23 Replies. Latest reply on Nov 17, 2009 6:00 AM by moa
      • 15. Re: WSSE UsernameToken without HTTP basic auth?

        Hi!

        Sorry for the delay...

        I've tried the new username token support now and it seems to work fine.
        Build info:
        Version: jbossws-native-3.0.6-SNAPSHOT
        Build: 200901151503

        Example of SOAP request:

        POST /lab_1_wsdl_first/HelloService HTTP/1.1
        SOAPAction: ""
        Content-Type: text/xml; charset=UTF-8
        JBoss-Remoting-Version: 22
        User-Agent: JBossRemoting - 2.2.2.SP8
        Host: localhost:8080
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: keep-alive
        Transfer-Encoding: chunked
        
        <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'><env:Header><wsse:Security env:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'><wsu:Timestamp wsu:Id='timestamp'><wsu:Created>2009-01-26T14:36:28.871Z</wsu:Created><wsu:Expires>2009-01-26T14:41:28.871Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken wsu:Id='token-1-1232980588873-16780239'><wsse:Username>someuser</wsse:Username><wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText'>somepassword</wsse:Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body><ns1:HelloData xmlns:ns1="http://www.redpill.se/training/ws/hello/HelloService"><helloMessage>Lab1Client</helloMessage></ns1:HelloData></env:Body></env:Envelope>
        


        I.e. no http basic authentication.
        I've added
        <security-domain>java:/jaas/JBossWS</security-domain>
        to jboss-web.xml
        And the following to jboss-wsse-server.xml:
        <jboss-ws-security>
          <config>
            <authorize>
              <unchecked/>
            </authorize>
          </config>
        </jboss-ws-security>
        

        And I can now control access through the conf/props/jbossws-users.properties file.
        Without properly configured credentials I get a message saying:
        "The security token could not be authenticated or authorized."
        So everything seems to be ok this far.

        However, I've noticed that if I do:
        @Resource
        javax.xml.ws.WebServiceContext wsCtx;
        wsCtx.getUserPrincipal() will return null.
        Is this the expected result?
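
A check a defender can run over a captured request like the one in this post, as an added example that is not part of the original thread or of JBossWS: it flags a PasswordText token sent without TLS and a wsu:Timestamp that is missing, too long-lived or expired. The function names, the `tls` flag and the five-minute lifetime policy are assumptions; the sample is the posted Security header, constructed inline with the body omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed sample: the Security header of the request posted above, body omitted.
SAMPLE = f"""<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header><wsse:Security env:mustUnderstand='1' xmlns:wsse='{WSSE}' xmlns:wsu='{WSU}'>
<wsu:Timestamp wsu:Id='timestamp'><wsu:Created>2009-01-26T14:36:28.871Z</wsu:Created>
<wsu:Expires>2009-01-26T14:41:28.871Z</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken wsu:Id='token-1-1232980588873-16780239'>
<wsse:Username>someuser</wsse:Username>
<wsse:Password Type='{TEXT}'>somepassword</wsse:Password>
</wsse:UsernameToken></wsse:Security></env:Header><env:Body/></env:Envelope>"""

def parse_ts(text):
    """Parse a UTC xsd:dateTime such as 2009-01-26T14:36:28.871Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def audit(envelope, now, tls, max_lifetime=timedelta(minutes=5)):
    """Return findings for one captured request; max_lifetime is an assumed policy."""
    # Parse captures from untrusted sources with a hardened XML parser instead.
    sec = ET.fromstring(envelope).find(".//wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    findings = []
    created = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
    expires = sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
    if not (created and expires):
        findings.append("no wsu:Timestamp, so stale requests cannot be rejected")
    else:
        start, end = parse_ts(created), parse_ts(expires)
        if end - start > max_lifetime:
            findings.append("timestamp lifetime exceeds policy")
        if not (start <= now < end):
            findings.append("timestamp outside its validity window")
    password = sec.find("wsse:UsernameToken/wsse:Password", NS)
    # The UsernameToken profile treats a missing Type attribute as PasswordText.
    if password is not None and password.get("Type", TEXT) == TEXT and not tls:
        findings.append("PasswordText sent without TLS: password readable on the wire")
    return findings

if __name__ == "__main__":
    at = datetime(2009, 1, 26, 14, 37, tzinfo=timezone.utc)
    print(audit(SAMPLE, at, tls=False))
```

The posted request goes to `localhost:8080` over plain HTTP, so it produces the PasswordText finding; the same token sent over HTTPS inside its five-minute window produces none.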


        • 16. Re: WSSE UsernameToken without HTTP basic auth?

          Hi again.

          I noticed another thing when running this test.
          In my service I have system outs in the c-tor and finalizer.
          I've also added postCreate and preDestroy methods with:

           public HelloImpl(){
               System.out.println("HelloServiceImpl created!!!");
           }

           @PostConstruct
           protected void doSetupStuff(){
               System.out.println("HelloImpl PostConstruct +++++!");
           }

           @PreDestroy
           protected void doCleanupStuff(){
               System.out.println("HelloImpl PreDestroy ------");
           }

           public void finalize(){
               System.out.println("HelloImpl finalize!!!");
           }
          


          Afaik the postConstruct and predestroy annotations have not been supported on a pojo webservice before, when was this support added?
          Anyway, I can see that the constructor and the postCreate method is called once for each request. But I never see the preDestroy/finalizer being called. The only way getting a call to these methods is to redeploy the service.
          I've tried running explicit GCs using the Server MBean but that does not help.
          What kind of pooling mechanism is being used for the pojo WS implementations?

          Running a client in a loop sending lots of requests results in jboss running out of memory (after approx 60000 requests).
          Maybe the code was "in a state of flux" when I checked out latest from head?
          I've used JBoss 4.2.3 GA and java 1.5.0_15-b04.


          • 17. Re: WSSE UsernameToken without HTTP basic auth?
            ropalka

             

            "mikaeljl" wrote:

            Afaik the postConstruct and predestroy annotations have not been supported on a pojo webservice before, when was this support added?

            Since JBossWS 3.0.5 release.
            "mikaeljl" wrote:

            Anyway, I can see that the constructor and the postCreate method is called once for each request. But I never see the preDestroy/finalizer being called. The only way getting a call to these methods is to redeploy the service.

            Yes, the POJO endpoint is created for each request.
            It's not shared across clients.
            We need to check JAXWS spec whether POJO endpoint could be shared.


            • 18. Re: WSSE UsernameToken without HTTP basic auth?
              ropalka

              Cross reference issue JBWS-2486.

              • 19. Re: WSSE UsernameToken without HTTP basic auth?

                Hi Richard.

                I do not know if the endpoints can be shared.
                They need to get different
                @Resource
                javax.xml.ws.WebServiceContext
                references (if annotated with it).

                Shared or not, the pojo endpoints need to be released sometime.
                Is it a known problem that the endpoints are not released until the war is redeployed?
                If that is the case it sounds like a memory leak, but maybe I've got something bad in my setup? Am I missing something here?

                Also note my concern about:
                @Resource
                javax.xml.ws.WebServiceContext wsCtx;
                wsCtx.getUserPrincipal() will return null.
                Is this the expected result?

                • 20. Re: WSSE UsernameToken without HTTP basic auth?
                  ropalka

                   

                  "mikaeljl" wrote:
                  Shared or not, the pojo endpoints need to be released sometime.
                  Is it a known problem that the endpoints are not released until the war is redeployed?

                  It's a bug.
                  "mikaeljl" wrote:

                  Also note my concern about:
                  @Resource
                  javax.xml.ws.WebServiceContext wsCtx;
                  wsCtx.getUserPrincipal() will return null.
                  Is this the expected result?

                  This is a known issue, see JBWS-2074.

                  • 21. Re: WSSE UsernameToken without HTTP basic auth?

                    Hi again!

                    The web service context is injected OK.
                    wsCtx is not null it's just the user principal object that I try to retrieve from the wsCtx that is null. But maybe this is a result of JBWS-2074?
                    I've not tried it yet but I guess that
                    org.jboss.security.SecurityAssociation.getPrincipal().getName()
                    would work.

                    Is there a JIRA for the memory leak/pojo endpoints never being released problem as well?
                    Or will that problem be handled by JBWS-2486?
                    Have you been able to reproduce the problem? It sounds like a significant problem. I've tried removing @pre @post annotated methods but that does not help.

                    /Mikael

                    • 22. Re: WSSE UsernameToken without HTTP basic auth?
                      dlofthouse

                      mikaeljl, for the following: -

                      However, I've noticed that if I do:
                      @Resource
                      javax.xml.ws.WebServiceContext wsCtx;
                      wsCtx.getUserPrincipal() will return null.
                      Is this the expected result?


                      Can you please raise a Jira issue under JBWS and assign it to me and I will review what is happening.


                      • 23. Re: WSSE UsernameToken without HTTP basic auth?
                        moa

                        Hi Mikael and Darran,

                        Sorry for wakening an old thread.

                        We had the same problem with the principal = null over in the STS wiki:
                        http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075

                        So I have added a JIRA bug for you Darran:
                        https://jira.jboss.org/jira/browse/JBWS-2833
