You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by shadowlaw <ay...@gmail.com> on 2012/10/16 17:38:24 UTC
CXF- WSS4J
Hi,
i'm trying to secure my web service using basic authentification using the
WWS4JInterceptor and callbackHandler
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
id="authentificationInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
<entry key="passwordType" value="PasswordDigest"/>
<entry key="signaturePropFile" value="..."/>
<entry key="passwordCallbackRef">
<bean
class="com.orange.ada.ws.config.interceptor.AuthentificationCallback"/>
</entry>
</map>
</constructor-arg>
</bean>
but when test the code using soap ui i get this exception
java.lang.NoSuchMethodError:
org.apache.ws.security.WSSecurityEngine.getWssConfig()Lorg/apache/ws/security/WSSConfig
i'm using cxf 2.6 and spring 3 and jonas server 4.10.9.
Any idea how can resolve this issue?
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752.html
Sent from the cxf-user mailing list archive at Nabble.com.
RE: CXF- WSS4J
Posted by shadowlaw <ay...@gmail.com>.
thanks for the reply guys, I'm gonna use the basic code above and see what
happens, for the version I think its better using the 2.6 than any older one
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716820.html
Sent from the cxf-user mailing list archive at Nabble.com.
RE: CXF- WSS4J
Posted by shadowlaw <ay...@gmail.com>.
solved my problem. Actually it was a configuration problem of my soapui
client, you have to choose premptive mode in order for soapui to hash the
credentials.
thanks guys for your help.
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716935.html
Sent from the cxf-user mailing list archive at Nabble.com.
RE: CXF- WSS4J
Posted by shadowlaw <ay...@gmail.com>.
Here is the request
ID: 1
Address: http://localhost:9000/ada-ws/AdaConfigWs
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml;charset=UTF-8
Headers: {accept-encoding=[gzip,deflate], Authorization=[Basic
tomcat:tomcat], connection=[Keep-Alive], Content-Length=[1071],
content-type=[text/xml;charset=UTF-8], hos
t=[localhost:9000], SOAPAction=["urn:orange.com:ada/ws/config/GetSite"],
user-agent=[Apache-HttpClient/4.1.1 (java 1.5)]}
Payload: <soapenv:Envelope xmlns:oxm="urn:orange.com:ada/ws/config/oxm"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:v1="urn:orange.com:ada/ws/config/M
10/V1">
<soapenv:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss
/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
wsu:Id="UsernameToken-92"><wsse:Username>username</wsse:Username><wsse:Password
Type="http://doc
s.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password><wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/20
04/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">g3lzcFRXE81/DrsEVa4VKw==</wsse:Nonce><wsu:Created>2012-10-17T14:52:04.372Z</wsu:Created></wsse:UsernameToke
n></wsse:Security></soapenv:Header>
<soapenv:Body>
<v1:GetSite>
<v1:request>
<oxm:code_env>GLOB</oxm:code_env>
</v1:request>
</v1:GetSite>
</soapenv:Body>
</soapenv:Envelope>
--------------------------------------
Invalid username or password for user: ¡¿ºnî-óg→
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716839.html
Sent from the cxf-user mailing list archive at Nabble.com.
RE: CXF- WSS4J
Posted by Andrei Shakirin <as...@talend.com>.
Could you intercept your HTTP request using TCP monitor and paste it here?
Regards,
Andrei.
-----Original Message-----
From: shadowlaw [mailto:aymen.benhmida@gmail.com]
Sent: Mittwoch, 17. Oktober 2012 14:19
To: users@cxf.apache.org
Subject: RE: CXF- WSS4J
I found an example of code from
http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
<http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/>
which is working but the problem is that the string encoding of the username is unknown for me
Invalid username or password for user: *¡¿ºnî←«'`*. I used an utility from CXF new String(Base64Utility.decode(policy.getUserName())) but it's not working.
Any idea?
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716825.html
Sent from the cxf-user mailing list archive at Nabble.com.
RE: CXF- WSS4J
Posted by shadowlaw <ay...@gmail.com>.
I found an example of code from
http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
<http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/>
which is working but the problem is that the string encoding of the username
is unknown for me
Invalid username or password for user: *¡¿ºnî←«'`*. I used an utility from
CXF new String(Base64Utility.decode(policy.getUserName())) but it's not
working.
Any idea?
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716825.html
Sent from the cxf-user mailing list archive at Nabble.com.
RE: CXF- WSS4J
Posted by Andrei Shakirin <as...@talend.com>.
>What about older version of cxf?
Basically migration on older CXF is alternative, but as far as I can see WSS4J has WSSecurityEngine. getWssConfig() method since version 1.5.4.
So it is necessary to migrate at least to CXF 2.1 that uses WSS4J 1.5.2.
CXF 2.2 already uses WSS4J 1.5.6 that definitely will have the same problem.
Not sure is CXF 2.1 is appropriate solution ...
Regards,
Andrei.
-----Original Message-----
From: jasonmpell@gmail.com [mailto:jasonmpell@gmail.com]
Sent: Mittwoch, 17. Oktober 2012 12:39
To: users@cxf.apache.org
Cc: nizarrazin
Subject: RE: CXF- WSS4J
What about older version of cxf?
On Oct 17, 2012 9:11 PM, "Andrei Shakirin" <as...@talend.com> wrote:
> Do you need HTTP-basic or UsernameToken authentication via SOAP Header?
>
> 1. For HTTP basic authentication you don't need any special
> configuration on the service side, just get your username/password:
> @Resource
> WebServiceContext webServiceContext;
>
> AuthorizationPolicy policy = (AuthorizationPolicy)
> webServiceContext.getMessageContext().get(AuthorizationPolicy.class.getName());
> String username = policy.getUserName();
> String password = policy.getPassword();
>
> 2. For UsernameToken authentication via SOAP Header I see the
> following
> possibilities:
> a) Do not use CXF WSS4J stuff at all and obtain required values from
> SOAP Header manually:
> @Resource
> WebServiceContext webServiceContext;
>
> List<Header> list =
> (List<Header>)webServiceContext.getMessageContext().get("org.apache.cxf.headers.Header.list");
> for (Header key : list) {
> // Get UsernameToken header values here
> System.out.println(key.getName() + " - " + key.getObject());
> }
>
> b) You can try to configure UsernameTokenInterceptor instead
> WSS4InInterceptor. It bypasses the full WSS4J handling and processes
> the header directly.
> UsernameTokenInterceptor is also dependent on WSS4J, but MAY BE it
> works also with older versions.
>
> Regards,
> Andrei.
>
> -----Original Message-----
> From: shadowlaw [mailto:aymen.benhmida@gmail.com]
> Sent: Mittwoch, 17. Oktober 2012 10:03
> To: users@cxf.apache.org
> Subject: Re: CXF- WSS4J
>
> I will ask in the Jonas forum, but the version we are using is pretty
> old so I'm not sure if there is such a option. Is there another way to
> to use the basic authentification without WSS4J in cxf or I have to
> use spring security or other framework?
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716800.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
RE: CXF- WSS4J
Posted by ja...@gmail.com.
What about older version of cxf?
On Oct 17, 2012 9:11 PM, "Andrei Shakirin" <as...@talend.com> wrote:
> Do you need HTTP-basic or UsernameToken authentication via SOAP Header?
>
> 1. For HTTP basic authentication you don't need any special configuration
> on the service side, just get your username/password:
> @Resource
> WebServiceContext webServiceContext;
>
> AuthorizationPolicy policy = (AuthorizationPolicy)
> webServiceContext.getMessageContext().get(AuthorizationPolicy.class.getName());
> String username = policy.getUserName();
> String password = policy.getPassword();
>
> 2. For UsernameToken authentication via SOAP Header I see the following
> possibilities:
> a) Do not use CXF WSS4J stuff at all and obtain required values from SOAP
> Header manually:
> @Resource
> WebServiceContext webServiceContext;
>
> List<Header> list =
> (List<Header>)webServiceContext.getMessageContext().get("org.apache.cxf.headers.Header.list");
> for (Header key : list) {
> // Get UsernameToken header values here
> System.out.println(key.getName() + " - " + key.getObject());
> }
>
> b) You can try to configure UsernameTokenInterceptor instead
> WSS4InInterceptor. It bypasses the full WSS4J handling and processes the
> header directly.
> UsernameTokenInterceptor is also dependent on WSS4J, but MAY BE it works
> also with older versions.
>
> Regards,
> Andrei.
>
> -----Original Message-----
> From: shadowlaw [mailto:aymen.benhmida@gmail.com]
> Sent: Mittwoch, 17. Oktober 2012 10:03
> To: users@cxf.apache.org
> Subject: Re: CXF- WSS4J
>
> I will ask in the Jonas forum, but the version we are using is pretty old
> so I'm not sure if there is such a option. Is there another way to to use
> the basic authentification without WSS4J in cxf or I have to use spring
> security or other framework?
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716800.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
RE: CXF- WSS4J
Posted by Andrei Shakirin <as...@talend.com>.
Do you need HTTP-basic or UsernameToken authentication via SOAP Header?
1. For HTTP basic authentication you don't need any special configuration on the service side, just get your username/password:
@Resource
WebServiceContext webServiceContext;
AuthorizationPolicy policy = (AuthorizationPolicy) webServiceContext.getMessageContext().get(AuthorizationPolicy.class.getName());
String username = policy.getUserName();
String password = policy.getPassword();
2. For UsernameToken authentication via SOAP Header I see the following possibilities:
a) Do not use CXF WSS4J stuff at all and obtain required values from SOAP Header manually:
@Resource
WebServiceContext webServiceContext;
List<Header> list = (List<Header>)webServiceContext.getMessageContext().get("org.apache.cxf.headers.Header.list");
for (Header key : list) {
// Get UsernameToken header values here
System.out.println(key.getName() + " - " + key.getObject());
}
b) You can try to configure UsernameTokenInterceptor instead WSS4InInterceptor. It bypasses the full WSS4J handling and processes the header directly.
UsernameTokenInterceptor is also dependent on WSS4J, but MAY BE it works also with older versions.
Regards,
Andrei.
-----Original Message-----
From: shadowlaw [mailto:aymen.benhmida@gmail.com]
Sent: Mittwoch, 17. Oktober 2012 10:03
To: users@cxf.apache.org
Subject: Re: CXF- WSS4J
I will ask in the Jonas forum, but the version we are using is pretty old so I'm not sure if there is such a option. Is there another way to to use the basic authentification without WSS4J in cxf or I have to use spring security or other framework?
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716800.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: CXF- WSS4J
Posted by shadowlaw <ay...@gmail.com>.
I will ask in the Jonas forum, but the version we are using is pretty old so
I'm not sure if there is such a option. Is there another way to to use the
basic authentification without WSS4J in cxf or I have to use spring security
or other framework?
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716800.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: CXF- WSS4J
Posted by Daniel Kulp <dk...@apache.org>.
On Oct 16, 2012, at 12:02 PM, shadowlaw <ay...@gmail.com> wrote:
> I guess it's WSS4j versions overlap, but the problem is that in jonas server
> they don't mentions the exact version but since it's a little bit older
> version of jonas.
> i think it is the 1.5 or something, when i tryied to upgrade the version i
> got a hole bunch of other exceptions,
> is there any other way to get ride of the WSS4JInterceptor for basic
> authentication?
You may want to ask on the Jonas lists. Most of the app servers have some way to configure the application to have it use the jars/libs specific to the application instead of stuff pulled from the app server libraries.
Dan
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716756.html
> Sent from the cxf-user mailing list archive at Nabble.com.
--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
RE: CXF- WSS4J
Posted by shadowlaw <ay...@gmail.com>.
I guess it's WSS4j versions overlap, but the problem is that in jonas server
they don't mentions the exact version but since it's a little bit older
version of jonas.
i think it is the 1.5 or something, when i tryied to upgrade the version i
got a hole bunch of other exceptions,
is there any other way to get ride of the WSS4JInterceptor for basic
authentication?
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752p5716756.html
Sent from the cxf-user mailing list archive at Nabble.com.
RE: CXF- WSS4J
Posted by Andrei Shakirin <as...@talend.com>.
Hi,
Obviously you have other version of wss4j in your application server.
CXF 2.6.X works with wss4j 1.6.5, but it seems that wss4j 1.5.X is loaded in your environment.
Can your verify what is the version of wss4j-xxx.jar is actually deployed?
Regards,
Andrei.
-----Original Message-----
From: shadowlaw [mailto:aymen.benhmida@gmail.com]
Sent: Dienstag, 16. Oktober 2012 17:38
To: users@cxf.apache.org
Subject: CXF- WSS4J
Hi,
i'm trying to secure my web service using basic authentification using the WWS4JInterceptor and callbackHandler
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
id="authentificationInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
<entry key="passwordType" value="PasswordDigest"/>
<entry key="signaturePropFile" value="..."/>
<entry key="passwordCallbackRef">
<bean
class="com.orange.ada.ws.config.interceptor.AuthentificationCallback"/>
</entry>
</map>
</constructor-arg>
</bean>
but when test the code using soap ui i get this exception
java.lang.NoSuchMethodError:
org.apache.ws.security.WSSecurityEngine.getWssConfig()Lorg/apache/ws/security/WSSConfig
i'm using cxf 2.6 and spring 3 and jonas server 4.10.9.
Any idea how can resolve this issue?
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-tp5716752.html
Sent from the cxf-user mailing list archive at Nabble.com.