
Accepting unsecured Server Responses

5 replies [Last post]
papus
Offline
Joined: 2006-05-29

Hi!

I'm using an asymmetric binding policy to sign the body of a SOAP request. The problem is that the response (which is not under my control) doesn't contain any security information. Is there a way I can tell the client to accept an unsecured response?

The background is that I have a WSDL file without a policy; therefore I created a mock service with NetBeans and configured the required policies. When I (successfully) call the web service, the answer produces an exception "WSSTUBE0025: Error in Verifying Security in the Inbound Message." at com.sun.xml.wss.jaxws.impl.SecurityClientTube processClientResponsePacket.

I'd really like to use the actual Metro stack. But the only solution I have figured out at the moment is to use a JAX-WS style security handler.

I would appreciate any hint in the right direction.

Thanks,
Florian

dsosnoski
Offline
Joined: 2003-07-24

Hi Florian,

See my WS-Policy article at
http://www.ibm.com/developerworks/java/library/j-jws18/index.html. The
Policy Examples topic gives a couple of examples using one-way
encryption or signing, including one asymmetric binding where only some
messages use signing (Listing 6). The discussion following the listing
covers what I had to do to make it work with Metro, and the download
code has a sample you can try. If you modify this to only use signing
for the request messages you should have what you want for your situation.

- Dennis

Dennis M. Sosnoski
Java SOA and Web Services Consulting
Axis2/CXF/Metro SOA and Web Services Training

Web Services Jump-Start

On 01/21/2011 05:09 AM, fp-papus@gmx.de wrote:
> Hi!
>
> I'm using an asymmetric binding policy to sign the body of a SOAP
> request. The problem is that the response (which is not under my
> control) doesn't contain any security information. Is there a way I
> can tell the client to accept an unsecured response?
>
> The background is, that I have a wsdl file without a policy, therefore
> I created a mock-service with netbeans and configured the required
> policies. When I (successfully) call the webservice, the answer
> produces an exception "WSSTUBE0025: Error in Verifying Security in the
> Inbound Message." at com.sun.xml.wss.jaxws.impl.SecurityClientTube
> processClientResponsePacket.
>
> I'd really like to use the actual metro stack. But the only solution I
> figured out at the moment is to use jax-ws style securityhandler.
>
> I would appreciate any hint into the right direction.
> Thanks,
> Florian
>
>

kumarjayanti
Offline
Joined: 2003-12-10

On 20/01/11 9:39 PM, fp-papus@gmx.de wrote:
> Hi!
>
> I'm using an asymmetric binding policy to sign the body of a SOAP
> request. The problem is that the response (which is not under my
> control) doesn't contain any security information. Is there a way I
> can tell the client to accept an unsecured response?
>
> The background is, that I have a wsdl file without a policy, therefore
> I created a mock-service with netbeans and configured the required
> policies. When I (successfully) call the webservice, the answer
> produces an exception "WSSTUBE0025: Error in Verifying Security in the
> Inbound Message." at com.sun.xml.wss.jaxws.impl.SecurityClientTube
> processClientResponsePacket.
You can set up your client policy to not expect any security in the
response. Just remove the SignedParts and EncryptedParts for the output
message. Show me the client policy and I can tell you how.

regards,
kumar
> I'd really like to use the actual metro stack. But the only solution I
> figured out at the moment is to use jax-ws style securityhandler.
>
> I would appreciate any hint into the right direction.

> Thanks,
> Florian

373 Guest
Offline
Joined: 2011-01-26

Hi!

Many thanks to Kumar and Dennis. It works, so far ...
The solution (my fault, and what Kumar pointed out) was that the client still required a timestamp in the SOAP response header. Fortunately there's an option for that:

regards,
Florian

Here is the policy which works for me:

On 21.01.2011 at 08:32, Kumar.Jayanti wrote:

> On 20/01/11 9:39 PM, fp-papus@gmx.de wrote:
>> Hi!
>>
>> I'm using an asymmetric binding policy to sign the body of a SOAP
>> request. The problem is that the response (which is not under my
>> control) doesn't contain any security information. Is there a way I
>> can tell the client to accept an unsecured response?
>>
>> The background is, that I have a wsdl file without a policy, therefore
>> I created a mock-service with netbeans and configured the required
>> policies. When I (successfully) call the webservice, the answer
>> produces an exception "WSSTUBE0025: Error in Verifying Security in the
>> Inbound Message." at com.sun.xml.wss.jaxws.impl.SecurityClientTube
>> processClientResponsePacket.
> You can set up your client policy to not expect any security in the response. Just remove the SignedParts and EncryptedParts for the output message. Show me the client policy and I can tell you how.
>
> regards,
> kumar
>> I'd really like to use the actual metro stack. But the only solution I
>> figured out at the moment is to use jax-ws style securityhandler.
>>
>> I would appreciate any hint into the right direction.
>
>> Thanks,
>> Florian
>

papus
Offline
Joined: 2006-05-29

I tried almost everything I found somewhere (including the articles
from Dennis). So here is the last policy-fragment I used:

The Beginning of the Exception says:

21.01.2011 12:16:28 com.sun.xml.wss.jaxws.impl.SecurityClientTube processClientResponsePacket
SCHWERWIEGEND: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.XWSSecurityException: Security Requirements not met - No Security header in message
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:898)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:230)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:462)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:412)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:345)
[...]

regards,
Florian

dsosnoski
Offline
Joined: 2003-07-24

Hi Florian,

If you want to have signing only on the input to the operation you need
to take out the

in the .

- Dennis

On 01/22/2011 12:52 AM, fp-papus@gmx.de wrote:
> I tried almost everything I found somewhere (including the articles
> from Dennis). So here is the last policy-fragment I used:
>
>
> transport="http://schemas.xmlsoap.org/soap/http"/>
>
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>
> The Beginning of the Exception says:
>
> 21.01.2011 12:16:28 com.sun.xml.wss.jaxws.impl.SecurityClientTube processClientResponsePacket
> SCHWERWIEGEND: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
> com.sun.xml.wss.XWSSecurityException: Security Requirements not met - No Security header in message
>     at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:898)
>     at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:230)
>     at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:462)
>     at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:412)
>     at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:345)
> [...]
>
> regards,
> Florian
>
>
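
As an added illustration (not code from any poster or from Metro), this Python sketch reports, per operation, which message directions in a WSDL carry sp:SignedParts or sp:EncryptedParts and whether the binding policy asserts sp:IncludeTimestamp, the two places this thread points to when a client rejects an unsecured response. The embedded WSDL and every name in it are constructed; only standard WS-Policy and WS-SecurityPolicy (2005/07) element names are assumed.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"}
WSU_ID = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id"

# Constructed WSDL fragment (all names hypothetical): Body signing is attached
# to the input message only; the binding policy still asserts a timestamp.
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:Policy wsu:Id="BindingPolicy"><sp:AsymmetricBinding><wsp:Policy>
   <sp:IncludeTimestamp/></wsp:Policy></sp:AsymmetricBinding></wsp:Policy>
 <wsp:Policy wsu:Id="InputPolicy"><sp:SignedParts><sp:Body/></sp:SignedParts></wsp:Policy>
 <wsdl:binding name="DemoBinding">
  <wsp:PolicyReference URI="#BindingPolicy"/>
  <wsdl:operation name="demoOp">
   <wsdl:input><wsp:PolicyReference URI="#InputPolicy"/></wsdl:input>
   <wsdl:output/>
  </wsdl:operation>
 </wsdl:binding>
</wsdl:definitions>"""

def audit(wsdl_text):
    """Per binding and operation, list the security assertions that apply."""
    root = ET.fromstring(wsdl_text)
    policies = {p.get(WSU_ID): p for p in root.iter("{%s}Policy" % NS["wsp"]) if p.get(WSU_ID)}

    def asserted(node, names):
        found = set()
        for ref in node.findall("wsp:PolicyReference", NS):   # referenced policies
            policy = policies.get(ref.get("URI", "").lstrip("#"))
            if policy is not None:
                found |= {n for n in names if policy.find(".//sp:" + n, NS) is not None}
        for inline in node.findall("wsp:Policy", NS):          # inline policies
            found |= {n for n in names if inline.find(".//sp:" + n, NS) is not None}
        return sorted(found)

    report = {}
    for binding in root.findall("wsdl:binding", NS):
        ops = {}
        for op in binding.findall("wsdl:operation", NS):
            ops[op.get("name")] = {d: asserted(m, ["SignedParts", "EncryptedParts"])
                                   for d in ("input", "output") for m in op.findall("wsdl:" + d, NS)}
        report[binding.get("name")] = {"binding": asserted(binding, ["IncludeTimestamp"]), "operations": ops}
    return report
```

An empty list for `output` means no message-level protection is demanded of the response; a non-empty `binding` list shows the timestamp assertion is still present at binding level.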