13 Replies Latest reply on Nov 21, 2012 2:07 PM by noe_bartino1984

    Jboss ws-security, client configuration

      Hello,

       

      I'm currently trying to secure a ws endpoint using the native jboss security stack. The server now successfully signs the message. I'm now trying to secure the client. It's a standalone java client using code generated by the jboss ws tool.

       

      I tried using the following code to enable ws-security from the client:

       

      //port object obtained via SOAPService
      ((StubExt)port).setSecurityConfig(securityURL.toExternalForm());
      ((StubExt)port).setConfigName("Standard WSSecurity Client");
      

       

      This doesn't work as the 'port' object cannot be cast to a StubExt. I have generated my client code using the '-extensions' flag, could this be causing problems?

       

      Does anyone have any idea as to what could be causing this problem?

       

      Thanks in advance,

       

      Tim

        • 1. Re: Jboss ws-security, client configuration

          Alright, I have gotten a bit further. I fixed the class casting issue, but I'm now getting an exception:

           

          javax.xml.ws.WebServiceException: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred.

           

           

          Can't find anything in the logs though.

           

          This is the code I am using for setting up the security on the client:

           

          URL securityURL = Main.class.getResource("META-INF/jboss-wsse-client.xml");

          ((StubExt) port).setSecurityConfig(securityURL.toExternalForm());
          ((StubExt) port).setConfigName("Standard WSSecurity Client", "META-INF/standard-jaxws-client-config.xml");
          

           

          This is the wsse-client file I'm using:

           

           

          <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:schemaLocation="http://www.jboss.com/ws-security/config
                                                 http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
              <key-store-file>META-INF/wsse.keystore</key-store-file>
              <key-store-password>secret</key-store-password>
              <trust-store-file>META-INF/wsse.truststore</trust-store-file>
              <trust-store-password>secret</trust-store-password>
              <key-passwords>
                  <key-password alias="wss" password="secret" />
              </key-passwords>
              <config>
                  <sign type="x509v3" alias="wss"/>
                  <requires>
                      <signature/>
                  </requires>
              </config>
          </jboss-ws-security>
          

           

          I'm using the same truststore and keystore for both the client and server... Could this be causing problems?

           

          Also, does anyone happen to know how to actually get the internal ws-security exception?

           

          Tim

          • 2. Re: Jboss ws-security, client configuration
            zurchman

            Hi

             

            Some of these may sound like odd questions, but I suspect there may be some problems with security in the client library.

             

            First of all, could you please post or attach the first 100 lines or so of your stack trace?

             

            Here are a couple of questions:

             

            1) Do you have any logging configured in your client?

             

            2) What version of JBossWS are you using?

             

            3) How did you resolve your Class cast issue? And how are you defining your client classpath?

            • 3. Re: Jboss ws-security, client configuration

              My entire stack trace:

               

              Exception in thread "main" javax.xml.ws.WebServiceException: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
                  at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.processHandlerFailure(HandlerChainExecutor.java:286)
                  at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:157)
                  at org.jboss.ws.core.jaxws.client.ClientImpl.callRequestHandlerChain(ClientImpl.java:177)
                  at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:298)
                  at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:290)
                  at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:170)
                  at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
                  at $Proxy14.submitWebsiteData(Unknown Source)
                  at Main.main(Main.java:49)
              Caused by: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
                  at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:264)
                  at org.jboss.ws.extensions.security.WSSecurityDispatcher.encodeMessage(WSSecurityDispatcher.java:226)
                  at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:104)
                  at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient.handleOutbound(WSSecurityHandlerClient.java:43)
                  at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)
                  at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:305)
                  at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:142)
                  ... 7 more
              

               

               

              1) I have appended a FileAppender to the rootlogger in the client code.

               

              2) I'm using the JBossWS version included in the jboss 5.1.0 build

               

              3) I resolved the class path issue by only including the jars found in the wsrunclient file, plus the ones from the endorsed jboss dir as well as setting the java endorsed library to that same location.

               

               

              Thanks for taking an interest.

               

              I have also been looking at the samples from JBoss in Action. And I can't figure out how the author gets the Client to pick up on the security configuration, is it just by including the files in the META-INF directory? Or does it have something to do with the fact that he runs the samples from a JAR file?

              • 4. Re: Jboss ws-security, client configuration
                zurchman

                I'm happy to try to help. Sometimes you can feel like you are "crying out" in the WS-Security "wilderness" here.  The developers rely on their test cases and test suites, but I think that there could be more test coverage for WS-Security applications, especially ones that use wsconsume.

                 

                To get more detail from your application, try adding some of these to the logging configuration file used by your client:

                 

                #log4j.logger.org.jboss.ws=TRACE
                log4j.logger.org.jboss.ws.extensions.security.WSSecurityDispatcher=DEBUG
                #log4j.logger.org.jboss.ws.extensions.security=TRACE
                

                 

                If you configure your server logging similarly, my guess is that you are going to see that the server is throwing a fault because the decryption fails.  (And my suspicion is that the real problem is that the client may not be performing the encryption properly).

                 

                The other thing you might prepare yourself for is that your client may very well work correctly with a sufficient level of debugging. I have a native JBossWS 3.1.1 client that works - as long as WSSecurityDispatcher logs with a level of DEBUG or TRACE!  Go figure.

                 

                I had enough trouble trying to get a client working without the additional work of packaging it into a jar, so I can't comment on placing the client security configuration in META-INF.

                • 5. Re: Jboss ws-security, client configuration

                  It finally works!

                   

                  I added the logging just as you said and it appeared that the keys in my keystore were configured using a DSA algorithm, not RSA, which is apparently required by ws-security.

                   

                  As soon as I changed my keystore, I could successfully make a web request.

                   

                  Thanks a lot, for assisting me, it really helped me out a lot!

                   

                  I found out, btw, that by having a META-INF directory in the source folder with the correct files (the keystores, jboss-wsse-client.xml and standard-jaxws-client-config.xml), it automatically detects the settings.

                   

                  The weird thing is that everything is actually quite straightforward, but because of the documentation that is scattered throughout the jboss website, sometimes using different XML for the same thing, it can become quite a stretch to get everything working.

                   

                  I can certainly see your point with the "crying out in the wilderness". The JBoss in Action book does a decent job of structuring the documentation, but even there it uses the batch file wsrunclient for running the client code, which is not realistic in a real situation. And as a lot of problems come up while managing dependencies, it forgets to cover a lot of ground that way.

                   

                  A good addition to the documentation would be a page which explains error messages and their solutions. Some of which I run into all the time, for example the `setProperty must be overriden' error. This would of course be quite a challenge, as you've got all the external factors which will make each situation different. But it would be a good starting point.

                   

                  Well anyway thanks again for the help!
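
The DSA-versus-RSA cause found in the post above can be checked before the first signed call, instead of waiting for the generic "internal WS-Security error". The following is an added example, not code from the thread or from JBossWS; the class name `KeystorePreflight` is hypothetical and the default path, password and alias are taken from the jboss-wsse-client.xml posted earlier.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

/** Added example (hypothetical class): pre-flight check of the signing keystore. */
public class KeystorePreflight {

    /** Returns null when the entry can be used for RSA signing, otherwise a description of the problem. */
    static String check(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' not found; keystore contains " + Collections.list(ks.aliases());
        }
        if (!ks.isKeyEntry(alias)) {
            return "alias '" + alias + "' is a certificate-only entry, there is no private key to sign with";
        }
        // Throws UnrecoverableKeyException when the key password is wrong.
        Key key = ks.getKey(alias, keyPassword);
        if (!"RSA".equals(key.getAlgorithm())) {
            return "private key algorithm is " + key.getAlgorithm() + ", expected RSA";
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null || !"RSA".equals(cert.getPublicKey().getAlgorithm())) {
            return "certificate for alias '" + alias + "' does not carry an RSA public key";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the configuration posted in this thread; override them on the command line.
        String path = args.length > 0 ? args[0] : "META-INF/wsse.keystore";
        char[] storePass = (args.length > 1 ? args[1] : "secret").toCharArray();
        String alias = args.length > 2 ? args[2] : "wss";
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        String problem = check(ks, alias, keyPass);
        if (problem != null) {
            System.err.println("Keystore not usable for WS-Security signing: " + problem);
            System.exit(1);
        }
        System.out.println("OK: alias '" + alias + "' holds an RSA key pair");
    }
}
```

Older JDK versions of keytool generate DSA keys unless `-keyalg RSA` is given, which is one way a keystore ends up in the state described above.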

                  • 6. Re: Jboss ws-security, client configuration
                    zurchman

                    It finally works!

                     

                    Just curious:

                     

                    Does it still work when you completely disable the logging on the client side?

                    • 7. Re: Jboss ws-security, client configuration
                      asoldano

                      Sidney Zurch wrote:

                       

                      The other thing you might prepare yourself for is that your client may very well work correctly with a sufficient level of debugging. I have a native JBossWS 3.1.1 client that works - as long as WSSecurityDispatcher logs with a level of DEBUG or TRACE!  Go figure.

                       

                      You should move to a more recent version of jbossws, try 3.2.2 for instance. A couple of issues related to this have been fixed.

                      • 8. Re: Jboss ws-security, client configuration

                        Yeah, I tried disabling logging and it worked fine.

                        • 9. Re: Jboss ws-security, client configuration
                          samb1985

                          I also have the same issue when I try to run a client:

                           

                          URL securityURL = Main.class.getResource("META-INF/jboss-wsse-client.xml");
                          ((StubExt) port1).setSecurityConfig(securityURL.toExternalForm());
                          ((StubExt) port1).setConfigName("Standard WSSecurity Client", "META-INF/standard-jaxws-client-config.xml");

                           

                          And the cast doesn't work:

                          Exception in thread "main" java.lang.ClassCastException: $Proxy23 cannot be cast to org.jboss.ws.core.StubExt

                           

                          How did you solve it?

                          • 10. Re: Jboss ws-security, client configuration
                            zurchman

                            Those $Proxy cast exceptions are an indication of a problem with your client Classpath.

                             

                            Note what Tim said above:

                            2) I'm using the JBossWS version included in the jboss 5.1.0 build

                             

                            3) I resolved the class path issue by only including the jars found in the wsrunclient file, plus the ones from the endorsed jboss dir as well as setting the java endorsed library to that same location.

                             

                             

                            It is important that the java.endorsed.dirs property be set to the endorsed directory of your JBoss distribution.

                            • 11. Re: Jboss ws-security, client configuration
                              samb1985

                              What do you mean by the java.endorsed.dirs property?

                               

                              Now the classpath contains all the jars from the lib and client folders of JBoss 5.1.

                              • 12. Re: Jboss ws-security, client configuration
                                zurchman

                                This question for this topic has already been "answered".  It would be best to continue in your original topic:

                                 

                                http://community.jboss.org/message/547810#547810

                                • 13. Re: Jboss ws-security, client configuration
                                  noe_bartino1984

                                  Hi

                                  My Client shows this Exception.

                                  Could anybody help me?

                                   

                                  javax.xml.ws.soap.SOAPFaultException: The security token could not be authenticated or authorized.