Problem with securing web service with WS-Security (username token)
lmarczuk Sep 6, 2010 7:56 AM
Hello,
I am trying to secure a web service (from an EJB 3.0 stateless bean) and it is not working.
Here is my code:
Bean:
    // ... some imports
    @Stateless
    @SOAPBinding(style=SOAPBinding.Style.RPC)
    @SecurityDomain("JBossWS")
    @EndpointConfig(configName = "Standard WSSecurity Endpoint")
    @WebService(name="Hello",targetNamespace = "http://test",serviceName = "HelloWSSService")
    public class HelloBean implements IHello {
        @WebMethod
        public String sayHello(String aName) {
            return "siemanko " + aName;
        }
    }
Interface:
    @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
    @EndpointConfig(configName = "Standard WSSecurity Endpoint")
    @WebService(name="Hello",targetNamespace = "http://test",serviceName = "HelloWSSService")
    public interface IHello {
        String sayHello( String name);
    }
In my META-INF folder I put the jboss-wsse-server.xml file:
    <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      <config>
        <timestamp ttl="300"/>
        <requires/>
      </config>
    </jboss-ws-security>
Now I deploy my app on the server and test it from SoapUI.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:test="http://test">
      <soapenv:Header/>
      <soapenv:Body>
        <test:sayHello>
          <arg0>?</arg0>
        </test:sayHello>
      </soapenv:Body>
    </soapenv:Envelope>
And the answer:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Header>
        <wsse:Security env:mustUnderstand="1"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsu:Timestamp wsu:Id="timestamp">
            <wsu:Created>2010-09-06T11:41:38.621Z</wsu:Created>
            <wsu:Expires>2010-09-06T11:46:38.621Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
      </env:Header>
      <env:Body>
        <test:sayHelloResponse xmlns:test="http://test">
          <return>siemanko ?</return>
        </test:sayHelloResponse>
      </env:Body>
    </env:Envelope>
Got any idea why I can't secure my web service like that? I tried it on JBoss 4.2.3, 5.01, 5.1, and 6; actually I work on 5.0.1 with JBoss Web Services - Native Server 3.3.1.GA.
Maybe I'm skipping some step or jboss-wsse-server.xml is incorrect?
When I put this into jboss-wsse-server.xml:
    <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      <config>
        <username/>
        <authenticate>
          <usernameAuth/>
        </authenticate>
      </config>
    </jboss-ws-security>
Also nothing happened and I am able to get a response without putting principals in the header.
JBossWS is configured correctly in login-config.xml.
Please help.
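
The request and response quoted in the post can be compared mechanically. The sketch below is an added example, not part of the original post and not JBossWS code: it parses a SOAP 1.1 envelope and reports whether a wsse:Security header, a UsernameToken and a timestamp are present. The function name `inspect_wsse` and the token-bearing request with placeholder credentials are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"env": SOAP, "wsse": WSSE, "wsu": WSU}

# Request and response as quoted in the post (response body left empty here).
POSTED_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:test="http://test">
  <soapenv:Header/>
  <soapenv:Body><test:sayHello><arg0>?</arg0></test:sayHello></soapenv:Body>
</soapenv:Envelope>"""
POSTED_RESPONSE = f"""<env:Envelope xmlns:env="{SOAP}">
  <env:Header><wsse:Security env:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
    <wsu:Timestamp wsu:Id="timestamp">
      <wsu:Created>2010-09-06T11:41:38.621Z</wsu:Created>
      <wsu:Expires>2010-09-06T11:46:38.621Z</wsu:Expires>
    </wsu:Timestamp></wsse:Security></env:Header>
  <env:Body/>
</env:Envelope>"""
# Constructed sample: the same request carrying a UsernameToken (placeholder credentials).
TOKEN_REQUEST = POSTED_REQUEST.replace("<soapenv:Header/>", f"""<soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>
      <wsse:Username>example-user</wsse:Username><wsse:Password>example-password</wsse:Password>
    </wsse:UsernameToken></wsse:Security></soapenv:Header>""")

def _ts(text):
    # Timestamps in the posted response use millisecond precision and a trailing Z.
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%S.%fZ")

def inspect_wsse(envelope_xml):
    """Summarise the WS-Security header of one SOAP 1.1 envelope."""
    security = ET.fromstring(envelope_xml).find("env:Header/wsse:Security", NS)
    info = {"security_header": security is not None, "username": None,
            "has_password": False, "timestamp_ttl": None}
    if security is None:
        return info
    token = security.find("wsse:UsernameToken", NS)
    if token is not None:
        info["username"] = token.findtext("wsse:Username", namespaces=NS)
        info["has_password"] = token.find("wsse:Password", NS) is not None
    created = security.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
    expires = security.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
    if created and expires:
        info["timestamp_ttl"] = int((_ts(expires) - _ts(created)).total_seconds())
    return info

if __name__ == "__main__":
    for name in ("POSTED_REQUEST", "POSTED_RESPONSE", "TOKEN_REQUEST"):
        print(name, inspect_wsse(globals()[name]))
```

On the posted messages this reports no security header in the request, and a response timestamp spanning 300 seconds, the same value as the ttl in the first jboss-wsse-server.xml.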