It's a bit hard to read your email - my guess is it got reformatted somewhere along the line. Are you able to attach a sample project for us to dig into?

Thanks
Jon

On Fri, Sep 14, 2018 at 12:14 PM capozx <[email protected]> wrote:

> Hi, I'm trying to develop a SOAP web service, but I'm having trouble
> authenticating the UsernameToken included in every SOAP message header.
>
> My TomEE server version is TomEE Plus 7.0.5.
>
> According to the documentation, WS-SecurityPolicy does the necessary work
> to handle security, after a proper configuration.
>
> I do configuration through Endpoint Property Annotations, in the
> following way:
>
> @WebService(targetNamespace = "http://tempuri.org/", name = "MyService")
> @EndpointProperties(value = {
>     @EndpointProperty(key = "ws-security.callback-handler", value = "org.tempuri.ServerPasswordCallback")
>     //@EndpointProperty(key = "ws-security.validate.token", value = "false")
> })
> public interface MyService {...}
>
> The ServerPasswordCallback is:
>
> public class ServerPasswordCallback implements CallbackHandler {
>
>     public ServerPasswordCallback() {
>         System.out.println("Instantiating ServerPasswordCallback");
>     }
>
>     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>         System.out.println("Validating on ServerPasswordCallback");
>         WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>         if (pc.getIdentifier().equals("joe")) {
>             // set the password on the callback. This will be compared to the
>             // password which was sent from the client.
>             pc.setPassword("password");
>         }
>     }
> }
>
> The problem is that I get the following exception:
>
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized
>     at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:176)
>     at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:136)
>     at org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:94)
>
> The sent message's header is:
>
> <?xml version="1.0"?> joe password ey+3J+OKoHlhfqREn7Q8jw== 2018-09-14T10:59:10.459Z 2018-09-14T10:59:10.459Z 2018-09-14T10:59:15.459Z
>
> The strange thing is that it seems that ServerPasswordCallback is never
> instantiated, and handle() is never called.
>
> If in the Endpoint properties annotations I set ws-security.validate.token
> to false, the former Exception is thrown, even if this property should
> prevent Token validation.
>
> That fact makes me think that annotations are not working, but I can't
> figure out why.
>
> Is this the correct way of authenticating a UsernameToken?
> Are the Endpoint properties annotations correct?
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
