Can't secure JAVA SE 6 WebService - code based on example doesn't work

70 replies [Last post]
swpalmer
Offline
Joined: 2003-06-10
Points: 0

I am trying to implement some form of security in my WebService using a Java 6 endpoint in my standard Swing application.

After several failed attempts at trying to get WSIT to function, I've bailed on it and am now trying the solution outlined here:
https://xwss.dev.java.net/Securing_JAVASE6_WebServices.html

It doesn't work.

My implementation of SecurityEnvironmentHandler is first called with a SignatureKeyCallback from which I throw the UnsupportedCallbackException and after that there are no other callbacks on the server, particularly the expected PasswordValidationCallback.

So clients can freely call all the methods in my Web Service without requiring any username or password.

I have no idea why this is happening. Help please!

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi Jayanti,
I think it's better to use a programmatic approach to print the SOAP message. I dumped it by redirecting System.out to a file.

Regards
Shashank

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi Jayanti,
I was able to configure Standalone Tomcat with WSIT on JBoss. Not a typo this time.
These are the steps to be followed:

1. First create the application for a standalone Tomcat with version higher than 5.5.16
2. Right click on the project and add the JAXWS 2.1 libraries to the build path
3. Build the application
4. Go to the nbproject dir (under the Files tab) under the project
   a. Open file build-impl.xml
   b. Look for target 'library-inclusion-in-archive'.
   c. Comment out all the jax-ws libraries
   d. Build the project
5. Right click on the project folder and change the runtime to JBoss4.2
6. Right click the WS and enable WSIT settings (like MTOM, WS-Security etc.)
7. Deploy the application to JBoss (this will deploy it to embedded Tomcat)

I am facing a problem with authentication against a tomcat-users.xml file, as it is nonexistent on the embedded Tomcat.
I have used
-Dcatalina.home=C:\dumps\apache-tomcat-5.5.25\apache-tomcat-5.5.25
to set the catalina.home system property, but I still get an error which says that tomcat-users.xml is nonexistent, though this is pointing to a standalone Tomcat installation which has the file under the proper directory.
Regards
Shashank

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi Jayanti,
I changed the wsit client config file to this

and it works.
Thx a lot.
I actually need to run this app on JBoss, so I will need your help with regard to Metro integration on JBoss.

smjain1
Offline
Joined: 2007-10-04
Points: 0

The error I get from JSP and standalone is

SEVERE: WSSPIPE0016: TrustStore URL was obtained as NULL from ConfigAssertion.
Oct 9, 2007 11:19:38 AM com.sun.xml.wss.jaxws.impl.SecurityClientPipe
SEVERE: WSSPIPE0023: Error in creating new instance of SecurityClientPipe
java.lang.RuntimeException: WSSPIPE0016: TrustStore URL was obtained as NULL from ConfigAssertion.
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.populateTruststoreProps(SecurityPipeBase.java:1266)
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.populateConfigProperties(SecurityPipeBase.java:1204)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.configureClientHandler(SecurityClientPipe.java:427)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.<init>(SecurityClientPipe.java:119)
at com.sun.xml.ws.assembler.PipelineAssemblerFactoryImpl$WsitPipelineAssembler.createClient(PipelineAssemblerFactoryImpl.java:219)
at com.sun.xml.ws.api.pipe.TubelineAssemblerFactory$TubelineAssemblerAdapter.createClient(TubelineAssemblerFactory.java:136)
at com.sun.xml.ws.client.WSServiceDelegate.createPipeline(WSServiceDelegate.java:411)
at com.sun.xml.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(WSServiceDelegate.java:572)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:320)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:302)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:295)
at javax.xml.ws.Service.getPort(Service.java:92)
at com.hp.ws.gateway.client.HPOSGatewayService.getHPOSGatewayPort(HPOSGatewayService.java:56)
at com.hp.client.TestClient.main(TestClient.java:22)

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi Jayanti,
I configured my standalone JBoss to work with WSIT enablement. Looks very good.
I had 2 questions:
1. How do I secure SOAP attachments here?
2. How do I see the log of encrypted messages?
In GlassFish you advised the use of
Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true
What to do in Tomcat?

Regards
Shashank

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

> Hi Jayanti,
> I configured my standalone JBoss to work with WSIT
> enablement. Looks very good

Good to know, for the benefit of others you may want to post a short writeup on a different Thread or just email to users@metro.dev.java.net.

> I had 2 questions
> 1. How do I secure SOAP attachments here

The current version of the WS-SecurityPolicy spec draft that we support does not have a way to specify securing attachments. The WS-SecurityPolicy final version (which was approved 2 months ago) does have support for specifying secure attachments. We are in the process of upgrading to the latest spec version.

In the meantime if you can explore the use of MTOM (and if necessary restructure your WebService to make use of MTOM) if you have some binary data in your Message Payload.

https://jax-ws.dev.java.net/guide/Binary_Attachments.html

> 2. How do I see the log of encrypted messages.
> In GlassFish you advised the use of
> Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true
> What to do in Tomcat

You have to set the same property in CATALINA_OPTS.

If securing attachments is a pressing requirement we would like to understand your use case, and we do support securing attachments but in our PRE-METRO offering, i.e. XWSS 2.0 style security (which does not use WS-SecurityPolicy).

regards.

smjain1
Offline
Joined: 2007-10-04
Points: 0

Sorry,
It was a typo. It worked for standalone Tomcat, not JBoss. But I will be figuring that out as well. Once done I will give a writeup.
I set the CATALINA_OPTS parameter to the required value.
Also in NetBeans I tried setting the JVM options. Restarted Tomcat.
Still don't see the SOAP message in the log.
Tomcat version 5.5
Yes, SOAP attachments security is a requirement. But we can wait. Approximately how much time will it take to have it incorporated in WSIT?
Regards
Shashank

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

You will have to experiment and see, the property is not specific to GF, it should work on any container as long as it is set. Find out how to set JVM Args for Tomcat Server.

I cannot give a date but Attachment support would be somewhere between early next year to JavaOne 2008.

smjain1
Offline
Joined: 2007-10-04
Points: 0

Thx Jayanti,
I set the JVM options for Tomcat. Still it's not showing in the log. I know it's generic to a web container. Does it have something to do with webservices-rt.jar, which has this particular class?
webservices-rt.jar right now is in the shared/lib dir of Tomcat.
Regards
Shashank

smjain1
Offline
Joined: 2007-10-04
Points: 0

Sorry. I saw the messages through handlers. I guess security headers are stripped before they reach the protocol handlers.
I added the following lines in domain.xml
-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true
-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true

And I got the encrypted message in the log file.

Calling from the standalone client and JSP is still not working. Pls share some thoughts on it.
Regards
Shashank
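The post above shows why a SOAP handler is the wrong place to confirm encryption: only the transport-level dump shows what went over the wire. The following is an added example, not code from the thread, that classifies a captured envelope by whether its Body holds only xenc:EncryptedData and whether a wsse:Security header is present. The class name, the two sample envelopes and the getName element namespace are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class WireDumpCheck {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";

    enum BodyState { ENCRYPTED, PLAINTEXT, EMPTY }

    /** Namespace-aware parse with DOCTYPE disabled, since the dump is untrusted input. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Returns the Header or Body child of the envelope (same SOAP namespace), or null. */
    static Element soapPart(Document doc, String localName) {
        Element env = doc.getDocumentElement();
        String soapNs = env.getNamespaceURI();
        NodeList kids = env.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && localName.equals(n.getLocalName())
                    && soapNs != null && soapNs.equals(n.getNamespaceURI())) {
                return (Element) n;
            }
        }
        return null;
    }

    static boolean hasSecurityHeader(Document doc) {
        Element header = soapPart(doc, "Header");
        return header != null
            && header.getElementsByTagNameNS(WSSE_NS, "Security").getLength() > 0;
    }

    /** ENCRYPTED only if every element directly under Body is xenc:EncryptedData. */
    static BodyState bodyState(Document doc) {
        Element body = soapPart(doc, "Body");
        if (body == null) return BodyState.EMPTY;
        boolean sawElement = false;
        NodeList kids = body.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;   // skip whitespace text
            sawElement = true;
            boolean encrypted = XENC_NS.equals(n.getNamespaceURI())
                && "EncryptedData".equals(n.getLocalName());
            if (!encrypted) return BodyState.PLAINTEXT;
        }
        return sawElement ? BodyState.ENCRYPTED : BodyState.EMPTY;
    }

    // Constructed sample: what a server-side handler sees after decryption.
    static final String AS_SEEN_BY_HANDLER =
        "<S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<S:Header/>"
      + "<S:Body><ns2:getName xmlns:ns2=\"http://gateway.ws.hp.com/\">"
      + "<arg0>Shashank</arg0></ns2:getName></S:Body>"
      + "</S:Envelope>";

    // Constructed sample: shape of the same request in the transport dump.
    static final String AS_SEEN_ON_WIRE =
        "<S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\""
      + " xmlns:wsse=\"" + WSSE_NS + "\" xmlns:xenc=\"" + XENC_NS + "\">"
      + "<S:Header><wsse:Security S:mustUnderstand=\"1\"/></S:Header>"
      + "<S:Body><xenc:EncryptedData Type=\"http://www.w3.org/2001/04/xmlenc#Content\">"
      + "<xenc:CipherData><xenc:CipherValue>CONSTRUCTED-PLACEHOLDER</xenc:CipherValue>"
      + "</xenc:CipherData></xenc:EncryptedData></S:Body>"
      + "</S:Envelope>";

    public static void main(String[] args) throws Exception {
        String[][] samples = {
            {"handler view", AS_SEEN_BY_HANDLER},
            {"wire dump", AS_SEEN_ON_WIRE},
        };
        for (String[] s : samples) {
            Document doc = parse(s[1]);
            System.out.println(s[0] + ": securityHeader=" + hasSecurityHeader(doc)
                + ", body=" + bodyState(doc));
        }
    }
}
```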

smjain1
Offline
Joined: 2007-10-04
Points: 0

Another fresh installation gave this error
WSS1413: Error extracting certificate
com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.getCertificate(WSITProviderSecurityEnvironment.java:1253)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:301)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:263)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:186)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:147)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureOutboundMessage(WSITClientAuthContext.java:387)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:252)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:218)
at com.sun.enterprise.webservice.ClientSecurityPipe.process(ClientSecurityPipe.java:142)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:134)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:244)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy83.add(Unknown Source)
at org.me.calculator.client.ClientServlet.processRequest(ClientServlet.java:70)
at org.me.calculator.client.ClientServlet.doGet(ClientServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
WSS1414: Error extracting symmetric key com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
WSITPVD0029: Error in Securing Outbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:318)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureOutboundMessage(WSITClientAuthContext.java:390)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:252)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:218)
at com.sun.enterprise.webservice.ClientSecurityPipe.process(ClientSecurityPipe.java:142)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:134)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:244)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy83.add(Unknown Source)
at org.me.calculator.client.ClientServlet.processRequest(ClientServlet.java:70)
at org.me.calculator.client.ClientServlet.doGet(ClientServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:329)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:263)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:186)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:147)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureOutboundMessage(WSITClientAuthContext.java:387)
... 50 more
Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:308)
... 55 more
Caused by: com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.getCertificate(WSITProviderSecurityEnvironment.java:1253)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:301)
... 55 more
SEC2004: Container-auth: wss: Error securing request
javax.xml.ws.WebServiceException: WSITPVD0029: Error in Securing Outbound Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureOutboundMessage(WSITClientAuthContext.java:396)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:252)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:218)
at com.sun.enterprise.webservice.ClientSecurityPipe.process(ClientSecurityPipe.java:142)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:134)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:244)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy83.add(Unknown Source)
at org.me.calculator.client.ClientServlet.processRequest(ClientServlet.java:70)
at org.me.calculator.client.ClientServlet.doGet(ClientServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: javax.xml.ws.soap.SOAPFaultException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1389)
... 51 more
StandardWrapperValve[ClientServlet]: PWC1406: Servlet.service() for servlet ClientServlet threw exception
javax.xml.ws.WebServiceException: Cannot secure request for {http://calculator.me.org/}CalculatorWSPort
at com.sun.enterprise.webservice.ClientSecurityPipe.process(ClientSecurityPipe.java:149)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:134)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:244)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy83.add(Unknown Source)
at org.me.calculator.client.ClientServlet.processRequest(ClientServlet.java:70)
at org.me.calculator.client.ClientServlet.doGet(ClientServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: javax.xml.ws.WebServiceException: WSITPVD0029: Error in Securing Outbound Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureOutboundMessage(WSITClientAuthContext.java:396)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:252)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:218)
at com.sun.enterprise.webservice.ClientSecurityPipe.process(ClientSecurityPipe.java:142)
... 47 more
Caused by: javax.xml.ws.soap.SOAPFaultException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias 'xws-security-server'
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1389)
... 51 more

I don't find this alias in the keystore. I used the GlassFish which comes with NetBeans.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi,

It would have been very nice if you used a different thread to post your question. We have now confused two different problems in one thread.

Anyway, the errors you are getting now are much better. It is only a WSIT configuration issue now.

Which NetBeans version are you using?
Can you run the following command

keytool -list -keystore /domains/domain1/config/cacerts.jks -storepass

and make sure you find xws-security-server certificate in it.

If it is not present then it means you will have to execute the following script :

https://xwss.dev.java.net/files/documents/4864/54020/copyv3.zip
(follow the README in it, all you have to do is set AS_HOME environment variable to point to your GlassFish installation and then run ant)

Restart your appserver and re-run your app, see if it works. If it still does not work then attach the file which is imported by wsit-client.xml (wsit-client.xml is located in build/WEB-INF/META-INF of your client project).
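The alias check requested above can also be run from Java against the same store the WSIT client loads. This is an added example, not part of the original thread: it reports whether each wanted alias is missing, a key entry or a trusted certificate, and whether its certificate is currently valid. The class name and the argument layout (store path, store password, then aliases) are assumptions; the aliases xws-security-server and s1as are the ones named in this thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

public class KeystoreAliasCheck {

    /** Loads a JKS store from disk; a null path yields an empty in-memory store. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (path == null) {
            ks.load(null, null);
            return ks;
        }
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // a wrong password fails the integrity check here
        }
        return ks;
    }

    /** One-line status for an alias: MISSING, or entry kind plus certificate validity. */
    static String describe(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return alias + ": MISSING";
        }
        // A key entry can sign/decrypt; a trusted certificate can only verify/encrypt.
        String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted certificate";
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            return alias + ": " + kind + " (no X.509 certificate)";
        }
        X509Certificate x509 = (X509Certificate) cert;
        Date now = new Date();
        String validity;
        if (now.before(x509.getNotBefore())) {
            validity = "not yet valid (starts " + x509.getNotBefore() + ")";
        } else if (now.after(x509.getNotAfter())) {
            validity = "EXPIRED " + x509.getNotAfter();
        } else {
            validity = "valid until " + x509.getNotAfter();
        }
        return alias + ": " + kind
            + ", subject=" + x509.getSubjectX500Principal().getName()
            + ", " + validity;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks;
        String[] wanted;
        if (args.length >= 3) {
            // Usage: java KeystoreAliasCheck <store.jks> <storepass> <alias> [alias...]
            ks = load(args[0], args[1].toCharArray());
            wanted = Arrays.copyOfRange(args, 2, args.length);
        } else {
            // No arguments: run against an empty store to show the failure output.
            ks = load(null, null);
            wanted = new String[] {"xws-security-server", "s1as"};
        }
        boolean allPresent = true;
        for (String alias : wanted) {
            System.out.println(describe(ks, alias));
            allPresent &= ks.containsAlias(alias);
        }
        if (!allPresent) {
            // Listing what is there helps spot a differently named server alias.
            System.out.println("Aliases in this store: " + Collections.list(ks.aliases()));
        }
        System.exit(allPresent ? 0 : 1);
    }
}
```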

smjain1
Offline
Joined: 2007-10-04
Points: 0

Thx Jayanti,
Sorry for mixing the two forums.
I tried using s1as as the alias and the sample worked.
Now when I try to create my application similar to the calculator setup, I get the following error. The sample works fine with the setup, why not this program?
Also I get the same error when I create a separate client project for the existing Secure Calculator Service. Pls guide

SEVERE: WSSPIPE0016: TrustStore URL was obtained as NULL from ConfigAssertion.
Oct 9, 2007 11:19:38 AM com.sun.xml.wss.jaxws.impl.SecurityClientPipe
SEVERE: WSSPIPE0023: Error in creating new instance of SecurityClientPipe
java.lang.RuntimeException: WSSPIPE0016: TrustStore URL was obtained as NULL from ConfigAssertion.
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.populateTruststoreProps(SecurityPipeBase.java:1266)
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.populateConfigProperties(SecurityPipeBase.java:1204)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.configureClientHandler(SecurityClientPipe.java:427)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.<init>(SecurityClientPipe.java:119)
at com.sun.xml.ws.assembler.PipelineAssemblerFactoryImpl$WsitPipelineAssembler.createClient(PipelineAssemblerFactoryImpl.java:219)
at com.sun.xml.ws.api.pipe.TubelineAssemblerFactory$TubelineAssemblerAdapter.createClient(TubelineAssemblerFactory.java:136)
at com.sun.xml.ws.client.WSServiceDelegate.createPipeline(WSServiceDelegate.java:411)
at com.sun.xml.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(WSServiceDelegate.java:572)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:320)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:302)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:295)
at javax.xml.ws.Service.getPort(Service.java:92)
at com.hp.ws.gateway.client.HPOSGatewayService.getHPOSGatewayPort(HPOSGatewayService.java:56)
at com.hp.client.TestClient.main(TestClient.java:22)

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi,

Is your client a JSP? There is an issue which makes the JSP client behave as a Non-109 App (this will be fixed in NetBeans in future...). So in this case it does not use the container's keystore/truststore by default.

So what you have to do is specify the keystore and truststore URL and password and the alias to be used inside the NetBeans Edit-WebServices-Attributes boxes on the client side.

Thanks.

smjain1
Offline
Joined: 2007-10-04
Points: 0

I tried with JSP as well as with the standalone client. Both don't work.
I already configured the username and password in the edit attributes box.
When I write a servlet to call the web service endpoint (the code is below):

[code]
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.WebServiceRef;

public class ClientServlet extends HttpServlet {
    @WebServiceRef(wsdlLocation = "http://localhost:8080/TestSecurityService/HPOSGatewayService?wsdl")
    private HPOSGatewayService service;

    /**
     * Processes requests for both HTTP GET and POST methods.
     * @param request servlet request
     * @param response servlet response
     */
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            /*out.println("");
            out.println("");
            out.println("Servlet ClientServlet");
            out.println("");
            out.println("");
            out.println("Servlet ClientServlet at " + request.getContextPath() + "");
            out.println("");
            out.println("");*/

            try { // Call Web Service Operation
                com.hp.client.HPOSGateway port = service.getHPOSGatewayPort();
                // TODO initialize WS operation arguments here
                java.lang.String name = "Shashank";
                // TODO process result here
                java.lang.String result = port.getName(name);
                out.println("Result = " + result);
            } catch (Exception ex) {
                out.println(ex.getMessage());
                // TODO handle custom exceptions here
            }
        } finally {
            out.close();
        }
    }
}
[/code]

This works. But for me, my client is a standalone client which talks to the WS.
Also, when I look at the SOAP message using a SOAP handler, I don't see any encryption for the body part, though this is configured at the endpoint.

http://localhost:8080/TestSecurityService/HPOSGatewayService
http://gateway.ws.hp.com/HPOSGateway/getNameRequest
http://www.w3.org/2005/08/addressing/anonymous
uuid:4503f154-6819-4356-9407-15f9ceb40e94
Shashank

Pls guide
Shashank

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Yes, for both JSP and standalone Java clients you will have to explicitly specify the keystore URL, password, and alias.

And if you have put a server-side SOAPHandler then you cannot see the encrypted body, because by the time the message reaches the handler it has been decrypted. If you want to see the encrypted body, add the following line in your GF domain.xml under JVM options:

-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true

This will work for a Servlet or JSP client and will dump the request and response.

smjain1
Offline
Joined: 2007-10-04
Points: 0

When you say explicit, does that mean in code? Since I have already mentioned all this in the attributes page of the WS client, do I need to set it in code?
If so, can you tell me the steps?
Regards
Shashank

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

So what is the error you are getting now?

Send me your client config.

smjain1
Offline
Joined: 2007-10-04
Points: 0

This is the client config

The same client config works for the servlet but not for standalone clients

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

So you see this:

The location attribute is not specified. Not sure if NetBeans is not generating it or you have not specified it. Please manually add it. It should look like:

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi Jayanti,
I have one more question here.
Right now we set these credentials in the configuration file.
Going forward, how do we pass these credentials into the configuration file, either through a web UI or in some programmatic manner?
Regards
Shashank

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

If you want to do it programmatically, the option is there. You will have to supply something called an XWSSCallbackHandler (it's a bit cumbersome). For GlassFish you will just need to supply a JSR 196 CallbackHandler, which requires fewer callbacks to be handled.

Otherwise, if you are worried about keystore passwords or user passwords being present in the config file, then you can always supply a small CallbackHandler in place of the password.

For username/password you can also set it programmatically in the client code by setting BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY
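
The two programmatic options mentioned in the reply above, as an added example (not code from this thread or from Metro): a `CallbackHandler` of the kind that can stand in for a password kept in the config file, and a helper that sets `BindingProvider.USERNAME_PROPERTY` and `BindingProvider.PASSWORD_PROPERTY` on a generated port. The class name `EnvPasswordHandler` and the environment variable `WS_CLIENT_PASSWORD` are assumptions; `javax.xml.ws` must be on the classpath (it ships with Java SE 6 to 8).

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

/**
 * Added example: supplies a password at run time so that it never has to be
 * written into the client config file. All names here are hypothetical.
 */
public class EnvPasswordHandler implements CallbackHandler {

    // Hypothetical environment variable holding the secret.
    static final String ENV_VAR = "WS_CLIENT_PASSWORD";

    /** Take the secret from the environment, else prompt on the console. */
    static char[] readSecret(String prompt) throws IOException {
        String fromEnv = System.getenv(ENV_VAR);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        Console console = System.console();
        if (console == null) {
            throw new IOException(ENV_VAR + " is not set and no console is available");
        }
        char[] typed = console.readPassword("%s: ", prompt);
        if (typed == null || typed.length == 0) {
            throw new IOException("no password entered");
        }
        return typed;
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                char[] secret = readSecret(pc.getPrompt());
                try {
                    pc.setPassword(secret);     // PasswordCallback keeps its own copy
                } finally {
                    Arrays.fill(secret, '\0');  // wipe our copy
                }
            } else {
                // Refuse callbacks we do not understand instead of ignoring them.
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /**
     * Sets username and password on a JAX-WS proxy, for example
     * applyCredentials((BindingProvider) service.getHPOSGatewayPort(), user, pw).
     */
    static void applyCredentials(BindingProvider port, String user, char[] password) {
        Map<String, Object> ctx = port.getRequestContext();
        ctx.put(BindingProvider.USERNAME_PROPERTY, user);
        // The property takes a String, so this copy stays on the heap until GC.
        ctx.put(BindingProvider.PASSWORD_PROPERTY, new String(password));
    }

    /** Stand-alone check of the handler; run with WS_CLIENT_PASSWORD set. */
    public static void main(String[] args) throws Exception {
        PasswordCallback pc = new PasswordCallback("Keystore password", false);
        new EnvPasswordHandler().handle(new Callback[] { pc });
        char[] got = pc.getPassword();
        System.out.println("handler supplied " + got.length + " characters");
        Arrays.fill(got, '\0');
        pc.clearPassword();
    }
}
```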

smjain1
Offline
Joined: 2007-10-04
Points: 0

Thx a ton Jayanti,
your help is highly appreciated.
Please let me know how I can integrate Metro with JBossWS. I don't see the release of JBoss WS2.1 which is supposed to provide the integration. Any other way of doing it...
Rgds
Shashank

swpalmer
Offline
Joined: 2003-06-10
Points: 0

> Hi,
>
> The fact that you had to change your
> CallbackHandler indicates to me that you are using
> XWSS 2.0 style security for the client and NOT WSIT
> style security.

Just to make sure we are talking about the same thing.. it was the server-side callback handler that needed tweaking. The client side is still using the generic callbacks as provided by the wizard in the xml config file.
I mentioned the wsit-client.xml file and the policy stuff that is referenced by it about 7 or 8 posts back.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi,

1. So do you have something like a wsit-*.xml file on the server side describing the Policy in the WSDL?

2. Do you have a server-security-config.xml file which configures the server side callbackhandler?

It appears you have 2 on the server side and not 1.

Can you send me a cleaned zip of your server so I can take a look and see? You should not have to define a server-security-config.xml with a CallbackHandler for the server side. It should work similar to how the client side works using the Default Generic CallbackHandler.

Thanks.

swpalmer
Offline
Joined: 2003-06-10
Points: 0

I do have #1 and NOT #2.

The callback handler is configured in the wsit-* file like so:
[code]
...
... all sorts of policy stuff here ...
...
[/code]

In the callback handler I needed this, in addition to all the other basic stuff like password validation:
[code]
if (cb.getRequest() instanceof DecryptionKeyCallback.X509IssuerSerialBasedRequest)
{
    DecryptionKeyCallback.X509IssuerSerialBasedRequest request =
            (DecryptionKeyCallback.X509IssuerSerialBasedRequest) cb.getRequest();
    // I only have one private key
    PrivateKey privKey = getPrivateKey();
    request.setPrivateKey(privKey);
}
[/code]

Isolating the server into something you can compile and run would take significant time and effort, and I would need to get permission.

Basically I have:
[code]
@WebService(name="Thing", serviceName="ThingService")
public class MyServerClass implements X, Y {
    @Resource WebServiceContext context;
    // ... various methods annotated with @WebMethod
}

public class MyMainClass {
    public static void main(String[] args) {
        // ...
        String publishPoint = prefs.get("wsPublishPoint", "http://"+webHost+":43778/Thing");
        Endpoint webService = Endpoint.publish(publishPoint, new MyServerClass());
        // ...
    }
}
[/code]

Here is the complete contents of my wsit-* config file on the server side:
[code]

xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
name="StreamService"
targetNamespace="http://klamathserver.digitalrapids.ca/"
xmlns:tns="http://klamathserver.digitalrapids.ca/"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
>
[/code]

I know this wsit-* file is picked up because I see messages in the console to that effect when I create the endpoint.

Btw...How would the server-side default callback handler do password validation?

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

>
> The callback handler is configured in the wsit-* file
> like so:
> [code]
> ...
>
>
>
> sorts of policy stuff here ...
> > wspp:visibility="private">
> > name="xwssCallbackHandler"
> classname="my.package.SecurityEnvironmentHandler"/>
> > default="ThisDoesNotMatter"
> name="usernameHandler"/>
>
> sp:All>

OK got it. If you had not configured the xwssCallbackHandler then everything gets handled by the Default CallbackHandler, especially the encryption and decryption stuff. The only thing you will need to do in that case is to configure the Keystore and Truststore assertions in this file.

And to handle Username/Password validations you would need a UsernameValidator configured under a ValidatorConfiguration element. If you are running in a Container (GlassFish) then username/password is validated with the configured Realms and no ValidatorConfiguration is necessary.

>
> Btw...How would the server-side default callback
> handler do password validation?

By specifying a Validator as explained above.

BTW your usage does not cause any performance degradation.

Thanks.
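
A validator of the kind described in the reply above, as an added example (not code from this thread or from XWSS): it implements `PasswordValidationCallback.PasswordValidator` and checks plain-text UsernameToken passwords against salted PBKDF2 hashes. The class name, the in-memory user store and the sample account are assumptions; the XWSS/Metro jars must be on the classpath.

```java
import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: username/password validator backed by salted PBKDF2 hashes. */
public class HashedPasswordValidator
        implements PasswordValidationCallback.PasswordValidator {

    private static final int ITERATIONS = 210000;  // assumption: tune for your hardware
    private static final int KEY_BITS = 256;

    /** One stored credential: random salt plus derived key, never the password. */
    private static final class Entry {
        final byte[] salt;
        final byte[] hash;
        Entry(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Map<String, Entry> users = new ConcurrentHashMap<String, Entry>();
    // Checked for unknown users so both paths cost one PBKDF2 run.
    private final Entry decoy = newEntry("decoy-not-a-real-account".toCharArray());

    private static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            // PBKDF2WithHmacSHA256 needs Java 8+; Java 6/7 only ship PBKDF2WithHmacSHA1.
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }

    private static Entry newEntry(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Entry(salt, derive(password, salt));
    }

    /** Provisioning hook; a real deployment would load entries from storage. */
    public void addUser(String username, char[] password) {
        users.put(username, newEntry(password));
    }

    @Override
    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        if (!(request instanceof PasswordValidationCallback.PlainTextPasswordRequest)) {
            // Digest tokens need the clear-text password on the server; not supported here.
            throw new PasswordValidationCallback.PasswordValidationException(
                    "only plain-text UsernameToken passwords are supported");
        }
        PasswordValidationCallback.PlainTextPasswordRequest plain =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
        String user = plain.getUsername();
        String supplied = plain.getPassword();
        if (user == null || supplied == null) {
            return false;
        }
        Entry stored = users.get(user);
        Entry target = (stored != null) ? stored : decoy;
        byte[] candidate = derive(supplied.toCharArray(), target.salt);
        // MessageDigest.isEqual compares in constant time on current JDKs.
        boolean match = MessageDigest.isEqual(candidate, target.hash);
        return stored != null && match;
    }

    public static void main(String[] args) throws Exception {
        HashedPasswordValidator v = new HashedPasswordValidator();
        v.addUser("alice", "correct horse".toCharArray());  // constructed sample account
        System.out.println("good password: " + v.validate(
                new PasswordValidationCallback.PlainTextPasswordRequest("alice", "correct horse")));
        System.out.println("bad password : " + v.validate(
                new PasswordValidationCallback.PlainTextPasswordRequest("alice", "guess")));
        System.out.println("unknown user : " + v.validate(
                new PasswordValidationCallback.PlainTextPasswordRequest("mallory", "guess")));
    }
}
```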

swpalmer
Offline
Joined: 2003-06-10
Points: 0

> >
> > The callback handler is configured in the wsit-*
> file
> > like so:
> > [code]
> > ...
> >
> >
> >
> > sorts of policy stuff here ...
> > > > wspp:visibility="private">
> > > > name="xwssCallbackHandler"
> >
> classname="my.package.SecurityEnvironmentHandler"/>
> > default="ThisDoesNotMatter"
> name="usernameHandler"/>
>
> got it. If you had not configured the
> xwssCallbackHandler then everything gets handled by
> the Default CallbackHandler, especially the
> encryption and decryption stuff. The only thing you
> will need to do in that case is to configure the
> Keystore and Truststore assertions in this file.

Keep in mind that I only added the line for xwssCallbackHandler *after* I saw that the Default callback handler did not handle the DecryptionKeyCallback.X509IssuerSerialBasedRequest for me.

Perhaps the fact that I didn't have a element was the cause?

Thanks

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

>
> Keep in mind that I only added the line for
> xwssCallbackHandler *after* I saw that the Default
> callback handler did not handle the
> DecryptionKeyCallback.X509IssuerSerialBasedRequest
> for me.
>
> Perhaps the fact that I didn't have a
> element was the cause?

Could be...

Thanks.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

The Production build which has this fix will come in November timeframe.
https://wsit-docs.dev.java.net/index.html

The Promoted nightlies (tested) will come sooner than that.
https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5647&e...

Please check those links regularly and pickup the build when available.

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi,
I am facing a lot of problems when securing a simple web service using WSIT.
The setup uses NetBeans 5.5.1 and the GlassFish app server.
I get the following error when running the Java client
javax.xml.ws.soap.SOAPFaultException: Cannot validate request
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:187)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:254)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy38.getName(Unknown Source)
at com.hp.testnewws.client.standalone.TestNewClient.main(TestNewClient.java:28)
Caused by: javax.xml.ws.WebServiceException: Cannot validate request
at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:175)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:290)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Cannot validate request
Caused by: com.sun.enterprise.security.jauth.AuthException: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found ReferenceList
at com.sun.xml.wss.provider.ServerSecurityAuthModule.validateRequest(ServerSecurityAuthModule.java:110)
at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
... 39 more
BUILD SUCCESSFUL (total time: 3 seconds)

The server log shows the following

com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found ReferenceList
at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:857)
at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:810)
at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:256)
at com.sun.xml.wss.provider.ServerSecurityAuthModule.validateRequest(ServerSecurityAuthModule.java:102)
at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:290)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found ReferenceList
at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:749)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:457)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:263)
at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:848)
... 44 more
SEC2002: Container-auth: wss: Error validating request
com.sun.enterprise.security.jauth.AuthException: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found ReferenceList
at com.sun.xml.wss.provider.ServerSecurityAuthModule.validateRequest(ServerSecurityAuthModule.java:110)
at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:290)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)

I am attaching the WSDL file along with the other server and client configuration files. Please help.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi smjain,

Would you please post your question on a different thread so as not to confuse the readers of this thread.

You seem to have run into a very strange configuration wherein the Server is making use of a pre-WSIT GF Security Provider and not WSIT. Although you have a WSIT configuration file for the server, that is not the one being used.

Please follow the article in this link :

http://www.netbeans.org/kb/60/websvc/wsit.html

Thanks.
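
The diagnosis above can be read off the stack traces in this thread: the failing request is validated by `com.sun.xml.wss.provider.ServerSecurityAuthModule`, while the trace posted after the fresh install goes through `com.sun.xml.wss.provider.wsit.WSITServerAuthContext`. An added example (not from the thread or from GlassFish) that classifies a server log on that basis; treating the first class as the pre-WSIT provider is an inference from these two traces, and the sample lines are copied from them.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: tells which security provider validated a request, from a stack trace. */
public class ProviderTriage {

    enum Provider { WSIT, PRE_WSIT, UNKNOWN }

    // Frame prefixes taken from the two traces in this thread.
    static final String WSIT_FRAME = "com.sun.xml.wss.provider.wsit.";
    static final String LEGACY_FRAME = "com.sun.xml.wss.provider.ServerSecurityAuthModule.";

    // "at some.Class.method(File.java:123)", possibly indented.
    static final Pattern FRAME = Pattern.compile("^\\s*at\\s+([\\w.$<>]+)\\(");
    // XWSS message ids such as WSS1816 or WSSPIPE0016.
    static final Pattern CODE = Pattern.compile("\\b(WSS(?:PIPE)?\\d{4})\\b");
    static final String VIOLATION = "PolicyViolationException: ";

    static final class Report {
        Provider provider = Provider.UNKNOWN;
        final Set<String> codes = new LinkedHashSet<String>();
        final List<String> policyViolations = new ArrayList<String>();

        @Override
        public String toString() {
            return "provider=" + provider + " codes=" + codes
                    + " policyViolations=" + policyViolations;
        }
    }

    static Report analyse(List<String> lines) {
        Report r = new Report();
        for (String line : lines) {
            Matcher f = FRAME.matcher(line);
            if (f.find()) {
                String frame = f.group(1);
                if (frame.startsWith(WSIT_FRAME)) {
                    r.provider = Provider.WSIT;
                } else if (frame.startsWith(LEGACY_FRAME) && r.provider == Provider.UNKNOWN) {
                    r.provider = Provider.PRE_WSIT;
                }
                continue;  // stack frames carry no message text
            }
            Matcher c = CODE.matcher(line);
            while (c.find()) {
                r.codes.add(c.group(1));
            }
            int i = line.indexOf(VIOLATION);
            if (i >= 0) {
                String msg = line.substring(i + VIOLATION.length()).trim();
                if (!r.policyViolations.contains(msg)) {
                    r.policyViolations.add(msg);  // the same cause is logged several times
                }
            }
        }
        return r;
    }

    public static void main(String[] args) {
        // Lines copied from the first server log in this thread.
        List<String> first = Arrays.asList(
            "com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.PolicyViolationException: "
                + "Expected Signature Element as per receiver requirements, found ReferenceList",
            "at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:256)",
            "at com.sun.xml.wss.provider.ServerSecurityAuthModule.validateRequest(ServerSecurityAuthModule.java:102)",
            "SEC2002: Container-auth: wss: Error validating request");
        // Lines copied from the log posted after the fresh install.
        List<String> second = Arrays.asList(
            "WSS1913: Key used to decrypt EncryptedKey cannot be null",
            "javax.xml.ws.soap.SOAPFaultException: WSS1816: Error occurred while resolving Direct Reference",
            "at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:297)");
        System.out.println(analyse(first));
        System.out.println(analyse(second));
    }
}
```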

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi Jayanti,
Thanks for the inputs. I read the article and tried the tutorial, but it's still not working. Why is it not picking up the WSIT files?
Regards
Shashank

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi,

Not sure where you are getting stuck. Can you try and follow the article and do everything from the beginning using a fresh GlassFish installation?

Also make sure in your GF install (domain.xml) the following is commented.

message-security-config

Just comment out the entire element because somehow in your case the providers defined under this element are getting used while what you intend to use is WSIT security.

I am not sure what steps you do in NetBeans, so I am asking you to manually comment out the element and then strictly follow the steps in the article.

Thanks.

smjain1
Offline
Joined: 2007-10-04
Points: 0

Hi Jayanti,
I installed everything fresh now..
I get this error when i run the secure calculator example..

WSS1913: Key used to decrypt EncryptedKey cannot be null
WSS1927: Error occured while decrypting EncryptedKey
WSS1816: Error occurred while resolving Direct Reference
StandardWrapperValve[ClientServlet]: PWC1406: Servlet.service() for servlet ClientServlet threw exception
javax.xml.ws.soap.SOAPFaultException: WSS1816: Error occurred while resolving Direct Reference
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:187)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:254)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:224)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:117)
at $Proxy81.add(Unknown Source)
at org.me.calculator.client.ClientServlet.processRequest(ClientServlet.java:70)
at org.me.calculator.client.ClientServlet.doGet(ClientServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: com.sun.xml.wss.XWSSecurityException: WSS1816: Error occurred while resolving Direct Reference
at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processDirectReference(SecurityTokenProcessor.java:244)
at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.resolveReference(SecurityTokenProcessor.java:130)
at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processKeyInfo(KeyInfoProcessor.java:132)
at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(KeyInfoProcessor.java:118)
at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData.java:145)
at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.java:103)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:362)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:264)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:219)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:471)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:297)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:211)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
... 2 more
Caused by: javax.xml.crypto.KeySelectorException: com.sun.xml.wss.XWSSecurityException: WSS1927: Error occured while decrypting EncryptedKey
at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveDirectReference(KeySelectorImpl.java:563)
at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processDirectReference(SecurityTokenProcessor.java:241)
... 57 more
Caused by: com.sun.xml.wss.XWSSecurityException: WSS1927: Error occured while decrypting EncryptedKey
at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.getKey(EncryptedKey.java:343)
at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveDirectReference(KeySelectorImpl.java:450)
... 58 more
Caused by: java.io.IOException: Key used to decrypt EncryptedKey cannot be null
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.decryptKey(CryptoProcessor.java:276)
at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.getKey(EncryptedKey.java:340)
... 59 more
Please advise.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

> Yes, the sayHello input and output is not encrypted
> and has no username/password requirement, but there
> is a bunch of security related headers with
> EncryptionMethod, CipherData, CipherValue,
> EncryptedKey etc... all of which appear to me to be
> unnecessary for a unsecure method with plaintext
> input/output.

The EncryptedData header represents an Encrypted Username/Password Token. Like I said before, you either need to send an Encrypted Username/Password or use SSL and send a Plain-Text username/password. This one is doing the former. The EncryptedKey contains a Random Secret Encrypted for the Server so that only the server can decrypt and get the Secret and use the secret to Decrypt the Encrypted Username/Password.
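The exchange described above, as an added example that is not part of the original post or of Metro/WSIT: a Java model of how the EncryptedKey and the EncryptedData relate. It swaps in AES-GCM for the data cipher rather than reproducing the XML Encryption wire format, and the class name, field names and sample token are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (hypothetical class name); needs Java 8 or later for AES-GCM.
public class EncryptedKeyModel {

    // RSA-OAEP key transport, the style of key wrap used for the EncryptedKey.
    static final String KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    // Swapped-in data cipher: authenticated AES-GCM, not the XML Encryption format.
    static final String DATA_CIPHER = "AES/GCM/NoPadding";

    // What travels in the security header.
    static final class SecuredToken {
        final byte[] encryptedKey;   // role of EncryptedKey/CipherValue
        final byte[] iv;
        final byte[] encryptedData;  // role of EncryptedData/CipherValue
        SecuredToken(byte[] encryptedKey, byte[] iv, byte[] encryptedData) {
            this.encryptedKey = encryptedKey;
            this.iv = iv;
            this.encryptedData = encryptedData;
        }
    }

    // Client side: only the server's PUBLIC key (from its certificate) is needed.
    static SecuredToken protect(String usernameToken, PublicKey serverPublic)
            throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey secret = kg.generateKey();          // the "random secret"

        Cipher wrap = Cipher.getInstance(KEY_TRANSPORT);
        wrap.init(Cipher.WRAP_MODE, serverPublic);
        byte[] encryptedKey = wrap.wrap(secret);      // only the server can undo this

        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance(DATA_CIPHER);
        enc.init(Cipher.ENCRYPT_MODE, secret, new GCMParameterSpec(128, iv));
        byte[] data = enc.doFinal(usernameToken.getBytes(StandardCharsets.UTF_8));
        return new SecuredToken(encryptedKey, iv, data);
    }

    // Server side: the PRIVATE key recovers the secret, the secret recovers the token.
    static String recover(SecuredToken t, PrivateKey serverPrivate)
            throws GeneralSecurityException {
        Cipher unwrap = Cipher.getInstance(KEY_TRANSPORT);
        unwrap.init(Cipher.UNWRAP_MODE, serverPrivate);
        Key secret = unwrap.unwrap(t.encryptedKey, "AES", Cipher.SECRET_KEY);

        Cipher dec = Cipher.getInstance(DATA_CIPHER);
        dec.init(Cipher.DECRYPT_MODE, secret, new GCMParameterSpec(128, t.iv));
        return new String(dec.doFinal(t.encryptedData), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();
        KeyPair someoneElse = kpg.generateKeyPair();

        // Constructed sample token, not taken from the thread.
        String token = "username=alice;password=constructed-sample";
        SecuredToken st = protect(token, server.getPublic());

        System.out.println("server recovers: " + recover(st, server.getPrivate()));
        try {
            recover(st, someoneElse.getPrivate());
            System.out.println("unexpected: a different key recovered the token");
        } catch (GeneralSecurityException e) {
            System.out.println("other key holder fails: " + e.getClass().getSimpleName());
        }
    }
}
```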

swpalmer
Offline
Joined: 2003-06-10
Points: 0

> > Yes, the sayHello input and output is not encrypted
> > and has no username/password requirement, but there
> > is a bunch of security related headers with
> > EncryptionMethod, CipherData, CipherValue,
> > EncryptedKey etc... all of which appear to me to be
> > unnecessary for a unsecure method with plaintext
> > input/output.
>
> The EncryptedData header represents an Encrypted
> Username/Password Token. Like i said before, you
> either need to send an Encrypted Username/Password or
> use SSL and send a Plain-Text username/password.
> This one is doing the former. The EncryptedKey
> contains a Random Secret Encrypted for the Server so
> that only the server can decrypt and get the Secret
> and use the secret to Decrypt the Encrypted
> Username/Password.

I think you missed my point. These encryption headers were still sent and required by the *non-secure* "sayHello". I understand that they would be required when the username/password was needed, but sayHello didn't need a username/password yet still required encryption related headers that appeared to be unused. Until I removed the UsesAddressing requirement.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

> These magic XML files seem to do a lot. Your
> example uses XWSS 2.0 security, but it appears that
> WSIT security can be used just by changing the
> configuration file to one with the
> wsit-packageName.serviceName.xml naming convention
> and tweaking the contents.

That is true. Let me give a try of WSIT Security with JDK 6 Endpoints next week and then I will get back to you.

If you wish to use WSIT Security with Normal JAXWS Endpoints (Not the JDK 6 Endpoint) then we have a lot of tutorials and screencasts that can help you.

https://metro.dev.java.net/discover/screencasts.html

>
> I'm still confused over what technology I actually
> end up using. jaxws* jars seem to be replaced with
> webservice* jars and I haven't seen a reference to
> that name change anywhere. I think that the
> webservice stuff is only augmenting the jaxws stuff,
> not replacing it entirely... but I don't seem to need
> jaxws-rt.jar anymore.

webservices-rt.jar is the entire Metro/WSIT WebServices Stack Runtime from Sun. It includes JAXWS as part of it.

> I'm going to try to get WSIT security working, but I
> don't know the XML structure very well.

For this it is best to try and use NetBeans WSIT Plugin and generate a WebService and then later on try and use the generated XML with a JDK6 Endpoint somehow.

Thanks.

swpalmer
Offline
Joined: 2003-06-10
Points: 0

I'm not sure, but I think the plaintext password that I have working is a little more complicated.. the header contains an element for "Nonce" that I'm not sure about. I didn't think it would be there for plain text. Maybe that is also related to why it is still making the callback to get a private key.

Anyway...

I have a WSIT config file doing something with my Java 6 EndPoint.
When I try to access the service with a simple generic client I get an error response about not having the appropriate security headers. It also seems to be accessing the keystore I specified based on the errors I was getting until I configured the keystore location and password properly. So I *think* it is working.

My problem is simply that I don't know what I'm doing with the wsit config XML at this point. I pulled the sample from the secure calculator example and made some minor tweaks, like adding some of my messages and operations. I see that NB 6.0 recognizes the config file as a special file and has some wizards that help with that.

I'm using the DefaultCallbackHandler, which may be good enough. It looks like I can inject my own usernameValidator via a property.

My ultimate goal is to make a few of the operations require no security while the rest are secure.

swpalmer
Offline
Joined: 2003-06-10
Points: 0

How do you specify a security policy that says no security is needed?

I tried an empty policy like this:
[code]





[/code]

but that gave me this exception:

javax.xml.ws.soap.SOAPFaultException: SP0105: Either SymmetricBinding/AsymmetricBinding/TransportBinding assertion must be present in the wsdl.

I wish I knew what I was doing, but this stuff isn't developer-friendly..

I tried:
[code]











[/code]

but then I get this exception:

java.lang.NullPointerException
at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.addPrimaryTargets(BindingProcessor.java:185)
at com.sun.xml.ws.security.impl.policyconv.SymmetricBindingProcessor.process(SymmetricBindingProcessor.java:144)
...

I tried stuff with an optional empty policy:

[code]




assume something valid here





[/code]

Which I thought was allowed according to the only references I can find at W3C:
http://www.w3.org/TR/2007/REC-ws-policy-20070904/

But that was rejected:
18-Sep-2007 4:22:44 PM [com.sun.xml.ws.policy.util.PolicyMapUtil] initPolicyMap
SEVERE: WSP0035: Policy "SimplePortBindingPolicy" contains more than one policy alternative. Please reconfigure the service with only one policy alternative.
javax.xml.ws.WebServiceException: com.sun.xml.ws.policy.PolicyException: WSP0035: Policy "StreamSimplePortBindingPolicy" contains more than one policy alternative. Please reconfigure the service with only one policy alternative.
at com.sun.xml.ws.assembler.PipelineAssemblerFactoryImpl$WsitPipelineAssembler.initPolicyMap(PipelineAssemblerFactoryImpl.java:682)
...

The link you referenced (http://blogs.sun.com/ritzmann/entry/wsit_with_a_j2se_endpoint) claims "The WSIT tutorial has extensive documentation on how to generate a configuration file." But it assumes that I'm using glassfish for most things and NetBeans wizards for other things... none of which work for my simple Java application with a Java 6 endpoint.
I wish I could just annotate my service with username and password info, and my web methods with "secure" or "not secure"...

I also haven't figured out how WSIT will allow the username password info to be sent once as opposed to with every request...

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi,

Firstly it is good to know that your WSIT config file is getting picked up....

As you observe, WS-SecurityPolicy is way too complex to code by hand and hence the need for NetBeans Wizards and profiles etc.

If you want to be an expert in WS-SecurityPolicy you will need to go through the spec:

http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf

> How do you specify a security policy that says no
> security is needed?

This is done by not specifying any signed parts or encrypted parts for the operation.

> I wish I could just annotate my service with username
> and password info, and my web methods with "secure"
> or "not secure"...
>

Now I would like to understand this. By Secure do you mean send a Username/Password in Plain-Text over the SOAP Message for one particular method (the secure one) and not send the Username-Password for the other one?

The WS-SecurityPolicy specification does not allow you to achieve this. Firstly it does not allow Plain-Text username/password to be sent over the wire unless you are using SSL underneath.

If you want to send a Username-Password without SSL then at least you will have to Encrypt the username-password.

If you open the NetBeans Wizard you will see a SecurityProfile called : Username Authentication with SymmetricKeys for Integrity and confidentiality protection.

This profile would suit the best for your case.

I have created a sample for you in a little less than 20 mins, both webservice client and service, using NetBeans and it does what you intend to do.

Attached is the WSIT configuration file for the service which has two operations sayHello and sayBye of which only sayHello is secured (sends an Encrypted Username-Password) and the sayBye operation is unsecure.

I did have to do one small hand-edit in the NB generated file since I believe you did not want to send the Username-Password for the second operation (I had to move the usernametoken policy down to the specific input message for which you wanted it to be sent).

I have also attached the request-response SOAPMessage dumps for the two operation calls.

> I also haven't figured out how WSIT will allow the
> username password info to be sent once as opposed to
> with every request...

This can be achieved by establishing a SecureConversation Session after the first authentication. If you use NetBeans it is a matter of just an extra check-box.

Thanks.

swpalmer
Offline
Joined: 2003-06-10
Points: 0

> Firstly it is good to know that your WSIT config
> file is getting picked up....
>
> As you observe, WS-SecurityPolicy is way too complex
> to code by hand and hence the need for NetBeans
> Wizards and profiles etc.

I would like to be able to use the wizard on any arbitrary wsit-***.xml file, even when my project isn't a "web" project. That would make this a whole lot easier. As it is there does seem to be a special editor that gets used on the wsit config file, which is nice, but doesn't have any easy checkboxes for "SecureConversation" for example.

> > How do you specify a security policy that says no
> > security is needed?
>
> This is done by not specifying any signed parts or
> encrypted parts for the operation.

I tried that but it didn't work... I'll have to look at your config file.
The calculator example has 3 security policies defined. One has the username stuff in it (as far as I can tell) and then there are two more, one for the input, one for the output. They say what parts are encrypted and signed. I tried adding an operation and binding the input/output to a new empty policy - but I was just guessing at what might work.

> > I wish I could just annotate my service with username
> > and password info, and my web methods with "secure"
> > or "not secure"...
> >
>
> Now i would like to understand this. By Secure do you
> mean send a Username/Password in Plain-Text over the
> SOAP Message for one particular method (the secure
> one) and not send the Username-Password for the other
> one ?.

No, I want the secure method to need an encrypted password (or secure conversation?) but the un-secure method to not need any encryption, signing or username/password. (Like a typical jax-ws service.)

> The WS-SecurityPolicy specification does not allow
> you to achieve this. Firstly it does not allow
> Plain-Text username/password to be sent over the wire
> unless you are using SSL underneath.
>
> If you want to send a Username-Password without SSL
> then atleast you will have to Encrypt the
> username-password.

Yes, that's ok. I just want some methods to not need the username/password at all and not need any signing or encryption.. no special SOAP headers.

> If you open the NetBeans Wizard you will see a
> SecurityProfile called : Username Authentication
> with SymmetricKeys for Integrity and confidentiality
> protection.

I think that is what I based my config file on already. I think the secure calculator example uses that security profile.

> This profile would suit the best for your case.
>
> I have created a sample for you in little less than
> 20 mins both webservice client and service using
> NetBeans and it does what you intend to do.

Thank you very much for spending time on this!

> Attached is the WSIT configuration file for the
> service which has two operations sayHello and sayBye
> of which only sayHello is secured (sends an Encrypted
> Username-Password) and the sayBye operation is
> unsecure.

Excellent.

> I did have to do one small hand-edit in the NB
> generated file since i believe you did not want to
> send the Username-Password for the second operation (
> i had to move the usernametoken policy down to the
> specific input message for which you wanted it to be
> sent).

Right. This is great.

> > I also haven't figured out how WSIT will allow the
> > username password info to be sent once as opposed to
> > with every request...
>
> This can be achieved by establishing a
> SecureConversation Session after the first
> authentication. If you use NetBeans it is a matter
> of just an extra check-box.

Can this work in combination with unsecured methods? So some unsecured methods can be called before establishing the SecureConversation?

Thanks a lot for your assistance!

swpalmer
Offline
Joined: 2003-06-10
Points: 0

Ok.. I've looked at the log of messages from your service and it wasn't doing exactly what I wanted.

Yes, the sayHello input and output is not encrypted and has no username/password requirement, but there is a bunch of security related headers with EncryptionMethod, CipherData, CipherValue, EncryptedKey etc... all of which appear to me to be unnecessary for an unsecure method with plaintext input/output.

The problem was that the service seems to require this data in the header for the unsecured methods, since when I used your policy file with my service and an attempt to call my unprotected "getVersion" method from a generic client this happened:
[code]
====[com.sun.xml.ws.assembler.server:request]====






============
19-Sep-2007 10:56:50 AM com.sun.xml.ws.addressing.WsaTube validateInboundHeaders
WARNING: A required header representing a Message Addressing Property is not present, Problem header:{http://www.w3.org/2005/08/addressing}Action
com.sun.xml.ws.addressing.model.MapRequiredException
at com.sun.xml.ws.addressing.WsaTube.checkCardinality(WsaTube.java:222)
at com.sun.xml.ws.
...
====[com.sun.xml.ws.assembler.server:response]====




{http://www.w3.org/2005/08/addressing}Action




ns0:MessageAddressingHeaderRequired
A required header representing a Message Addressing Property is not present



============
[/code]

But I managed to fix it by commenting out the wsaws:UsingAddressing element. I'm not sure what that implies.. but it seems to be okay.

So I have achieved success! My next step is to try the SecureConversation Session. Hopefully that still works when I have plaintext methods as well as secure methods.

Thanks a lot for your help.

swpalmer
Offline
Joined: 2003-06-10
Points: 0

I'm having trouble getting the secure methods working from the client now. I used NB 6 (20070918 nightly) to import the web service into a simple Java Application.

I tried two ways to set up the security stuff. First using the properties file "client-security.env.properties" to set callback handlers for username and password, and to set the truststore URL (path actually) and alias, storepass etc..

Then I deleted that file and tried using the NB Wizard to edit the web service attributes so it had a truststore and username/password (static)

But I couldn't get past this error:

SEVERE: WSS0221: Unable to locate matching certificate for Key Ecnryption using Callback Handler.
19-Sep-2007 2:44:55 PM com.sun.xml.wss.impl.filter.SignatureFilter process
SEVERE: WSS1413: Error extracting certificate
com.sun.xml.wss.XWSSecurityException: Unable to locate certificate for the alias ''
at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getCertificate(DefaultSecurityEnvironmentImpl.java:365)

Note the typo "Ecnryption"

That was trying to use a secret key in a JCEKS type keystore for the truststore... I thought I needed that type of key and not a key pair..

Then I changed to a key pair in a regular JKS keystore for the truststore (and then the NB wizard would at least load the alias values) and I got a different problem...

19-Sep-2007 2:51:53 PM com.sun.xml.ws.security.opt.impl.keyinfo.TokenBuilder buildKeyInfoWithKI
SEVERE: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier.
19-Sep-2007 2:51:53 PM com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor sign
SEVERE: WSS1701: Sign operation failed.
com.sun.xml.wss.XWSSecurityException: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier.
at com.sun.xml.ws.security.opt.impl.keyinfo.TokenBuilder.buildKeyInfoWithKI(TokenBuilder.java:147)
at com.sun.xml.ws.security.opt.impl.keyinfo.X509TokenBuilder.process(X509TokenBuilder.java:79)
at com.sun.xml.ws.security.opt.impl.keyinfo.SymmetricTokenBuilder.process(SymmetricTokenBuilder.java:142)

So it appears that I have something wrong with the keystore/truststore on the client side.
I can't find anything in the tutorial https://wsit-docs.dev.java.net/releases/1-0-FCS/WSIT_Security6.html#wp14... that helps.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

>
> I tried two ways to set up the security stuff. First
> using the properties file
> "client-security.env.properties" to set callback
> handlers for username and password, and to set the
> truststore URL (path actually) and alias, storepass
> etc..

Do not use this as this is (OLD) XWSS 2.0 style of doing things.

> Note the typo "Ecnryption"

Will fix this.

>
> Then I changed to a key pair in a regular JKS
> keystore for the truststore (and then the NB wizard
> would at least load the alias values) and I got a
> different problem...

So what values did you set for the Keystore and Truststore alias on the client side?
>
> 19-Sep-2007 2:51:53 PM
> com.sun.xml.ws.security.opt.impl.keyinfo.TokenBuilder
> buildKeyInfoWithKI
> SEVERE: WSS1852: KeyIdentifier value cannot be empty.
> Possible cause, certificate version being used does
> not support SubjectKeyIdentifier.

This will happen if the cert alias specified for the client side keystore is not a V3 Certificate. There are ways to change the policy to make use of Non-V3 Certs but I guess it is easier to fix the certs in your case.

Can you send me the Client side WSIT configuration file that you are using?

Thanks.

swpalmer
Offline
Joined: 2003-06-10
Points: 0

I created a self-signed V3 certificate with keytool and set the keystore and alias on the client using the NB web service client property editor that allowed me to browse to my keystore and select the alias.

NB created two config files. The first named wsit-client.xml simply references the main file for the service with an element. The main service config file policy section looks like this:
[code]



storepass="client" type="JKS"
location="D:\full_path_to_my\client_keystore.jks"/>







[/code]

The attributes of the TrustStore element properly match what I've used when creating client_keystore.jks. Note that there is no KeyStore element and in fact, the KeyStore button in the NB wizard is disabled so I cannot add one with that mechanism.

I forgot to mention that I used the Java 6 keytool -genkeypair command which according to the docs:
"Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias."

So I should have a V3 certificate.

Doing:
keytool -list -keystore client_keystore.jks -storepass client

I get:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

testclient, 19-Sep-2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 5D:9F:22:BC:E7:AB:64:8A:DC:AE:9B:E7:46:9C:2B:F4

Message was edited by: swpalmer

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi,

So there are two ways you can get this to work now. The JDK6 Keytool generated certs are V3 certs I suppose but they do not contain SubjectKeyIdentifier extension. A later version of JDK 6 (Update release) would have this feature where it creates the SKID.

So to get your scenario working, you can do the following:

1. You can change the policy of the Service so it does not require a cert with SKID

a) Look for the X509 Element :





and add the following line inside it






b) Look for








and comment the






You already mention that the selfsigned cert is also present in the server keystore. So everything should work with this change.

Make sure the client gets the updated WSDL policy (does not have any local copy of WSDL). Normally when we do things with NB there can be a local copy and we do a refresh client in NB.

I just tried it with the sample I pasted yesterday and what you should see is a message like this (note the use of in the message).

http://localhost:8080/SecureWS/SecureWebServiceServicehttp://test/SecureWebService/sayHelloRequest

http://www.w3.org/2005/08/addressing/anonymous

uuid:3ef52e8b-9404-4397-a068-c4484e9013a4CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU2qd5X0EpX2akzAFUR0WKCu5bPJGoNkQTyrMFjlz5tNPgh4b4Cz/34DE3GsUpVYihXxrojJsOApMvpu87bHCwmKJ6cuPLtOQ4i0e7fTjSRgzkmGw3dpuhSE27r4n4JlKlw/Dyd95TbuGET8hoqupxn1k0BV6W6Y2MN4IsKc/4U9Ls=dTgG1vTaMZ4/XiweCt6iDOT+efTtqUce8Ka6AzvsTATkKptmkDT6Re3pH00mh0HKy3MSrc/YWyi5QMYQv+5fvFKUxyIvvikFkS1gK4hspphrpTYcCJqZQCJC6DVuQtTNzR3jAHKiM/NBSur36eQDRO8PMbIHxvEVLTwY2c+b3ZIcgtfrM2I7yvmml/pffzHDxDBgCgl3nbMufVCpjfKQ5NPOyOUZDXW0+Zmj0qOrGOPYj+/AAS8noyKvp0eqyPKjVWIAZ9uP/+7Bs1MMdFQtUZQpW+MoF98Fp2JtmNaMqS7Gdy1jSkY04fcRFet/5sG9H4sxWbHSBVudZ7p+8y39ZHaOS0UPdROMk4OFyRLOup7NX+ukZrdnYRZXDnq5W+ala4bix0eFPiMa7EyHYEhkiQ==WORLD
--------------------

Let me know if this worked.

I can suggest another way but it will be required only if this one doesn't work.

thanks.

swpalmer
Offline
Joined: 2003-06-10
Points: 0

After making those changes the client reports this error:

20-Sep-2007 1:39:01 PM com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor getCipherValueOfEK
SEVERE: WSS1906: Invalid key provided for encryption/decryption.
java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPublicKeyImpl
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.initCipher(CryptoProcessor.java:102)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:136)
at com.sun.xml.ws.security.opt.impl.enc.JAXBEncryptedKey.getCipherValue(JAXBEncryptedKey.java:246)
at com.sun.xml.ws.security.opt.impl.keyinfo.SymmetricTokenBuilder.process(SymmetricTokenBuilder.java:153)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:145)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:93)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:450)

I don't understand how it is possible that my key is not supported when I created it with Java.

kumarjayanti
Offline
Joined: 2003-12-10
Points: 0

Hi,

The Key that you are using is a DSA Public Key as opposed to an RSA public Key. Can you please specify the -keyalg parameter and specify RSA over there.

keytool -genkeypair -alias myRSAKey -keyalg RSA -keystore sample.jks ....

Also I would like to mention that if the AlgorithmSuite value in your policy is Basic256 as opposed to Basic128 then you will have to install unlimited strength encryption policy files in the JRE. Otherwise you get an exception of the following kind:

> [java] SEVERE: WSS1205: Unable to initialize XML Cipher
> [java] java.security.InvalidKeyException: Illegal key size or default pa
> eters
> [java] at javax.crypto.Cipher.a(DashoA12275)
> [java] at javax.crypto.Cipher.a(DashoA12275)
> [java] at javax.crypto.Cipher.a(DashoA12275)
> [java] at javax.crypto.Cipher.init(DashoA12275)
> [java] at javax.crypto.Cipher.init(DashoA12275)

http://java.sun.com/products/jce/index-14.html
http://java.sun.com/j2se/1.4.2/download.html#docs

Thanks.
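An added example, not part of the thread or of Metro/WSIT: a Java pre-flight check for the keystore problems diagnosed in the replies above (no certificate under the alias, no SubjectKeyIdentifier, a DSA key instead of RSA, a JCE policy too restrictive for Basic256). The class name, the argument order and the `KS_PASS` environment variable are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

// Added example (hypothetical class name); not part of Metro/WSIT.
public class WsitKeyPreflight {

    // OID of the X.509 SubjectKeyIdentifier extension (RFC 5280).
    static final String SKI_OID = "2.5.29.14";

    // AES key size implied by a WS-SecurityPolicy algorithm suite name.
    static int aesBits(String suite) {
        if (suite.startsWith("Basic256")) return 256;
        if (suite.startsWith("Basic192")) return 192;
        return 128;
    }

    // JCE jurisdiction policy: Basic256 needs AES-256 to be permitted.
    static List<String> checkJcePolicy(String suite) throws Exception {
        List<String> out = new ArrayList<String>();
        int max = Cipher.getMaxAllowedKeyLength("AES");
        if (max < aesBits(suite)) {
            out.add("JRE allows AES up to " + max + " bits but " + suite + " needs "
                + aesBits(suite) + ": install the unlimited strength policy files");
        }
        return out;
    }

    // Certificate properties the thread shows the security runtime depending on.
    static List<String> checkCertificate(X509Certificate cert) {
        List<String> out = new ArrayList<String>();
        if (cert.getVersion() != 3) {
            out.add("certificate is X.509 v" + cert.getVersion() + ", extensions require v3");
        }
        if (cert.getExtensionValue(SKI_OID) == null) {
            out.add("no SubjectKeyIdentifier extension: key identifier references fail (WSS1852)");
        }
        String alg = cert.getPublicKey().getAlgorithm();
        if (!"RSA".equals(alg)) {
            out.add("public key is " + alg + ": encrypting the EncryptedKey needs RSA (WSS1906)");
        }
        return out;
    }

    // One keystore entry; the server side also needs the private key.
    static List<String> checkEntry(KeyStore ks, String alias, boolean needPrivateKey)
            throws Exception {
        List<String> out = new ArrayList<String>();
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            out.add("no X.509 certificate under alias '" + alias
                + "' (a secret-key entry has none)");
            return out;
        }
        out.addAll(checkCertificate((X509Certificate) c));
        if (needPrivateKey && !ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            out.add("alias '" + alias + "' has no private key: EncryptedKey cannot be decrypted");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: KS_PASS=... java WsitKeyPreflight "
                + "<keystore> <JKS|JCEKS> <alias> <Basic128|Basic256> [server]");
            return;
        }
        // Password comes from the environment so it does not appear in the process list.
        String pass = System.getenv("KS_PASS");
        KeyStore ks = KeyStore.getInstance(args[1]);
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, pass == null ? null : pass.toCharArray());
        } finally {
            in.close();
        }
        boolean server = args.length > 4 && "server".equals(args[4]);
        List<String> findings = checkEntry(ks, args[2], server);
        findings.addAll(checkJcePolicy(args[3]));
        for (String f : findings) {
            System.out.println("FINDING: " + f);
        }
        if (findings.isEmpty()) {
            System.out.println("no problems found for alias '" + args[2] + "'");
        } else {
            System.exit(1);
        }
    }
}
```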

swpalmer
Offline
Joined: 2003-06-10
Points: 0

Thanks, I have made some progress. All I had to do after changing the key algorithm was to implement DecryptionKeyCallback.X509IssuerSerialBasedRequest in my security callback handler.

Client and Server are now working!

When the password is wrong the client gets:
javax.xml.ws.WebServiceException: java.net.SocketException: Unexpected end of file from server
at com.sun.xml.ws.transport.http.client.HttpClientTransport.checkResponseCode(HttpClientTransport.java:238)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:151)
at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:185)

I sort of expected an exception that was more to the point.. I then determined that this is caused by having assertions enabled on the server.
The server shows:
SEVERE: WSS1408: UsernameToken Authentication Failed
java.lang.AssertionError
at com.sun.xml.ws.message.stream.StreamMessage.(StreamMessage.java:166)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:222)

When I disable assertions on the server the client using a wrong password fails with:
javax.xml.ws.soap.SOAPFaultException: Invalid Username Password Pair
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:187)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)

Since a wrong password is a perfectly valid "failure" shouldn't the server react better with assertions enabled?

Thank you so much for your assistance.