
Non-NetBeans documentation for writing wsit.xml

28 replies
bjdavis
Joined: 2007-02-23

I was hoping to implement a simple Username Token profile security system using XWSS 3.0 on my JAX-WS 2.1 fcs web service. Unfortunately, that seems to break MTOM, so I was looking into using WSIT instead. WSIT looks very promising, however I cannot seem to find any references on how to write the wsit.xml policy file that don't involve using NetBeans.

I am hoping to avoid having to use NetBeans, since I really just need a simple Username Token profile that uses callbacks for validating the username and password. I will be running on a Tomcat server, and while it sounds like I could use Realms to automagically handle the validation, I would prefer to do call backs for the time being. Any references that I could find on writing the configuration file would be very helpful!

Thanks!

bastefano
Joined: 2008-01-30

hi,

I have the same problem.... I don't get a DigestPasswordRequest, but I get a PlainTextPasswordRequest instead... I think that this issue is now realised...

venu
Joined: 2003-10-22

For the Security+MTOM problem, can you send us a testcase?

bjdavis
Joined: 2007-02-23

I will try to put together a test case this week that reproduces the XWSS + MTOM issue. Thanks again.

venu
Joined: 2003-10-22

Before you do that, are you seeing this problem on WSIT or standalone JAXWS+Security?

bjdavis
Joined: 2007-02-23

Standalone JAXWS + Security is where the problem is occurring.

venu
Joined: 2003-10-22

Then this is a known issue; you need to use WSIT.

bjdavis
Joined: 2007-02-23

> then this is a know issue, you need to use WSIT .

Well that would explain the difficulty then. My only hurdle now is that I would like my username token to still look like the one I got from XWSS. For example:

Joe
****
nGwrd0DrskcI4RPeYlXsVnZU
2007-02-28T19:41:48.078Z

I am having a hard time getting my server and client side wsit-*.xml right to generate the PasswordDigest style password element, as well as the Created and Nonce elements. I have successfully set both the client and server to use my XWSS security environment handler to do validation on the server side, and to generate the username and password on the client side, but I get a plain text password and no created/nonce elements on my username token. Is it even possible to configure WSIT to generate a username token with these features?

Thanks again both of you for all your help.


venu
Joined: 2003-10-22

The SecurityPolicy spec which WSIT currently supports did not define the use of Nonce, but the latest security policy spec does. Although all the code is there in Security to handle this, it is not enabled using Security Policy. We will support it for the next release. Is this a blocking issue for you? If so, let us know.

bjdavis
Joined: 2007-02-23

I see. This is an issue for the project I am working on, however it is not blocking at this point in time. Is there an estimate as to when the next release will occur (I know that the last release was only a few weeks ago)?


alexj
Joined: 2007-03-02

I am trying to enable simple UsernameToken security using WSIT for a JAX-WS webservice in Tomcat. I have the WSIT jars webservices-tools.jar and webservices-rt.jar in addition to the jax-ws jars I already had. With the wsit-client.xml the call works from a simple class. I was trying to test the call from an external client, SoapUI. The Authentication works; it throws an error if the Header does not have wsse and if the userid/password is not correct. I am getting this error after that, using the same example you have posted in this thread.

The Input SOAP:

Alice
ecilA

100
200

Server Error:

Using configured PlainTextPasswordValidator................
Alice
ecilA
com.sun.xml.ws.streaming.XMLStreamReaderException: unexpected XML tag. expected: {http://schemas.xmlsoap.org/soap/envelope/}Body but found: {http://schemas.xmlsoap.org/soap/envelope/}Header
at com.sun.xml.ws.streaming.XMLStreamReaderUtil.verifyTag(XMLStreamReaderUtil.java:189)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:472)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:193)
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.verifyInboundMessage(SecurityPipeBase.java:424)

Mar 15, 2007 1:43:04 PM com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit handle
SEVERE: unexpected XML tag. expected: {http://schemas.xmlsoap.org/soap/envelope/}Envelope but found: {http://schemas.xmlsoap.org/soap/envelope/}Body
com.sun.xml.ws.streaming.XMLStreamReaderException: unexpected XML tag. expected: {http://schemas.xmlsoap.org/soap/envelope/}Envelope but found: {http://schemas.xmlsoap.org/soap/envelope/}Body
at com.sun.xml.ws.streaming.XMLStreamReaderUtil.verifyTag(XMLStreamReaderUtil.java:189)
at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:171)
at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:148)
at com.sun.xml.ws.message.stream.LazyStreamBasedMessage.cacheMessage(LazyStreamBasedMessage.java:70)

kumarjayanti
Joined: 2003-12-10

Hi,

Can it be that the JAXWS jars you have are being placed ahead of the webservices*.jar files in your classpath (and the jaxws jars are not compatible with the WSIT jars you have)?

Actually you do not need separate JAXWS jars; all you need to do is the following:

1. Take a clean TOMCAT installation
2. Download the latest wsit bits (jax-ws-latest-wsit-installer_nightly.jar) from:
https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5468&e...
3. Run:
java -Xmx256m -jar jax-ws-latest-wsit-installer_nightly.jar
4. cd jax-ws-latest-wsit
5. Set CATALINA_HOME (environment variable) to point to your TOMCAT install directory
6. Run: ant -f wsit-on-tomcat.xml install
7. Start your TOMCAT

Please try this and let me know if this worked.

Thanks

kumarjayanti
Joined: 2003-12-10

If the above suggestion did not solve your problem then I would like to ask whether your application has some Handlers and, by any chance, are you trying to read the Payload in the Handler?

alexj
Joined: 2007-03-02

I tried by installing from the latest nightly jar. Removed all other jars. Also had 2 Handlers inspecting the Payload. Removed the handlers and still getting the error from the stand alone client. Also, how does the Policy look without SSL? Tried over SSL also, getting the same error. Authentication works.

http://www.w3.org/2005/08/addressing/anonymous
http://www.w3.org/2005/08/addressing/fault
uuid:814249bc-5396-4f69-a911-b14e44de7152

ns2:Server
unexpected XML tag. expected: {http://schemas.xmlsoap.org/soap/envelope/}Body but found: {http://schemas.xmlsoap.org/soap/envelope/}Header

venu
Joined: 2003-10-22

Thanks for reporting the problem; will look into this.

venu
Joined: 2003-10-22

Can you send me the message for which the fault was thrown?

alexj
Joined: 2007-03-02

Did you mean the Input SOAP message? Here it is. I am using the sample example kumarjayanti had above.

Alice
ecilA

100
200

kumarjayanti
Joined: 2003-12-10

Hi Alex,

I am a little suspicious whether the input message you pasted was generated by using WSIT?

Specifically, the Id of the UsernameToken ( wsu:Id="UsernameToken-27800069" ) tells us that this message was not generated using WSIT Security. Can you please confirm what your setup is?

Are you trying to use WSIT on the Server side and some other vendor implementation on the client side?

Thanks

alexj
Joined: 2007-03-02

That is correct. My intent is to use WSIT on the server side with Java on Tomcat providing the Webservice. My clients are not Java; they will be .Net, PHP or Perl etc.... So the assumption I was going with was that as long as these clients generate WS-Security conformant SOAP headers it should work.

I have a test client on the Server itself with the wsit-client.xml and it also has the same problem. The Authentication works in both cases.

Should I be going with standard XWSS instead of WSIT? I wanted the other support WSIT provides like Policy etc. and the future extensions, and this was the reason to choose WSIT.

kumarjayanti
Joined: 2003-12-10

> That is correct. My intent is to use WSIT on the
> server side with java on Tomcat providing the
> Webservice. My clients are not java, they will be
> .Net, PHP or Perl etc.... So the assumption I was
> going with was as long as these clients generate
> WS-SECURITY conformed SOAP headers it should work.
>
Agreed that as long as the messages conform to WS-Security, it should work.

> I have a test client on the Server itself with the
> wsit-client.xml and also has the same problem. The
> Authentication works in both cases.

Can you somehow provide us a reproducible testcase of this scenario? Specifically, can you confirm by using something like a tcp monitor (https://tcpmon.dev.java.net) that the incoming Message on the Server actually has a non-empty payload?

We have several tests where the test client runs as a Servlet/JSP with a wsit-client.xml and we have never encountered this kind of an error. We have such tests working on TOMCAT as well...

If you are interested we can send you a SAMPLE client and Server application WAR File(s) that you can deploy and run on TOMCAT....

>
> Should I be going with standard XWSS instead of WSIT.

NO, not at all, we want you to continue to use WSIT.

Thanks.

alexj
Joined: 2007-03-02

Sure I will put together the test cases and post soon. Thanks in advance if you can send the sample client and server WAR file for Tomcat. Would really appreciate that.

stondini
Joined: 2005-01-15

Hi,

I've the same problem with the last WSIT Milestone:
https://jax-ws.dev.java.net/files/documents/4202/55930/wsit-1_0-fcs-bin-...

I'm using SOAPUI to send the request:
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:dac="http://test.com">

Alice
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ecilA

hello

The response from the Jetty server:

ns2:Server
unexpected XML tag. expected: {http://schemas.xmlsoap.org/soap/envelope/}Body but found: {http://schemas.xmlsoap.org/soap/envelope/}Header

unexpected XML tag. expected: {http://schemas.xmlsoap.org/soap/envelope/}Body but found: {http://schemas.xmlsoap.org/soap/envelope/}Header

...

The authentication works fine through a com.sun.xml.wss.impl.callback.PasswordValidationCallback validator, but the web method echo() is not called!

Have you investigated?
Thanks
Stéphane

venu
Joined: 2003-10-22

Can you send us the setup/testcase you are using?

kumarjayanti
Joined: 2003-12-10

Hi,

> I was hoping to implement a simple Username Token
> profile security system using XWSS 3.0 on my JAX-WS
> 2.1 fcs web service. Unfortunately, that seems to
> break MTOM,

Can you be more specific here? I am not aware of this issue.

> so I was looking into using WSIT instead.
> WSIT looks very promising, however I cannot seem to
> find any references on how to write the wsit.xml
> policy file that don't involve using NetBeans.

Any specific reason you would want to avoid NetBeans....?

> I am hoping to avoid having to use NetBeans, since I
> really just need a simple Username Token profile that
> uses callbacks for validating the username and
> password.

>I will be running on a Tomcat server, and
> while it sounds like I could use Realms to
> automagically handle the validation, I would prefer
> to do call backs for the time being.

Automatic realm authentication is possible on GlassFish. For Realm Authentication on Tomcat you will need to supply a RealmAuthenticator bundled into the WAR. I can write more about this later since you are only looking at Callbacks right now...

> Any references
> that I could find on writing the configuration file
> would be very helpful!
>

Here are the simple steps for Username Authentication with WSIT, but please note, in this SAMPLE the username/password is protected using SSL. A more complicated case is where you want to Encrypt the Username/Password which is being sent over the WIRE.

Server Side :
------------------
The name of the wsit.xml file should actually be wsit-.xml. Attached is a file named wsit-org.mymc.MC109.xml as a sample.

The most important thing that you need to know apart from the policy in the wsit-*.xml is the following username password validator.



Also attached is the file PlainTextPasswordValidator.java that you can modify to suit your needs.

This finishes the Server Side of things, now on the Client side you will need to write wsit-client.xml which either supplies a username-password as default values or configures a UsernameHandler and a PasswordHandler.

I am pasting a wsit-client.xml which makes use of default username and password values. Note: the wsit-client.xml file should be in your client side classpath, so if the client is a web client you can place it inside the WEB-INF/classes directory.

(Looks like I cannot have more than 2 files as attachments, so I am pasting the file here.)

------------------wsit-client.xml------------------------
-------------------------end of wsit-client.xml-----------------------

The most important thing in wsit-client.xml is the CallbackHandler configuration. I have set the default username and password as Alice and ecila. But in case you want to dynamically supply this information then you would write the above assertion as follows:


Here test.MyUsernameHandler and test.MyPasswordHandler are classes supplied by you and available in the client classpath.

NOTE: configuration of SSL is not automatic; you would have to follow the TOMCAT docs on how to enable SSL for the service. And for the Client (if it is not a web client) you would have to set the corresponding javax.net.ssl.* system properties.

As a first step, you may omit the SSL config part and just try to send a Username/Password over the WIRE, and once you have that working you can look into SSL or Encryption of the UsernamePassword.

Let me know if that worked....

If you are looking at running an existing sample then we have WSIT testcases in the WSIT workspace. You will have to checkout the WSIT workspace in order to be able to run it.

https://wsit.dev.java.net/source/browse/wsit/wsit/test/e2e/testcases/xws...

This testcase is developed from WSDL and hence you will see the WSDL having the policies and no wsit-*.xml here.

The corresponding client configuration is located at :

https://wsit.dev.java.net/source/browse/wsit/wsit/test/e2e/testcases/xws...

If you need to run this test just cd to wsit/wsit/test/e2e directory and run "ant"

In case you want to see the message that is transmitted over the wire, you can set the system property "com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump" to the value "true" or make use of a tcp monitor from https://tcpmon.dev.java.net

Thanks

> Thanks!

kumarjayanti
Joined: 2003-12-10

Just to add, the test.MyUsernameHandler and test.MyPasswordHandler classes should implement the javax.security.auth.callback.CallbackHandler interface and should handle the JAAS NameCallback and PasswordCallback respectively.

Thanks
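Putting the two halves of that setup together, as an added example (not the attachments from the thread): a client-side javax.security.auth.callback.CallbackHandler that answers both the JAAS NameCallback and PasswordCallback, and a server-side validator in the shape of the PlainTextPasswordValidator described above. The class names test.MyCredentialHandler and test.MyPasswordValidator, the ws.user/ws.password system properties and the Alice/ecilA entry are assumptions made for this example; the XWSS PasswordValidationCallback types are the ones named in the thread.

```java
package test;

import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.sun.xml.wss.impl.callback.PasswordValidationCallback;

/** Client side: one class that can be named as both usernameHandler and passwordHandler. */
public class MyCredentialHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                // Hypothetical system properties stand in for the client's own credential store.
                ((NameCallback) cb).setName(System.getProperty("ws.user", "Alice"));
            } else if (cb instanceof PasswordCallback) {
                // char[] so the secret can be cleared once WSIT has copied it into the token.
                ((PasswordCallback) cb).setPassword(System.getProperty("ws.password", "ecilA").toCharArray());
            } else {
                throw new UnsupportedCallbackException(cb, "only Name/PasswordCallback handled");
            }
        }
    }
}

/** Server side: the validator class referenced from wsit-*.xml. */
class MyPasswordValidator implements PasswordValidationCallback.PasswordValidator {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    // Constructed sample credentials; replace with a lookup against the real user store.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("Alice", "ecilA"); }

    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        // Only PasswordText tokens are handled here; a DigestPasswordRequest is rejected.
        if (!(request instanceof PasswordValidationCallback.PlainTextPasswordRequest)) {
            return false;
        }
        PasswordValidationCallback.PlainTextPasswordRequest req =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
        String expected = USERS.get(req.getUsername());
        if (expected == null || req.getPassword() == null) {
            return false;
        }
        // Constant-time comparison so a wrong password does not leak timing information.
        return MessageDigest.isEqual(expected.getBytes(UTF8), req.getPassword().getBytes(UTF8));
    }
}
```

Without SSL the PasswordText value crosses the wire in the clear, which is why the post above says to enable SSL or encryption once the plain exchange works.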

kumarjayanti
Joined: 2003-12-10

Just to add, for TOMCAT users, if the username/password is specified inside tomcat-users.xml then WSIT would automatically authenticate the user.

Thanks

bjdavis
Joined: 2007-02-23

Wow, that looks like exactly what I am seeking. Thanks!

The specific issue I am having with MTOM and XWSS is that when I enable XWSS and MTOM at the same time, I get a message that has all the MTOM and XWSS headers/formatting, but the base64 fields are encoded and inlined instead of separated out into a separate uuid block and unencoded.

Going to try out the information you provided, as I think it is exactly what I am looking for.

Thanks again!

bjdavis
Joined: 2007-02-23

Thanks again, this worked very well, and was exactly what I was looking for.

Still not sure why I can't just use XWSS and JAX-WS, but as long as I have a viable solution (which this is) I am happy.

-Brian

kumarjayanti
Joined: 2003-12-10

> Thanks again, this worked very well, and was exactly
> what I was looking for.
>
> Still not sure why I can't just use XWSS and JAX-WS,
> but as long as I have a viable solution (which this
> is) I am happy.
>

When you enabled MTOM with Standalone XWSS, how did you enable MTOM?

You have to use either the annotation on the service or the entry in sun-jaxws.xml

Also I was told that the threshold for MTOM is set to 1K, and if the binary data is smaller than that then, although you would see the MTOM headers, you will not actually see the Binary data as a Mime Attachment.

Using a Policy Assertion in the WSDL to enable MTOM does not work when you are using Standalone XWSS with JAXWS.

In any case, please send us a reproducible testcase if you think this is a problem; we would like to get it fixed.

Thanks.

> -Brian