2 Replies Latest reply on May 6, 2010 4:29 PM by zurchman

    WS-Security on JBoss 4.2.2.GA with jbossws-native-client 3.2.0.GA error

    hugohendriks
      Hello,

      We have an issue with getting WS-security running on JBoss 4.2.2.GA.

      We have constructed a simple project with a simple service:

      import javax.jws.WebMethod;
      import javax.jws.WebService;
      import javax.jws.soap.SOAPBinding;
      import org.jboss.ws.annotation.EndpointConfig;


      @SOAPBinding(style = SOAPBinding.Style.RPC)
      @WebService
      @EndpointConfig(configName="Standard WSSecurity Endpoint",configFile="WEB-INF/standard-jaxws-endpoint-config.xml")
      public class Hello {

           @WebMethod
           public String sayHello(String aName) {
                return "Hello " + aName;
           }
      }

      We have created the server and client truststores by using the following commands on jdk1.5

      keytool -genkey -alias server -keyalg RSA -keystore server.keystore
      keytool -genkey -alias client -keyalg RSA -keystore client.keystore
      keytool -export -alias server -keystore server.keystore -file server_pub.key
      keytool -export -alias client -keystore client.keystore -file client_pub.key
      keytool -import -alias client -keystore server.keystore -file client_pub.key
      keytool -import -alias server -keystore client.keystore -file server_pub.key
      keytool -import -alias client -keystore client.truststore -file client_pub.key
      keytool -import -alias server -keystore server.truststore -file server_pub.key
      keytool -import -alias server -keystore client.truststore -file server_pub.key
      keytool -import -alias client -keystore server.truststore -file client_pub.key

      Our jboss-wsse-server.xml looks like:

      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/ws-security/config
      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
           <key-store-file>WEB-INF/server.keystore</key-store-file>
           <key-store-password>password</key-store-password>
           <trust-store-file>WEB-INF/server.truststore</trust-store-file>
           <trust-store-password>password</trust-store-password>
           <key-passwords>
                <key-password alias="server" password="password" />
           </key-passwords>
           <config>
                <sign type="x509v1" alias="server" />
                <encrypt type="x509v1" alias="client" />
                <requires>
                     <signature />
                     <encryption />
                </requires>
           </config>
      </jboss-ws-security>

      The versions we are using in our pom for the libs are:

                <dependency>
                     <groupId>javax.xml.ws</groupId>
                     <artifactId>jaxws-api</artifactId>
                     <version>2.1</version>
                </dependency>

                <dependency>
                     <groupId>org.jboss.ws.native</groupId>
                     <artifactId>jbossws-native-client</artifactId>
                     <version>3.2.0.GA</version>
                     <scope>provided</scope>
                </dependency>

      When we run a SoapUI test we get the following response:

      org.jboss.ws.extensions.security.FailedCheckException: Required element did not contain a wsu:id.
              at org.jboss.ws.extensions.security.RequireTargetableOperation.resolveQNameTarget(RequireTargetableOperation.java:65)
              at org.jboss.ws.extensions.security.RequireTargetableOperation.resolveTarget(RequireTargetableOperation.java:43)
              at org.jboss.ws.extensions.security.RequireTargetableOperation.process(RequireTargetableOperation.java:85)
              at org.jboss.ws.extensions.security.SecurityDecoder.verify(SecurityDecoder.java:170)
              at org.jboss.ws.extensions.security.WSSecurityDispatcher.handleInbound(WSSecurityDispatcher.java:166)

      We have a suspicion that this might have something to do with the libraries we are using to handle the WS-Security.

      Does anyone have a useful suggestion for how we might get this to work?

      Much thanks

        • 1. Re: WS-Security on JBoss 4.2.2.GA with jbossws-native-client 3.2.0.GA error
          hugohendriks
          After trying another setting in SoapUI we get the following error:

          org.jboss.ws.extensions.security.WSSecurityException: Currently only SubjectKeyIdentifiers are supported
          • 2. Re: WS-Security on JBoss 4.2.2.GA with jbossws-native-client 3.2.0.GA error
            zurchman

            SoapUI 3.5 can be used to test encryption with JBossWS 4.2.3/3.1.1.

             

            JBoss WS clients generate a wsu:Id attribute in the <env:Body> element, which SoapUI will not insert automatically.

             

            <env:Body xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' 
              wsu:Id='element-1-1272320911598-1522000'>
              <xenc:EncryptedData Id='encrypted-2-1272320911598-11779585' Type='http://www.w3.org/2001/04/xmlenc#Content'
               xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
            

             

            This is most likely the cause of your initial fault.

             

            Original SoapUI request:

             

            <soapenv:Body>
                 <xenc:EncryptedData Id="EncDataId-5" Type="http://www.w3.org/2001/04/xmlenc#Content">
            

             

            You can use SoapUI if you include a 'dummy' wsu:Id in the Body of your request.  Be sure to include the namespace:

             

            <soapenv:Body 
              xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
                wsu:Id='element-1-1272320911598-1522000'>
                <xenc:EncryptedData Id="EncDataId-5" Type="http://www.w3.org/2001/04/xmlenc#Content">
            

             

            JBoss also generates wsu:Id attributes in the <wsse:SecurityTokenReference> element, which again, SoapUI omits.

             

            And as for testing WS-security, you might think about breaking up your operations and testing in stages: first test encryption using a single keystore, then test encryption requiring signatures, then move on to testing with multiple keystores, etc.
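
A pre-flight check for the problem described in reply 2, as an added example that is not part of the original thread and is not JBossWS or SoapUI code: it lists the Body and wsse:SecurityTokenReference elements of a request that lack a wsu:Id and adds one to the Body. The function names and the sample envelope are constructed for illustration; SOAP 1.1 is assumed.

```python
import uuid
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSU = OASIS + "utility-1.0.xsd"
WSSE = OASIS + "secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSU_ID = "{%s}Id" % WSU

# Keep readable prefixes when the envelope is serialized again.
for prefix, uri in (("soapenv", SOAP11), ("wsu", WSU), ("wsse", WSSE), ("xenc", XENC)):
    ET.register_namespace(prefix, uri)

# Constructed, abbreviated sample: an encrypted request without wsu:Id attributes.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
  <soapenv:Header><wsse:Security><xenc:EncryptedKey>
    <wsse:SecurityTokenReference/>
  </xenc:EncryptedKey></wsse:Security></soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="EncDataId-5" Type="http://www.w3.org/2001/04/xmlenc#Content"/>
  </soapenv:Body>
</soapenv:Envelope>"""


def targets(root):
    """Elements that, per the reply, JBossWS clients tag with wsu:Id."""
    body = root.find("{%s}Body" % SOAP11)
    refs = list(root.iter("{%s}SecurityTokenReference" % WSSE))
    return ([body] if body is not None else []) + refs


def missing_wsu_ids(envelope_xml):
    """Local names of target elements that carry no wsu:Id."""
    root = ET.fromstring(envelope_xml)  # parse only requests you authored yourself
    return [el.tag.split("}")[1] for el in targets(root) if WSU_ID not in el.attrib]


def add_body_wsu_id(envelope_xml):
    """Add a generated wsu:Id (with its namespace) to the Body if it has none."""
    # If the request is also signed, do this on the template before signing:
    # changing an element that a signature already covers invalidates it.
    root = ET.fromstring(envelope_xml)
    body = root.find("{%s}Body" % SOAP11)
    if body is not None and WSU_ID not in body.attrib:
        body.set(WSU_ID, "element-" + uuid.uuid4().hex)
    return ET.tostring(root, encoding="unicode")
```

For the sample, `missing_wsu_ids` reports the Body and the SecurityTokenReference; after `add_body_wsu_id` only the SecurityTokenReference remains.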