Hi, 

I've tested the authentication using Digest Password

1. JBoss AS 5.0.1.GA
2. JBOSS WS native 3.0.5.GA
3. WebService is implemented using an EJB3 Endpoint.
4. Client is generated using standard JAXWS (with maven) but executed using 
jbossws-native-client
5. JDK 6 (using -Djava.endorsed.dirs=${jboss.home}/lib/endorsed during client 
execution)
6. Username Token is configured to produce a PasswordDigest and not a clear 
password.

Everything works fine using the jboss-native-client.

2 problems also appear:

1. If I'm using SOAPUI to generate a SOAP call, on the server side the password 
does not match. (If I'm using a configuration with no digest, the SOAPUI call 
works fine.) I assume there is a difference between the SOAPUI-generated Digest 
and the JBoss-generated Digest, but what is this difference?

2. The way to put UserName and Password on the client side is : 

 
  | AuthenticationService_Service service = new AuthenticationService_Service();
  | AuthenticationService port = service.getAuthenticationService();
  | 
  | // Select the WS-Security client configuration by name
  | ((StubExt) port).setConfigName("Standard WSSecurity Client");
  | 
  | // Credentials are supplied through the JAX-WS request context
  | Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
  | reqContext.put(BindingProvider.USERNAME_PROPERTY, "kermit");
  | reqContext.put(BindingProvider.PASSWORD_PROPERTY, "thefrog");
  | 
  | String connectedUser = port.getConnectedUserIdentifier();
  | logger.info("Connected user : " + connectedUser);
  | assertTrue(connectedUser.equals("kermit"));

Then the WSSecurityHandlerClient takes this HTTP header information to generate 
the correct wsse SOAP header assertion, calculating a password digest of the 
clear password provided. The problem is that the HTTP header information is not 
removed and is clearly visible in the HTTP header... So the password is well 
encoded using a digest in the SOAP header but not in the HTTP header. Is it an 
issue or is there any other way to give Username/Password information to the 
WSSecurityHandlerClient?

3. Is there some code sample that shows how to use SAML instead of 
Username/Token?

If you capture trames using Wireshar

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4231089#4231089
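
Added example, not part of the original post and not JBossWS or SoapUI code: a stand-alone check that recomputes the PasswordDigest as the OASIS WS-Security UsernameToken Profile defines it, Base64(SHA-1(nonce + created + password)), so the value each client sends can be compared against it. The class name, the sample values and the "text nonce" comparison variant are assumptions made for illustration; it uses java.util.Base64, so it needs Java 8 or later rather than the JDK 6 client runtime.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class PasswordDigestCheck {

    // UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password)),
    // with nonce taken as the decoded bytes of the wsse:Nonce element.
    static String profileDigest(String nonceB64, String created, String password)
            throws Exception {
        return digest(Base64.getDecoder().decode(nonceB64), created, password);
    }

    // Hypothetical non-conforming variant, for comparison only: hashes the Base64
    // text of the nonce instead of its decoded bytes.
    static String textNonceDigest(String nonceB64, String created, String password)
            throws Exception {
        return digest(nonceB64.getBytes(StandardCharsets.UTF_8), created, password);
    }

    private static String digest(byte[] nonce, String created, String password)
            throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    private static boolean same(String a, String b) {
        // Constant-time comparison, as a server-side verifier should use.
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Usage: java PasswordDigestCheck <Nonce> <Created> <password> <digest from capture>
    public static void main(String[] args) throws Exception {
        // Constructed sample values; replace with the fields of a captured wsse:UsernameToken.
        String nonce = args.length > 0 ? args[0] : "MTIzNDU2Nzg5MGFiY2RlZg==";
        String created = args.length > 1 ? args[1] : "2009-05-14T10:00:00Z";
        String password = args.length > 2 ? args[2] : "thefrog";
        String expected = profileDigest(nonce, created, password);
        String received = args.length > 3 ? args[3] : expected;

        System.out.println("profile digest  : " + expected);
        System.out.println("matches profile : " + same(expected, received));
        System.out.println("matches text-nonce variant : "
                + same(textNonceDigest(nonce, created, password), received));
    }
}
```

Feeding it the Nonce, Created and Password values from each client's request shows whether that client's digest follows the profile, which narrows the mismatch to one side.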
