Attaching a WS-Security policy forces use of "Standard WSSecurity Endpoint" configuration
barakka Jan 16, 2011 12:42 PM
Hello,
I'm trying to use WS-Security with WS-Policy and a custom endpoint configuration in one of my services, but it seems that when the policy is parsed during deployment a standard endpoint configuration is forced.
This is an extract of the relevant parts of my service declaration:
    @WebService(...)
    @SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.BARE)
    @BindingType(javax.xml.ws.soap.SOAPBinding.SOAP12HTTP_BINDING)
    @EndpointConfig(configFile = "META-INF/cmr-basic-endpoint-config.xml", configName = "CMR-basic")
    @PolicyAttachment(
        @Policy(policyFileLocation = "META-INF/cmr-basic-security-policy.xml", scope = PolicyScopeLevel.WSDL_BINDING))
    public class DOCServiceBasicImpl extends DOCServiceUnsercureImpl {
As you can see, I'd like to use the CMR-basic endpoint config, which I've already set up to use the WS-Security handler, like this:
    <endpoint-config>
      <config-name>CMR-basic</config-name>
      <post-handler-chains>
        <javaee:handler-chain>
          <javaee:protocol-bindings>##SOAP12_HTTP</javaee:protocol-bindings>
          <javaee:handler>
            <javaee:handler-name>Seam SOAP Request Handler</javaee:handler-name>
            <javaee:handler-class>org.jboss.seam.webservice.SOAPRequestHandler</javaee:handler-class>
          </javaee:handler>
          <javaee:handler>
            <javaee:handler-name>WSSecurity Handler</javaee:handler-name>
            <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
          </javaee:handler>
        </javaee:handler-chain>
      </post-handler-chains>
    </endpoint-config>
And I'm trying to attach the following policy:
    <wsp:Policy wsu:Id="ws-security"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsrmp="http://docs.oasis-open.org/ws-rx/wsrmp/200702"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:jboss-ws-security xmlns:sp="http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
            <sp:config>
              <sp:timestamp ttl="359" />
              <sp:requires> </sp:requires>
              <sp:authenticate>
                <sp:usernameAuth />
              </sp:authenticate>
              <sp:username />
            </sp:config>
          </sp:jboss-ws-security>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
When the service is deployed, the following error is produced:
    18:19:23,415 INFO [org.jboss.ws.extensions.policy.metadata.PolicyMetaDataBuilder] Deploying Annotated Policy = META-INF/cmr-basic-security-policy.xml
    18:19:23,590 ERROR [STDERR] org.jboss.ws.WSException: Cannot obtain config: Standard WSSecurity Endpoint
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.metadata.config.JBossWSConfigFactory.getConfig(JBossWSConfigFactory.java:165)
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.metadata.umdm.EndpointMetaData.initEndpointConfigMetaData(EndpointMetaData.java:874)
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.metadata.umdm.EndpointMetaData.createEndpointConfigMetaData(EndpointMetaData.java:841)
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.metadata.umdm.EndpointMetaData.setConfigNameInternal(EndpointMetaData.java:823)
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.metadata.umdm.EndpointMetaData.setConfigName(EndpointMetaData.java:801)
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.extensions.policy.deployer.domainAssertion.WSSecurityAssertionDeployer.deployServerSide(WSSecurityAssertionDeployer.java:69)
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.extensions.policy.deployer.PolicyDeployer.deployAssertionServerSide(PolicyDeployer.java:227)
    18:19:23,593 ERROR [STDERR] at org.jboss.ws.extensions.policy.deployer.PolicyDeployer.deployAlternativeServerSide(PolicyDeployer.java:195)
    18:19:23,594 ERROR [STDERR] at org.jboss.ws.extensions.policy.deployer.PolicyDeployer.deployServerside(PolicyDeployer.java:118)
    18:19:23,594 ERROR [STDERR] at org.jboss.ws.extensions.policy.metadata.PolicyMetaDataBuilder.deployPolicyServerSide(PolicyMetaDataBuilder.java:288)
    18:19:23,594 ERROR [STDERR] at org.jboss.ws.extensions.policy.metadata.PolicyMetaDataBuilder.deployPolicy(PolicyMetaDataBuilder.java:270)
    18:19:23,594 ERROR [STDERR] at org.jboss.ws.extensions.policy.metadata.PolicyMetaDataBuilder.processPolicyAnnotations(PolicyMetaDataBuilder.java:132)
    18:19:23,594 ERROR [STDERR] at org.jboss.ws.metadata.builder.jaxws.JAXWSWebServiceMetaDataBuilder.buildWebServiceMetaData(JAXWSWebServiceMetaDataBuilder.java:161)
    18:19:23,594 ERROR [STDERR] at org.jboss.ws.metadata.builder.jaxws.JAXWSServerMetaDataBuilder.setupProviderOrWebService(JAXWSServerMetaDataBuilder.java:50)
    18:19:23,594 ERROR [STDERR] at org.jboss.ws.metadata.builder.jaxws.JAXWSMetaDataBuilderEJB3.buildMetaData(JAXWSMetaDataBuilderEJB3.java:76)
    ...
which I believe is caused by the following code in WSSecurityAssertionDeployer:
    public void deployServerSide(PrimitiveAssertion assertion, ExtensibleMetaData extMetaData) throws UnsupportedAssertion
    {
       ByteArrayOutputStream stream = new ByteArrayOutputStream();
       if (extMetaData instanceof EndpointMetaData)
       {
          EndpointMetaData ep = (EndpointMetaData) extMetaData;
          WSSecurityConfiguration securityConfiguration;
          try
          {
             //GET XML of security assertion
             PrimitiveAssertionWriter.newInstance().writePrimitiveAssertion(assertion, stream);
             StringReader reader = new StringReader(stream.toString());

             //Set security configuration
             securityConfiguration = WSSecurityOMFactory.newInstance().parse(reader);
             WSSecurityConfigFactory.newInstance().initKeystorePath(ep.getRootFile(), securityConfiguration);
             ep.getServiceMetaData().setSecurityConfiguration(securityConfiguration);

             //set up handler chain as defined in standard file
             ep.setConfigName("Standard WSSecurity Endpoint");
          }
          catch (Exception e)
          {
             e.printStackTrace();
             throw new UnsupportedAssertion();
          }
       }
    }
which, instead of checking if the proper WSSecurity handler is installed, forces the use of "Standard WSSecurity Endpoint" configuration.
Is this expected? Why can't I use my own policy configuration?
Btw, the obvious workaround is to rename my endpoint configuration to "Standard WSSecurity Endpoint", but that is a bit annoying, as I have several configurations that require WS-Security in combination with other WS-* standards that I use for my services, and this forces me to separate them into several configuration files to be able to replace the "Standard WSSecurity Endpoint" with what I need.
Thanks,
Riccardo.
PS: I'm using a vanilla JBoss 5.1.0.GA, which comes with jbossws 3.1.2.GA, but I've checked the code of the last 3.4 version (3.4.1.GA I believe) and it is the same.
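
The check the post asks for (whether a named endpoint configuration actually installs the WS-Security handler) can be run against a config file before deployment. The following is an added example, not part of the original post and not JBossWS code. The class name `EndpointConfigCheck`, the `jaxws-config` root element and its namespace declarations are assumptions, since the post shows only the inner `endpoint-config` element.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class EndpointConfigCheck {
    // Handler class name taken from the endpoint config shown in the post.
    static final String WSSE_HANDLER =
        "org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer";

    /** True if the named endpoint-config declares the WS-Security server handler. */
    static boolean hasWsseHandler(Document doc, String configName) {
        // "*" matches any namespace, so the check does not depend on prefixes.
        NodeList configs = doc.getElementsByTagNameNS("*", "endpoint-config");
        for (int i = 0; i < configs.getLength(); i++) {
            Element cfg = (Element) configs.item(i);
            NodeList names = cfg.getElementsByTagNameNS("*", "config-name");
            if (names.getLength() == 0
                    || !configName.equals(names.item(0).getTextContent().trim())) {
                continue; // not the configuration we were asked about
            }
            NodeList classes = cfg.getElementsByTagNameNS("*", "handler-class");
            for (int j = 0; j < classes.getLength(); j++) {
                if (WSSE_HANDLER.equals(classes.item(j).getTextContent().trim())) {
                    return true;
                }
            }
        }
        return false; // config missing, or present without the handler
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the post's config inside an assumed root element.
        String xml = "<jaxws-config xmlns='urn:jboss:jaxws-config:2.0'"
            + " xmlns:javaee='http://java.sun.com/xml/ns/javaee'>"
            + "<endpoint-config><config-name>CMR-basic</config-name>"
            + "<post-handler-chains><javaee:handler-chain><javaee:handler>"
            + "<javaee:handler-class>" + WSSE_HANDLER + "</javaee:handler-class>"
            + "</javaee:handler></javaee:handler-chain></post-handler-chains>"
            + "</endpoint-config></jaxws-config>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The config needs no DOCTYPE, so refuse one rather than resolve entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println("CMR-basic: " + hasWsseHandler(doc, "CMR-basic"));
        System.out.println("Other: " + hasWsseHandler(doc, "Other"));
    }
}
```

A configuration that fails this check would leave the attached policy without a handler to enforce it, which is the case a deployer would need to reject if it stopped forcing the standard configuration name.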