Uploaded image for project: 'JBoss Web Services'
  1. JBoss Web Services
  2. JBWS-2833

WebServiceContext#getUserPrincipal() returns null when a service is protected by "Standard WSSecurity Endpoint"

    XMLWordPrintable

Details

    Description

      When exposing a webservice using the "@WebServiceProvider" annotation, and protecting it with WSSE username token the WebServiceContext#userPrincipal is not set.

      The WEB-INF/jboss-wsse-server.xml is configured as described here:
      http://www.jboss.org/community/wiki/JBossWS-WS-Securityoptions#POJO_Endpoint__Authentication_and_Authorization

      Although this does not really seem to be enough, as it is also required to have META-INF/standard-jaxws-endpoint-config.xml file with only the "Standard WSSecurity Endpoint" on the server to actually enforce the authentication of the username token.

      Attached:

      • wstest.war: example war - exposing one webservice (compiled from the content of server.zip)
      • server.zip: source for the wstest.war
      • client.zip: simple client for the server, sending a username token.

      Reproducing the problem:
      1) deploy wstest.war to a jboss 5.1.0
      2) open the run.sh in the client.zip, and set the JBOSS_5 to fit your installation. It the server is not listening on 8080, modify the url in the client source (WsExampleClient.java).
      3) compile and run the client, by running ./run.sh
      4) inspect the server log. If this says: "[INFO] Principal = null" we have the problem (expected principal = admin)

      Server code:

      • service: server.zip:src/main/java/org/example/WsExample.java
      • wsdl: server.zip:src/main/webapp/WEB-INF/wsdl
      • wsse-config: server.zip:src/main/webapp/WEB-INF/jboss-wsse-server.xml
      • wsse-config2: server.zip:src/main/webapp/META-INF/standard-jaxws-endpoint-config.xml

      It seems that "wsse-config2" is required. If this is not present, it is possible for the client to send any client credentials it want (or leave them out) and it will still get admission to the service.

      Other areas where this has been discussed:

      Should be assigned to Darran Lofthouse.

      Attachments

        1. client.zip
          3 kB
        2. server.zip
          7 kB
        3. wstest.war
          6 kB

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBWS-3096 WebServiceContext#getUserPrincipal() returns null in JBossWS Metro stack when the user is authenticated

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              moa_jira Morten Andersen (Inactive)
              Votes:
              2 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: