Hi Xinjun,

Unfortunately the security sample in 0.94 is broken :-(

Please try the security sample provided in Axis2 0.95
http://ws.apache.org/axis2/download.cgi AND please make sure you use the
security sample provided separately in the distribution.

BTW looking at your exception trace I think you are using JDK 1.5 and if so
1.) please follow the instructions in "General -> #3" in the Axis2 faq [1].
2.) you will need to have xalan-2.6.jar in the client's classpath and in
the axis2/WEB-INF/li dir as well.

Thanks,
Ruchith

[1] http://ws.apache.org/axis2/download.cgi

On 4/6/06, Xinjun Chen <[EMAIL PROTECTED]> wrote:
> Hi Ruchith,
>
> I am really very very grateful for your enlightening explanation and
> clarification.
> I will go ahead with it. I just tried the security sample with the
> attached error message. I have already followed the steps in the
> ReadMe file in security sample folder. The following is the snippet of
> the error message. The full error message is attached.
> I will try Axis2 0.95 security in the meanwhile.
> The original exception is BadPaddingException. Did I miss something?
> As mentioned, I have followed the instruction in the read me file.
>
>
> F:\download\axis2\axis2-std-0.94-bin\samples\security\src>java sample.security.Client ..\client_repo 8080
> org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed; nested exception is:
>     org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested exception is:
>     org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> Original Exception was javax.crypto.BadPaddingException: pad block corrupted
>     at org.apache.axis2.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:165)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:376)
>
>
> Regards,
> Xinjun
>
>
> On 4/6/06, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > Hi Xinjun,
> >
> > Please see my inline comments:
> >
> > On 4/6/06, Xinjun Chen <[EMAIL PROTECTED]> wrote:
> > > When testing the Axis2 0.94 security module, I have some questions
> > > regarding client side configuration. I raised the following question
> > > after reading the webpage
> > > http://ws.apache.org/axis2/0_94/security-module.html.
> >
> > I recommend you to use the 0.95 security.mar and please note that the
> > Axis2 repository structure is different in 0.95.
> >
> > >
> > > 1. The page mentions that client side configuration parameters can be
> > > set in the axis2.xml of the client's Axis2 repository.
> > > My question is: is this referring to the directory
> > > \axis2-std-0.94-bin\repository\services ?
> > > It is initially empty. What will be the root element in the client
> > > repository axis2.xml? Could you help me to get some sample client
> > > side configuration?
> >
> > When you have to engage a client side module you will have to use an
> > Axis2 repository.
> > This repository just has to be a specific directory structure. Following
> > is the Axis2 repository structure for a client if you are using 0.95 or
> > the current SVN snapshot.
> >
> > repo_dir  <- This is the repo directory name and can be anything and can be
> >  |           anywhere in your disk where you have permission :-).
> >  |
> >  +--conf
> >  |    |
> >  |    +-- axis2.xml
> >  |
> >  +--modules  <- This directory contains .mar files
> >       |
> >       +-- security.mar
> >
> >
> > Now when you create a ServiceClient you can supply the configuration
> > context created using the configured using the repo dir.
> >
> > If you have a look at the source of the security sample's client [1]
> > you can see how this is done. (lines: 48, 49)
> >
> > Now you will have to have the following XML entries in the axis2.xml
> > that is in the client's repo's conf dir
> >
> > <!-- Engage the security module -->
> >
> > <module ref="security" />
> >
> > <!-- Configure the security module to include a username token in the msg -->
> >
> > <parameter name="OutflowSecurity">
> >   <action>
> >     <items>UsernameToken</items>
> >     <user>your_user_name</user>
> >     <passwordCallbackClass>callback.hancler.Class</passwordCallbackClass>
> >     <passwordType>PasswordText</passwordType>
> >   </action>
> > </parameter>
> >
> > The above parameter will include a username token in the security
> > header in the request message. The username will be "your_user_name"
> > and the password will be picked up using the callback.hancler.Class.
> > You will have to write this class which is an impl of the
> > java.auth.Callback interface. And you will have to set the password
> > into the WSPasswordCallback objects that are given into the handle()
> > method. Example: [2]
> >
> > Now you have your client side configured properly :-)
> >
> > >
> > > 2. If a developer only downloaded WAR distribution and put the war
> > > inside the Tomcat webapps folder. Can he/she still configure the
> > > client side? How?
> >
> > YES
> > The client side is independent from the services and there's no need
> > for anyone to use the same repository that is available inside tomcat
> > when the war is expanded.
> >
> > One can configure the services' security by configuring the axis2.xml
> > available in the WEB-INF/con dir in the war to include the
> > <module ref="security" /> entry AND by including the configuration
> > parameters in each service's services.xml file.
> >
> > >
> > > 3. The page mentioned per service level security configuration. Could
> > > you also provide some details? My understanding is that the security
> > > configuration (security policy and security information) will be read
> > > by the WSDoAllHandler inside the security.module. I checked both
> > > WSDoAllSender and WSDoAllReceiver, but could not figure out where and
> > > how WSDoAllHandler can find out the security configuration file.
> >
> > We do not process WS-SecurityPolicy yet. And we use two parameters to
> > configure the security module as explained here [3].
> > When configuring security for services you can include these elements
> > in the services.xml of each of those services as children of the document
> > element ("service" element). Then each request directed at any of the
> > operations of the service is expected to be secured as configured.
> >
> > HandlerParameterDecoder.processParameters() method is used to extract
> > information from these parameters. This is used in both WSDoAll* handlers.
> >
> > >
> > > 4. As for the PasswordCallbackClass, is it possible to use the same
> > > PasswordCallbackClass for both client and server if I combine the
> > > client and server into the Axis2 installation in Tomcat?
> >
> > yes
> >
> > >
> > > 5. Does Axis2 security module allow plain username and password for
> > > authentication? Can I specify the username and password inside the
> > > configuration?
> > >
> >
> > yes it allows plain text password and the username is anyway plain text.
> >
> > You will have to specify the username in the configuration parameter
> > but you cannot specify the password in the configuration. You will
> > have to use the PasswordCallbackClass to provide the password for a
> > given username.
> >
> > Thanks,
> > Ruchith
> >
> > p.s.
> > Once again ... I recommend you to use the 0.95 or the current SVN and
> > please note that you will have to include the following jars in the
> > client's classpath and if you are using secured services in Tomcat :
> > in the axis2/WEB-INF/lib dir:
> >
> > bcprov-jdk13-131.jar
> > commons-discovery-0.2.jar
> > wss4j-SNAPSHOT.jar
> > xmlsec-1.2.1.jar
> >
> > [1] https://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/samples/src/sample/security/Client.java
> > [2] https://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/samples/src/sample/security/PWCallback.java
> > [3] http://ws.apache.org/axis2/0_95/security-module.html
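
A password callback of the kind the quoted reply describes, as an added example that is not part of the original thread or the Axis2 sample. It implements the JDK's javax.security.auth.callback.CallbackHandler and needs the WSS4J jar on the classpath; the class name, the `pwcb.store` system property and the properties-file layout are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler for <passwordCallbackClass>: it supplies the password
// for the <user> named in OutflowSecurity, so no password sits in axis2.xml.
public class FilePasswordCallback implements CallbackHandler {

    // Assumption: -Dpwcb.store=<file> names a properties file of
    // username=password lines, readable only by the account running the JVM.
    private static final String STORE_PROPERTY = "pwcb.store";

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        Properties store = loadStore();
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // getIdentifer() is the method name in WSS4J releases of this
            // period; later releases spell it getIdentifier().
            String password = store.getProperty(pc.getIdentifer());
            if (password == null) {
                // Fail closed: never fall back to an empty or default password.
                throw new IOException("No password configured for requested user");
            }
            pc.setPassword(password);
        }
    }

    private static Properties loadStore() throws IOException {
        String path = System.getProperty(STORE_PROPERTY);
        if (path == null) {
            throw new IOException("System property " + STORE_PROPERTY + " is not set");
        }
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        }
        return props;
    }
}
```

With this class on the client's classpath, the `<passwordCallbackClass>` element of the OutflowSecurity parameter would name `FilePasswordCallback`.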