3 Replies Latest reply on Dec 23, 2013 9:43 AM by imjorge

    In Interceptors not running for a CXF web service on JBoss 7.1.1

    imjorge

      Hi,

       

      tl;dr; in interceptors are not run and, as such, ws-security is not enforced. this happens in jboss 7.1.1.

       

      I have a project, part of a large solution, that consists of a war with cxf web services. The project is built with cxf and spring and includes, in the beans configuration file, references to interceptors to process the ws-security headers. The problem is that those headers are not being processed and, as such, I get a SOAP response stating:

       

      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">

         <soap:Body>

            <soap:Fault>

               <soap:Code>

                  <soap:Value>soap:MustUnderstand</soap:Value>

               </soap:Code>

               <soap:Reason>

                  <soap:Text xml:lang="en">MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.</soap:Text>

               </soap:Reason>

            </soap:Fault>

         </soap:Body>

      </soap:Envelope>

       

      Which indicates, IMO, that the interceptors were not run. I have reduced this project to a simple hello world sample (source and war in attach).

       

      Here is the WEB-INF\web.xml:

       

      <?xml version="1.0" encoding="ISO-8859-1"?>

      <!DOCTYPE web-app

        PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"

        "http://java.sun.com/dtd/web-app_2_3.dtd">

       

       

      <web-app>

          <context-param>

                <param-name>contextConfigLocation</param-name>

                <param-value>/WEB-INF/classes/applicationContext.xml</param-value>

          </context-param>

       

          <listener>

              <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

          </listener>

       

          <servlet>

              <servlet-name>CXFServlet</servlet-name>

              <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>

          </servlet>

          <servlet-mapping>

              <servlet-name>CXFServlet</servlet-name>

              <url-pattern>/*</url-pattern>

          </servlet-mapping>

       

       

      </web-app>

       

      The WEB-INF\jboss-deployment-structure.xml:

       

      <?xml version="1.0" encoding="utf-8"?>

      <jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">

        <deployment>

        <dependencies>

        <module name="org.apache.cxf.impl" export="true">

        <imports>

        <include path="META-INF"/>

        <include path="META-INF/cxf"/>

        </imports>

        <exports>

        <include path="META-INF"/>

        <include path="META-INF/cxf"/>

        </exports>

        </module>       

        <module name="org.apache.cxf" export="true">

        <imports>

        <include path="META-INF"/>

        <include path="META-INF/cxf"/>

        </imports>

        <exports>

        <include path="META-INF"/>

        <include path="META-INF/cxf"/>

        </exports>

        </module>         

        <module name="org.springframework.spring" export="true">

        <imports>

        <include path="META-INF"/>

        </imports>

        <exports>

        <include path="META-INF"/>

        </exports>

        </module>

        <module name="org.apache.ws.security" />

        </dependencies>

        </deployment>

      </jboss-deployment-structure>

       

      I can call the web service, given that no ws-security soap headers are present. This SOAP envelope results in a valid SOAP response:

       

      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://webservices.hello.test.jorge.com/">

         <soap:Body>

            <web:sayHello>

               <user>test</user>

            </web:sayHello>

         </soap:Body>

      </soap:Envelope>

       

      But not this:

       

      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://webservices.hello.test.jorge.com/">

         <soap:Header>

        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">

        <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1234567890">

        <wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">11</wsse:Username>

        <wsse:Password xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">p</wsse:Password>

        </wsse:UsernameToken>

        </wsse:Security>

         </soap:Header>

         <soap:Body>

            <web:sayHello>

               <user>test</user>

            </web:sayHello>

         </soap:Body>

      </soap:Envelope>

       

      The web service is hardcoded (in this sample) to allow username 11 with password p.

       

      My next step would be debugging the CXF stack, since I have not found any difference between this sample and the online documentation.

       

      The stack is composed by:

      • jboss 7.1.1
      • jbossws-cxf-4.1.1 (the most recent version of jbossws-cxf that is compatible with jboss 7.1.1, according to JBossWS - Supported Target Containers)
      • cxf (modules) 2.6.4
      • spring 3.0.7.RELEASE
      • asm 3.3.1

       

      Ideas on what may be wrong?