Hello,

I am trying to set up a SOAP transaction with wss4j 1.5.4 and Axis (1.4 or 1.2)
using a UsernameToken password.
The trouble is that the request is processed even with a bad user or
password in PasswordText mode.

I spent much time changing parameters or jars, reading documentation and
searching the web, but I found nothing.
Can anyone help? I am sure the solution must be quite simple, but this is the
first time I have used wss4j ...
Thanks.

Daph

Here is all the information about this project.

I did the following tests:
- without a soapenv header the request is rejected (WSDoAllReceiver: Request
  does not contain required Security header)
- in PasswordDigest mode all requests are rejected, even with a correct
  user/password (WSSecurityException: The security token could not be
  authenticated or authorized)

At first I tried to use the PasswordText mode, and here is my
server-config.wsdd file (I changed some namespaces and names):
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <globalConfiguration>
  <parameter name="sendMultiRefs" value="true"/>
  <parameter name="disablePrettyXML" value="true"/>
  <parameter name="adminPassword" value="admin"/>
  <parameter name="attachments.Directory" value="/exec/jonas/v486/webapps"/>
  <parameter name="dotNetSoapEncFix" value="true"/>
  <parameter name="enableNamespacePrefixOptimization" value="false"/>
  <parameter name="sendXMLDeclaration" value="true"/>
  <parameter name="attachments.implementation"
value="org.apache.axis.attachments.AttachmentsImpl"/>
  <parameter name="sendXsiTypes" value="true"/>
  <requestFlow>
   <handler type="java:org.apache.axis.handlers.JWSHandler">
    <parameter name="scope" value="session"/>
   </handler>
   <handler type="java:org.apache.axis.handlers.JWSHandler">
    <parameter name="scope" value="request"/>
    <parameter name="extension" value=".jwr"/>
   </handler>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver" >
      <parameter name="passwordCallbackClass"
value="com.myAppli.ws.PWCallback"/>
      <parameter name="action" value="UsernameToken"/>
      <parameter name="user" value="user"/>
      <parameter name="passwordType" value="PasswordDigest"/>
      <!--<parameter name="passwordType" value="PasswordText"/>-->
   </handler>
  </requestFlow>
 </globalConfiguration>
 <handler name="LocalResponder"
type="java:org.apache.axis.transport.local.LocalResponder"/>
 <handler name="URLMapper"
type="java:org.apache.axis.handlers.http.URLMapper"/>

  <!-- Services from WSDL -->
  <service name="ExternalManagementPort" provider="java:RPC" style="wrapped"
use="literal">
      <parameter name="wsdlTargetNamespace" value="uri://myAppli/1.0"/>
      <parameter name="wsdlServiceElement"
value="ExternalManagementService"/>
      <parameter name="schemaQualified" value="urn:com.serviceconf"/>
      <parameter name="schemaUnqualified"
value="uri://myAppli/-xp/types/1.0,uri://myAppli/1.0,uri://myAppli/types/1.0"/>
      <parameter name="wsdlServicePort" value="ExternalManagementPort"/>
      <parameter name="className"
value="com.myAppli.messages.ExternalManagementSoapBindingSkeleton"/>
      <parameter name="wsdlPortType" value="ExternalManagement"/>
      <parameter name="typeMappingVersion" value="1.2"/>
      <parameter name="allowedMethods" value="*"/>
…
<transport name="http">
  <requestFlow>
   <handler type="URLMapper"/>
   <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
  </requestFlow>
  <parameter name="qs:list"
value="org.apache.axis.transport.http.QSListHandler"/>
  <parameter name="qs:wsdl"
value="org.apache.axis.transport.http.QSWSDLHandler"/>
  <parameter name="qs.list"
value="org.apache.axis.transport.http.QSListHandler"/>
  <parameter name="qs.method"
value="org.apache.axis.transport.http.QSMethodHandler"/>
  <parameter name="qs:method"
value="org.apache.axis.transport.http.QSMethodHandler"/>
  <parameter name="qs.wsdl"
value="org.apache.axis.transport.http.QSWSDLHandler"/>
 </transport>
 <transport name="local">
  <responseFlow>
   <handler type="LocalResponder"/>
  </responseFlow>
 </transport>
</deployment>


And the PWCallback class (its log statements are executed):
package com.myAppli.ws;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.log4j.Logger;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.axis.MessageContext;
import org.apache.axis.message.SOAPEnvelope;
import javax.xml.soap.SOAPMessage;

public class PWCallback implements CallbackHandler {
    private static Logger logger = Logger.getLogger(PWCallback.class.getName());

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        logger.debug("Inside PWCallback.handle");
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                String user = pc.getIdentifer();
                // the same password is set for every caller, whatever the usage reported by WSS4J
                pc.setPassword("testpass");
                logger.debug("Callback found, usage " + pc.getUsage() + ", user " + user);
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}

The request (sent with soap-ui for testing) looks like:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:urn="urn:gccsca.francetelecom.com.serviceconf">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken>
            <wsse:Username>SLSd</wsse:Username>
            <wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testpasstttt</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>

The application is deployed through Jonas (v4.8.6 on linux RedHat 5, or
v4.9.2 on Windows XP).

I also include here a list of the jar files in the war. I am not sure of
all versions (except those for wss4j). Maybe it can help …
At first I used Axis 1.2; I tried to update to Axis 1.4, then I added some
other jar files that could be used.
activation.jar - addressing-1.0.jar
axis-1.4.jar - axis-ant-1.4.jar - axis-jaxrpc-1.4.jar - axis-saaj-1.4.jar
bcprov-jdk13-132.jar
classes12.jar
commons-beanutils.jar - commons-codec-1.3.jar - commons-collections.jar -
commons-discovery-0.2.jar - commons-httpclient-3.0-rc2.jar
commons-lang.jar - commons-logging-1.0.4.jar - commons-pool.jar -
commons-validator.jar
dom4j.jar
junit-3.8.1.jar - log4j-1.2.9.jar
mail.jar - opensaml-1.0.1.jar
optional.jar - ostermillerutil.jar - regexp.jar
serializer-2.7.0.jar - wsdl4j-1.5.1.jar - wss4j-1.5.4.jar
xalan-2.7.0.jar - xercesImpl.jar - xml-apis.jar - xmlParserAPIs.jar -
xmlsec-1.4.0.jar

-- 
View this message in context: 
http://www.nabble.com/WSSE-UsernameToken%3A-accepts-all-user-password-tp19535971p19535971.html
Sent from the WSS4J mailing list archive at Nabble.com.
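An added example, not code from the original post or from the WSS4J project, showing a callback handler that actually verifies a UsernameToken under the WSS4J 1.5.x contract as I understand it (confirm against the WSPasswordCallback javadoc of the wss4j jar in use): for PasswordDigest the handler is called with usage USERNAME_TOKEN and supplies the stored password, which WSS4J digests and compares with the token; for PasswordText it is called with usage USERNAME_TOKEN_UNKNOWN with the received password already in getPassword(), and nothing rejects the token unless the handler itself compares and throws. Under that contract a handler that only calls setPassword("testpass") lets every plain-text token through, which is the symptom described above. The package name and the user name SLSd are reused from the post; the class name VerifyingPWCallback, the in-memory PASSWORDS map and the constantTimeEquals helper are constructed for this example.

```java
package com.myAppli.ws;   // package name reused from the posted PWCallback

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;

/**
 * Hypothetical replacement for the posted PWCallback (not WSS4J code).
 * Assumed WSS4J 1.5.x contract, to be checked against the WSPasswordCallback
 * javadoc of the exact jar in use:
 *
 *  - PasswordDigest: usage == USERNAME_TOKEN. The handler supplies the stored
 *    clear-text password via setPassword(); WSS4J recomputes the digest over
 *    nonce + created + password and compares it with the token.
 *  - PasswordText:   usage == USERNAME_TOKEN_UNKNOWN. getPassword() already holds
 *    the password received in the token; WSS4J does no comparison of its own,
 *    so the handler must compare and throw to reject. setPassword() here has no
 *    effect on the outcome.
 *
 * WSSecurityException extends RemoteException (an IOException) in 1.5.x, so it
 * can be thrown from handle() and surfaces as FAILED_AUTHENTICATION.
 */
public class VerifyingPWCallback implements CallbackHandler {

    // Constructed sample credential store for the example; a deployment would
    // back this with a properly protected user store.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static {
        PASSWORDS.put("SLSd", "testpass"); // user name from the posted sample request
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String user = pc.getIdentifer(); // accessor is spelt this way in WSS4J 1.5.x
            String stored = PASSWORDS.get(user);

            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digest mode: hand back the stored password; WSS4J does the comparison.
                    if (stored == null) {
                        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
                    }
                    pc.setPassword(stored);
                    break;

                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Plain-text mode: the received password is in pc.getPassword().
                    // Nothing rejects the token unless this handler does.
                    if (stored == null || !constantTimeEquals(stored, pc.getPassword())) {
                        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
                    }
                    break;

                default:
                    // The receiver is configured for action="UsernameToken" only.
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Unexpected callback usage " + pc.getUsage());
            }
        }
    }

    /** Compares two strings without stopping at the first differing byte. */
    static boolean constantTimeEquals(String expected, String actual) {
        if (actual == null) {
            return false;
        }
        byte[] a = expected.getBytes();
        byte[] b = actual.getBytes();
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

Point the passwordCallbackClass parameter of WSDoAllReceiver at this class in server-config.wsdd. The two modes also force a choice about the credential store: PasswordDigest keeps the password off the wire but requires the server to hold it in recoverable form, while PasswordText can be checked against a one-way hash but then relies on TLS to protect the password in transit. Note that the posted request sends Type ...#PasswordText while the posted server-config.wsdd sets passwordType to PasswordDigest; whichever mode is chosen, the client request and the receiver configuration should agree.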