@EndpointProperties(value = { @EndpointProperty(key =
> "ws-security.callback-handler", value =
> "org.tempuri.ServerPasswordCallback") //@EndpointProperty(key =
> "ws-security.validate.token", value = "false") })public interface
> MyService {...}The ServerPasswordCallback is:public class
> ServerPasswordCallback implements CallbackHandler { public
> ServerPasswordCallback() { System.out.println("Instantiating
> ServerPasswordCallback"); } public void handle(Callback[] callbacks)
> throws IOException, UnsupportedCallbackException {
> System.out.println("Validating on ServerPasswordCallback");
> WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; if
> (pc.getIdentifier().equals("joe")) { // set the password on the
> callback. This will be compared to the // password which was
> sent
> from the client. pc.setPassword("password"); } }}The
> problem is that i get the following exception:Caused by:
> org.apache.wss4j.common.ext.WSSecurityException: The security token could
> not be authenticated or authorized at
>
> org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:176)
> at
>
> org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:136)
> at
>
> org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:94)The
> sent message's header is: <?xml version="1.0"?> joe
> password
> ey+3J+OKoHlhfqREn7Q8jw== 2018-09-14T10:59:10.459Z
> 2018-09-14T10:59:10.459Z 2018-09-14T10:59:15.459Z The strange
> thing is that seems that ServerPasswordCallback is never instantiated, and
> handle() is never called.If in the Endpoint properties annotations i set
> ws-security.validate.token to false, the former Exception is thrown, even
> if
> thisproperty should prevent Token validation.That fact make me think that
> annotations are not working, but i can't figure out why.Is this the correct
> way of authenticating a UsernameToken?Are the Endpoint properties
> annotations correct?
>
>
>
> --
> Sent from:
> http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html