stackoom
  简体   繁体   中英

Problem authenticating SOAP usernameToken with Apache CXF

 原文  2018-09-17 11:39:18       java/ soap/ cxf/ ws-security

Question

I'm trying to develop a SOAP web service under Apache CXF 3.0.4 , but i'm having trouble authenticating the UsernameToken included in every SOAP message header using WS-SecurityPolicy. According to the documentation , WS-SecurityPolicy is automatically enabled if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath . It does the necessary work to handle security, after a proper configuration. I do configuration through Endpoint Property Annotations, in the following way: 

@WebService(targetNamespace = "http://tempuri.org/", name = "MyService")

@EndpointProperties(value = {
        @EndpointProperty(key = "ws-security.callback-handler", value = "org.tempuri.ServerPasswordCallback")
        //@EndpointProperty(key = "ws-security.validate.token", value = "false")
    }
)


public interface MyService {
...
}

The ServerPasswordCallback is: 

public class ServerPasswordCallback implements CallbackHandler {

    public ServerPasswordCallback() {
        System.out.println("Instantiating ServerPasswordCallback");
    }

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {

        System.out.println("Validating on ServerPasswordCallback");

        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        if (pc.getIdentifier().equals("joe")) {
            // set the password on the callback. This will be compared to the
            // password which was sent from the client.
            pc.setPassword("password");
        }
    }

}

The problem is that i get the following exception: 

Caused by: org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:176)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:136)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:94)

The sent message's header is: 

<?xml version="1.0"?>
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-3B91E43693FA4F34C61536922750459149">
      <wsse:Username>joe</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ey+3J+OKoHlhfqREn7Q8jw==</wsse:Nonce>
      <wsu:Created>2018-09-14T10:59:10.459Z</wsu:Created>
    </wsse:UsernameToken>
    <wsu:Timestamp wsu:Id="TS-3B91E43693FA4F34C61536922750459148">
      <wsu:Created>2018-09-14T10:59:10.459Z</wsu:Created>
      <wsu:Expires>2018-09-14T10:59:15.459Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security>
</soapenv:Header>

The strange thing is that seems that ServerPasswordCallback is never instantiated, and handle() is never called. If in the Endpoint properties annotations i set ws-security.validate.token to false , the former Exception is thrown, even if this property should prevent Token validation. That fact make me think that annotations are not working, but i can't figure out why. Is this the correct way of authenticating a UsernameToken ? Are the Endpoint properties annotations correct?

NB I can't set Endpoint properties like suggested in the documentation because I have not access to Endpoint instance. A sample project is available here

1 answers

solution1
 0 ACCPTED  2018-09-20 09:39:44

Finally I figured out a solution: 

@WebService(targetNamespace = "http://tempuri.org/", name = "MyService")

@EndpointProperties(value = {
        @EndpointProperty(key = "webservice.security.authMethod", value = "WS-SECURITY")
        @EndpointProperty(key = "ws-security.callback-handler", value = "org.tempuri.ServerPasswordCallback")
    }
)


public interface MyService {
...
}

In order to make the annotations working, it's necessary to include the following annotation in the EndpointProperties: 

@EndpointProperty(key = "webservice.security.authMethod", value = "WS-SECURITY")

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question SOAP security header with UsernameToken and SecurityContextToken - CXF WS-Security UsernameToken with Apache CXF webservice SOAP UsernameToken CXF not send username/password on each requests apache camel cxf soap Problem with passing SOAP headers using Apache CXF client UsernameToken WS-Security with Apache CXF Annotations (WSS4J) Apache cxf + soap anonymous addressing SOAP over WebSockets in Apache CXF? Vaadin with Apache CXF SOAP service Access is denied Apache CXF SOAP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM