Announcement Announcement Module
Collapse
No announcement yet.
Missing username in ws-security using marshaller Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Missing username in ws-security using marshaller

    Hi,

    I am setting up ws-security using wss4j, but the client drops the username from the request.

    Here is my dump of soap message:

    Code:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
          <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-27799186" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">foobar</wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
        <ns3:RegisterPersonRequest xmlns:ns3="http://blah/server/schema" xmlns="">
        </ns3:RegisterPersonRequest>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    If I copy it to soapui and populate the username field, it works.

    Here is my client side configuration:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:tx="http://www.springframework.org/schema/tx"
    	xmlns:oxm="http://www.springframework.org/schema/oxm"	
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        		http://www.springframework.org/schema/oxm http://www.springframework.org/schema/oxm/spring-oxm-1.5.xsd">
      
    	<bean id="securityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    		<property name="securementActions" value="UsernameToken"/>
    		<property name="securementPasswordType" value="PasswordText"/>
    		<property name="securementUsername" value="donald-duck"/>
    		<property name="securementPassword" value="foobar"/>
    	</bean>
    	
    	<oxm:jaxb2-marshaller id="marshaller" contextPath="blah.server.schema"/>
    	
    	<bean id="service" abstract="true">
    		<property name="marshaller" ref="marshaller" />
    		<property name="defaultUri" value="http://localhost:8820/services/"/>		
    		<property name="interceptors">
    			<list>
    				<ref local="securityInterceptor"/>  
    			</list>
    		</property>
    	</bean>	
    </beans>
    And this is the code bit:
    Code:
    import org.apache.commons.logging.*;
    import org.springframework.oxm.jaxb.Jaxb2Marshaller;
    import org.springframework.ws.client.core.WebServiceTemplate;
    import org.springframework.ws.client.core.support.WebServiceGatewaySupport;
    import org.springframework.xml.transform.StringResult;
    
    public abstract class AbstractClientWebservice extends WebServiceGatewaySupport { 
    
    	protected final Log log = LogFactory.getLog(this.getClass());
    
    	protected static final ObjectFactory objectFactory = new ObjectFactory();	
    	
    	protected Object send(Object message) {
    	    long startTime= System.currentTimeMillis();
    		try {
    //			StringResult result = new StringResult();
    //			getMarshaller().marshal(message, result);
                Object response = getWebServiceTemplate().marshalSendAndReceive(message);
                return response; 
    	 } catch (Exception ex) {
    	            ex.printStackTrace();
    	            throw new RuntimeException(ex);
    		 } finally {
    			 long endTime = System.currentTimeMillis();
    //			 this.serviceCallTime = endTime - startTime;
    		 }
    	} 
    }

    So it seems to me that using the marshaller to send and receive drops the username form the soap message?
    (Usually when I am convinced the framework is to blame, I realise a day later that I missed something crucial...)

    I am using Spring WS 1.5.3. But maybe I got a buggy transative dependency?


    Not really relevant, as it is the sent message that is wrong, but here is my server side:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:tx="http://www.springframework.org/schema/tx"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
        		
    	<bean id="securityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">		
    		<property name="validationActions" value="UsernameToken"/>   
    		<property name="securementActions" value="Timestamp"/>    
    		<property name="timestampPrecisionInMilliseconds" value="true"/>
    		<property name="validationCallbackHandler" ref="acegiHandler" />
    	</bean>
     	
     	<bean id="acegiHandler" class="org.springframework.ws.soap.security.wss4j.callback.SpringPlainTextPasswordValidationCallbackHandler">
       		<property name="authenticationManager" ref="authenticationManager"/>
    	</bean> 
           		
    <!--
    <bean id="acegiHandler" class="org.springframework.ws.soap.security.wss4j.callback.SpringDigestPasswordValidationCallbackHandler">
            <property name="userDetailsService" ref="userDetailsService"/>
        </bean>
    -->
     	 
    	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
         		<property name="providers">
             		<bean class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
                 		<property name="userDetailsService" ref="userDetailsService"/>
             		</bean>
         		</property>
     		</bean>
     	 	
        <security:user-service id="userDetailsService">
          <security:user name="donald-duck" password="foobar" authorities="ROLE_CLIENT" />
        </security:user-service>
    
    
    Any ideas?
    Anyone experienced the same?
    
    </beans>

  • #2
    Playing around with the maven dependencies solved the issue, although i am not sure which specifically. I mostly removed them and relied on the transitive ones.

    Also added unmarshaller setter to the service bean as an exception was now returned, which it didnt before i added ws-security.

    Comment


    • #3
      Basically I think it was the wrong xmlsec.jar I had transatively received by excluding another from spring-ws-security

      Comment

      Working...
      X