WS-S Signature validation callback result

Anonymous

Hello,

I'm new to all WS-S and Metro framework, so forgive a (possibly) dumb
question.

I developed a secure web-service including a client that signs the
request, everything works as it should. My question is, though, in case
of signature validation failure (or any other security issue, i.e.
missing security header in general) I'd like that the web-service would
be notified, since it's handled by the framework and I didn't find a
quick way of letting the application (or in general, custom Java code)
know about the failure.

I'm not interested in manually verifying the signature, I'll leave that
to the Metro framework (after all, that's what it is used for, isn't
it?), I'd like simply to be notified of the events going on on the
framework level.

How to achieve this?

I'm using NetBeans (6.8) and latest Metro (2.2) to develop the service,
in case it matters.

Thanks for any clue,
Adrien

mlejter
Joined: 2007-05-02

A straightforward way to do this might be to install your own physical SOAP handler on the server side.
Your handler would be called for every incoming SOAP request, which you could just wave on through, and every outgoing SOAP response. These responses you could examine, and you would know whether you're looking at a successful response, or some SOAP error, and react accordingly...

You would need to tinker with the order in which handlers will be called, to make sure yours is called first (incoming) and last (outgoing), so you can see the result of the validation handler on its way out...

Moises

On Apr 10, 2012, at 9:11 AM, Adrien Farkas wrote:

> Hello,
>
> I'm new to all WS-S and Metro framework, so forgive a (possibly) dumb question.
>
> I developed a secure web-service including a client that signs the request, everything works as it should. My question is, though, in case of signature validation failure (or any other security issue, i.e. missing security header in general) I'd like that the web-service would be notified, since it's handled by the framework and I didn't find a quick way of letting the application (or in general, custom Java code) know about the failure.
>
> I'm not interested in manually verifying the signature, I'll leave that to the Metro framework (after all, that's what it is used for, isn't it?), I'd like simply to be notified of the events going on on the framework level.
>
> How to achieve this?
>
> I'm using NetBeans (6.8) and latest Metro (2.2) to develop the service, in case it matters.
>
> Thanks for any clue,
> Adrien

Adrien Farkas

On 12. 4. 2012 15:30, Moises Lejter wrote:
> A straightforward way to do this might be to install your own physical SOAP handler on the server side.
> Your handler would be called for every incoming SOAP request, which you could just wave on through, and every outgoing SOAP response. These responses you could examine, and you would know whether you're looking at a successful response, or some SOAP error, and react accordingly...
>
> You would need to tinker with the order in which handlers will be called, to make sure yours is called first (incoming) and last (outgoing), so you can see the result of the validation handler on its way out...

Moises,

thanks for the answer! If I got you right after implementing message
handlers (tried both SOAP as well as logical handlers, since I only need
to access the payload containing the fault LH should be sufficient)
these are not invoked for the replies (mentioning e.g. wrong signature
or other non-OK results). If the request is a proper one, i.e. it passed
signature and timestamp checks the handler gets invoked once for the
inbound and once for the outbound messages.

Now I'm unsure about the word 'physical' SOAP handler, if that's what
you meant or whether it's something different, not a plain
Protocol/Logical handlers.

In container (TC 5.5) logs for the message not passing the signature
check the following displays:

SOAP handler: Received incoming message.
12.4.2012 17:58:41 com.sun.xml.ws.security.opt.impl.incoming.processor.StreamingPayLoadDigester accept
SEVERE: WSS1717: Error occurred while doing digest verification of body/payload
javax.xml.crypto.dsig.XMLSignatureException: WSS1717: Error occurred while doing digest verification of body/payload
    at com.sun.xml.ws.security.opt.impl.incoming.processor.StreamingPayLoadDigester.accept(StreamingPayLoadDigester.java:111)
    at org.codehaus.stax2.ri.Stax2FilteredStreamReader.next(Stax2FilteredStreamReader.java:37)
    at com.sun.xml.ws.security.opt.impl.util.VerifiedMessageXMLStreamReader.next(VerifiedMessageXMLStreamReader.java:86)
    ...

No mention about 'SOAP handler: Received outgoing message' which is my
handler's message.

Now, did I miss that word 'physical'?

Thanks,
Adrien

aoyiteled
Joined: 2012-04-18

Fortunately, I have not encountered this problem, or just like you confused.

mlejter
Joined: 2007-05-02

Sorry - my bad. I just thought of "physical" as opposed to "logical" :-) -
but I think you're right, the proper names may be "SOAP" and "logical"
handlers ...

Moises

On Thu, Apr 12, 2012 at 11:04 AM, Adrien Farkas wrote:

> On 12. 4. 2012 15:30, Moises Lejter wrote:
>
>> A straightforward way to do this might be to install your own physical
>> SOAP handler on the server side.
>> Your handler would be called for every incoming SOAP request, which you
>> could just wave on through, and every outgoing SOAP response. These
>> responses you could examine, and you would know whether you're looking at a
>> successful response, or some SOAP error, and react accordingly...
>>
>> You would need to tinker with the order in which handlers will be called,
>> to make sure yours is called first (incoming) and last (outgoing), so you
>> can see the result of the validation handler on its way out...
>>
>
> [...]
>
> Now, did I miss that word 'physical'?
>
>

Adrien Farkas

On 12. 4. 2012 18:04, Adrien Farkas wrote:

> ...
>
> No mention about 'SOAP handler: Received outgoing message' which is my
> handler's message.
...

My bad, I should be implementing the handleFault(), not the
handleMessage() in my case. Sorry, please ignore the previous post.

Adrien
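
An added example, not part of the original thread and not Metro's own code: a server-side JAX-WS SOAP handler that audits faults in handleFault(), the method named in the post above. The class name and logger name are hypothetical, and the code assumes security failures reach the handler chain as SOAP faults carrying the WS-Security 1.0 fault codes (wsse:FailedCheck, wsse:InvalidSecurity and so on); any other fault is logged as a plain SOAP fault.

```java
import java.util.Collections;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFault;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

// Hypothetical class name; register it in the service's handler chain.
public class SecurityFaultAuditHandler implements SOAPHandler<SOAPMessageContext> {
    // Hypothetical logger name for security audit events.
    private static final Logger LOG = Logger.getLogger("ws.security.audit");
    // Namespace of the fault codes defined by WS-Security 1.0.
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        return true; // normal requests and responses pass through untouched
    }

    @Override
    public boolean handleFault(SOAPMessageContext ctx) {
        try {
            SOAPFault fault = ctx.getMessage().getSOAPBody().getFault();
            if (fault != null) {
                QName code = fault.getFaultCodeAsQName();
                // Assumption: security failures carry a fault code in the wsse namespace.
                boolean wss = code != null && WSSE_NS.equals(code.getNamespaceURI());
                LOG.log(wss ? Level.WARNING : Level.INFO, "{0} fault {1}: {2}",
                    new Object[] {wss ? "WS-Security" : "SOAP", code, fault.getFaultString()});
            }
        } catch (SOAPException e) {
            LOG.log(Level.WARNING, "Could not read fault from message", e);
        }
        return true; // keep the fault flowing to the client unchanged
    }

    @Override
    public void close(MessageContext ctx) { }

    @Override
    public Set<QName> getHeaders() {
        return Collections.emptySet(); // this handler processes no SOAP headers itself
    }
}
```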

Adrien Farkas

Hi,

anything, anyone?

Meanwhile I discovered that by the entire 'xwssCallbackHandler'
reimplementation the signature itself still gets processed by the
framework (I only have to supply it with key and certificate during the
various CallbackHandler requests) and I'm unable to fetch a WSS1717 error.

Any idea(s), pointers, whatever?

Thanks,
Adrien

On 10. 4. 2012 16:11, Adrien Farkas wrote:
> Hello,
>
> I'm new to all WS-S and Metro framework, so forgive a (possibly) dumb
> question.
>
> I developed a secure web-service including a client that signs the
> request, everything works as it should. My question is, though, in case
> of signature validation failure (or any other security issue, i.e.
> missing security header in general) I'd like that the web-service would
> be notified, since it's handled by the framework and I didn't find a
> quick way of letting the application (or in general, custom Java code)
> know about the failure.
>
> I'm not interested in manually verifying the signature, I'll leave that
> to the Metro framework (after all, that's what it is used for, isn't
> it?), I'd like simply to be notified of the events going on on the
> framework level.
>
> How to achieve this?
>
> I'm using NetBeans (6.8) and latest Metro (2.2) to develop the service,
> in case it matters.