Re: [Axis2] rampart problem using WS-SECURITY

Thu, 16 Nov 2006 21:31:36 -0800 

Dave Meier wrote:

Hi Kaushalye,

I've got this all working now.  Thanks for all your help.

Not a problem :)

I have a question:  Is there a way to get the userid that was passed in
the Security header from inside the server side implementation of a web
service method?
Yes. You can get the SOAP envelope from the msg ctx. And then get the Security header and process the Usernametoken. You can get the logic by going thru the invoke() method of rampart_in_handler.c 
Basically, I want to have my callback dll authenticate, but in my
business logic on the server (a different dll), I still need to know
what the userid is in order to perform the actions in the context of
that user.  I don't really care about the password as I know at that
point that the client side has passed in the correct password, since it
matches what I return from my callback dll.
In future I will try to insert security results as properties (e.g. user id) to the message context after processing a security header, so that we don't need to repeat the same processing in the service. 
Thanks!

-Dave.

-----Original Message-----
From: Kaushalye Kapuruge [mailto:[EMAIL PROTECTED] Sent: Thursday, November 16, 2006 12:17 AM 
To: Apache AXIS C User List
Subject: Re: [Axis2] rampart problem using WS-SECURITY

Hi Dave,
Usernametoken building precess can be failed for following reasons.
1. Failure to specify the password either using Axis2 property
"password" or using a callback module. (I think you are using callbacks)
2. Failure to specify callback module (path) correctly.
3. Failure to load the callback module (DLL  in your case) correctly.
4. There is no such user in the system. i.e.  The callback module cannot
give a password for the user specified.

If you can send the debug trace I might be able to identify where
exactly the error is. I'll try to include more detailed log entries than
this to make the debugging more easier.
Cheers,
Kaushalye


Dave Meier wrote:

Hi Kau,

Sorry, I did some more testing back without using rampart.  At first I
was getting the same error that showed with rampart. After some fiddling around I got that working again and then set it up with Rampart again. Now I don't get the same error but it is failing with A
different error "[rampart][rampart_out_handler] UsernmaeToken build failed. ERROR": 

[Tue Nov 14 21:42:32 2006] [info]  [rampart][rampart_in_handler]Inflow
Security found
[Tue Nov 14 21:42:32 2006] [info] [rampart][rampart_in_handler] Validating UsernameToken [Tue Nov 14 21:42:32 2006] [info] [rampart][rampart_in_handler] Validating UsernameToken SUCCESS [Tue Nov 14 21:42:32 2006] [info] [rampart][rampart_in_handler] Validating
Timestamp [Tue Nov 14 21:42:32 2006] [info] [rampart][rampart_in_handler] Validating Timestamp is SUCCESS [Tue Nov 


14 21:42:32 2006] [debug]
..\..\modules\core\engine\engine.c(762) Invoking phase Dispatch [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler addressing_based_dispatcher within the phase Dispatch [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\addr_disp.c(108) Checking for service using WSA enpoint address : http://localhost:8181/axis2/services/ttwebservices 
[Tue Nov 14 21:42:32 2006] [debug]
..\..\modules\core\engine\addr_disp.c(138) Service found using WSA enpoint address [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler request_uri_based_dispatcher within the phase Dispatch [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler soap_action_based_dispatcher within the phase Dispatch [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\soap_action_disp.c(108) Checking for operation using SOAPAction : 
[Tue Nov 14 21:42:32 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler soap_message_body_based_dispatcher within the phase Dispatch [Tue Nov 14 21:42:32 2006] [debug] 
..\..\modules\core\engine\soap_body_disp.c(198) Checking for operation



using SOAP message body's first child's local name : CreatePrimaryItem



[Tue Nov 14 21:42:32 2006] [debug]
..\..\modules\core\engine\soap_body_disp.c(207) Operation found using SOAP message body's first child's local name [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase PostDispatch [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler dispatch_post_conditions_evaluator within the phase PostDispatch [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler context_handler within the phase PostDispatch [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase PolicyDetermination [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase PolicyDetermination [Tue Nov 14 21:42:32 2006] [debug] 
..\..\modules\core\engine\engine.c(762) Invoking phase MessageOut [Tue



Nov 14 21:42:32 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler AddressingOutHandler within the phase MessageOut [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler RampartOutHandler within the phase MessageOut [Tue Nov 14 21:42:32 2006] [info] [rampart][rampart_out_handler] building UsernmaeToken [Tue Nov 14 21:42:32 2006] [info] [rampart][rampart_out_handler] UsernmaeToken build failed. ERROR [Tue Nov 14 21:42:32 2006] [debug] ..\..\modules\core\engine\engine.c(445) Axis2 engine receive successful [Tue Nov 14 21:42:32 2006] [debug] 
..\..\modules\core\engine\engine.c(762) Invoking phase MessageOut [Tue



Nov 14 21:42:32 2006] [info]  Request served successfully

Thanks,

-Dave.

-----Original Message-----
From: Dave Meier [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 14, 2006 9:27 PM
To: Apache AXIS C User List
Subject: RE: [Axis2] rampart problem using WS-SECURITY

Hi Kau,

1.  I used the Inflow/Outflow parameters like what is in the samples:
    <!--Rampart configurations START       -->
    <parameter name="OutflowSecurity">
      <action>
        <items>UsernameToken  Timestamp</items>
        <user>BILL</user>
        <passwordType>passwordText</passwordType>
<passwordCallbackClass>D:/ttaxiswsse/Debug/ttwebserviceswsse.dll</pass 
wo
rdCallbackClass>
        <timeToLive>360</timeToLive>
      </action>
</parameter> 

    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken Timestamp</items>
<passwordCallbackClass>D:/ttaxiswsse/Debug/ttwebserviceswsse.dll</pass 
wo
rdCallbackClass>
      </action>
    </parameter>
<!--Rampart configurations END -->
2. Here is the trace of incoming and outgoing soap. I am using Visual Studio 2005 C# for the client side: 

Incoming:
<?xml version="1.0" encoding="utf-8" ?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing";
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
se
curity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
ec
urity-utility-1.0.xsd">
    <soap:Header>
        <wsa:Action />
<wsa:MessageID>urn:uuid:527b7049-198f-4725-a2d7-bc861b4d36b3</wsa:Mess 
ag
eID>
        <wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/ano 
ny
mous</wsa:Address>
        </wsa:ReplyTo>
<wsa:To>http://localhost:8181/axis2/services/ttwebservices</wsa:To> 
        <wsse:Security soap:mustUnderstand="1">
            <wsu:Timestamp
wsu:Id="Timestamp-f4f3626e-2c6f-4c69-b280-df0c2bf0ad3b">
                <wsu:Created>2006-11-15T05:22:08Z</wsu:Created>
                <wsu:Expires>2006-11-15T05:23:08Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
ec
urity-utility-1.0.xsd"
wsu:Id="SecurityToken-b7689ab1-70e9-4472-8386-0880eb2180fe">
                <wsse:Username>bill</wsse:Username>
                <wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username
-t oken-profile-1.0#PasswordText">b</wsse:Password>
                <wsse:Nonce>vVR7Rzg8oLtLfg5NjxWV1g==</wsse:Nonce>
                <wsu:Created>2006-11-15T05:22:08Z</wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>
    </soap:Header>
    <soap:Body>
        <CreatePrimaryItem xmlns="urn:ttwebservices">
            <auth>
                <userId xsi:nil="true" />
                <password xsi:nil="true" />
                <hostname xsi:nil="true" />
            </auth>
            <projectID>16</projectID>
            <item>
                <genericItem>
                    <itemID xsi:nil="true" />
                    <itemName>BUG</itemName>
                </genericItem>
                <classification>Image Builder</classification>
                <title>my title</title>
                <description>my desc</description>
                <createdBy>bill</createdBy>
                <createDate>2006-01-01T00:12:12</createDate>
                <modifiedBy>bill</modifiedBy>
                <modifiedDate>2006-01-01T00:12:12</modifiedDate>
                <activeInactive>true</activeInactive>
                <state>Waiting</state>
                <owner>joe</owner>
                <extendedFieldList>
                    <name>FOUND_IN_VERSION</name>
                    <value>v1.1</value>
                </extendedFieldList>
                <extendedFieldList>
                    <name>FUNCTIONAL_AREA</name>
                    <value>Help</value>
                </extendedFieldList>
            </item>
        </CreatePrimaryItem>
    </soap:Body>
</soap:Envelope>

Outgoing:
<?xml version="1.0" encoding="UTF-8" ?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";> 
    <soapenv:Header />
    <soapenv:Body />
</soapenv:Envelope>
When I use the same client code without WS-SECURITY and take rampart out of the axis2.xml, my web service method does get called and everything gets returned correctly to the client. 

Thanks,

-Dave.

-----Original Message-----
From: Kaushalye Kapuruge [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 14, 2006 9:02 PM
To: Apache AXIS C User List
Subject: Re: [Axis2] rampart problem using WS-SECURITY

Hi,
I need some information from you to figure out what exactly is the problem.
1. Have you specified the Outflow/InflowSecurity parameters correctly using axis2.xml If you have any questions on this do not hesitate to ask me. Have a look at the sample axis2.xml file in rampart/samples/client/echo/data/un_ts_axis2.xml. 2. Is it possible to send a trace of outgoing message. (You may use TCPMonitor for this)
BTW from log entries I can see that Rampart has done the validation correct. But in the message building has failed in the server side. This "might" be due to improper settings in the server side. Try the latest code. But do not use the encryption yet:) It is still under 
development.

Cheers,
Kau


Dave Meier wrote:

Hi,
Okay, I got the latest code. I had to add "#include <oxs_xml_encryption.h>" to the rampart_encryption.c file in order to get it to link on Windows. Now it returns an empty message as it's not invoking my service method:
<?xml version="1.0" encoding="UTF-8" ?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";> 
    <soapenv:Header />
    <soapenv:Body />
</soapenv:Envelope>

The log below shows "[error]
..\..\modules\core\receivers\raw_xml_in_out_msg_recv.c(114) Impl object for service 'ttwebservices' not set in message receiver. 0 :: 
No Error".
Please let me know if there is something I am doing wrong. I'll go look at the source code to see if I can figure it out.
[Tue Nov 14 11:24:07 2006] [info] [rampart][rampart_in_handler]Inflow 
Security found
[Tue Nov 14 11:24:07 2006] [info] [rampart][rampart_in_handler] Validating UsernameToken [Tue Nov 14 11:24:07 2006] [info] [rampart][rampart_in_handler] Validating UsernameToken SUCCESS [Tue Nov 14 11:24:07 2006] [info] [rampart][rampart_in_handler] Validating
Timestamp [Tue Nov 14 11:24:07 2006] [info] [rampart][rampart_in_handler] Validating Timestamp is SUCCESS [Tue Nov 
14 11:24:07 2006] [debug]
..\..\modules\core\engine\engine.c(762) Invoking phase Dispatch [Tue Nov 14 11:24:07 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler addressing_based_dispatcher within the phase Dispatch [Tue Nov 14 
11:24:07 2006] [debug]
..\..\modules\core\engine\addr_disp.c(108) Checking for service using



WSA enpoint address :
http://localhost:8181/axis2/services/ttwebservices
[Tue Nov 14 11:24:07 2006] [debug]
..\..\modules\core\engine\addr_disp.c(138) Service found using WSA enpoint address [Tue Nov 14 11:24:07 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler request_uri_based_dispatcher within the phase Dispatch [Tue Nov 14 
11:24:07 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler soap_action_based_dispatcher within the phase Dispatch [Tue Nov 14 
11:24:07 2006] [debug]
..\..\modules\core\engine\soap_action_disp.c(108) Checking for operation using SOAPAction : 
[Tue Nov 14 11:24:07 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler soap_message_body_based_dispatcher within the phase Dispatch [Tue Nov 
14 11:24:07 2006] [debug]
..\..\modules\core\engine\soap_body_disp.c(198) Checking for operation
using SOAP message body's first child's local name : CreatePrimaryItem 
[Tue Nov 14 11:24:07 2006] [debug]
..\..\modules\core\engine\soap_body_disp.c(207) Operation found using
SOAP message body's first child's local name [Tue Nov 14 11:24:07 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase PostDispatch [Tue Nov 14 11:24:07 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler dispatch_post_conditions_evaluator within the phase PostDispatch [Tue 


Nov 14 11:24:07 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler context_handler within the phase PostDispatch [Tue Nov 14 11:24:07 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase PolicyDetermination [Tue Nov 14 11:24:07 2006] [error] ..\..\modules\core\receivers\raw_xml_in_out_msg_recv.c(114) Impl object for service 'ttwebservices' not set in message receiver. 0 :: 
No Error [Tue Nov 14 11:24:07 2006] [debug]
..\..\modules\core\engine\engine.c(445) Axis2 engine receive successful [Tue Nov 14 11:24:07 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase MessageOut [Tue 
Nov 14 11:24:07 2006] [info]  Request served successfully

Thanks,

-Dave.

-----Original Message-----
From: Dave Meier [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 14, 2006 7:35 AM
To: Apache AXIS C User List
Subject: RE: [Axis2] rampart problem using WS-SECURITY

Thanks for the quick fix - I'll go try it out right now.
I am using Visual Studio 2005 C# on the client side. We'll be supporting C#, Axis2 Java and Axis2C for our client side implementations. Other projects here already use Axis2 for Java. 

-Dave.

-----Original Message-----
From: Kaushalye Kapuruge [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 14, 2006 1:24 AM
To: Apache AXIS C User List
Subject: Re: [Axis2] rampart problem using WS-SECURITY

Kaushalye Kapuruge wrote:

Dave Meier wrote:
I have the rampart module hooked up and my password callback is called correctly. But after successful validation, my web service method does not get called. Instead I get back the following 
response:
<?xml version="1.0" encoding="UTF-8" ?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";> 
    <soapenv:Header />
    <soapenv:Body>
        <soapenv:Fault>
            <faultcode>soapenv:MustUnderstand</faultcode>
            <faultstring>Header not understood</faultstring>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>

This occurs after the userid and password have already been

validated.

Here are the log entries:

[Mon Nov 13 17:01:14 2006] [debug]
..\..\modules\core\transport\http\http_worker.c(204) Client HTTP version 
HTTP/1.1
[Mon Nov 13 17:01:14 2006] [debug]
..\..\axiom\src\soap\soap_builder.c(840) Identified soap version is
soap11
[Mon Nov 13 17:01:14 2006] [debug]
..\..\modules\core\engine\engine.c(762) Invoking phase TransportIn [Mon Nov 13 17:01:14 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase PreDispatch [Mon Nov 13 17:01:14 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler AddressingInHandler within the phase PreDispatch [Mon Nov 13 
17:01:14

2006] [info]  Starting addressing in handler .........
[Mon Nov 13 17:01:14 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler RampartInHandler within the phase PreDispatch [Mon Nov 13 17:01:14 2006] [info] [rampart][rampart_in_handler]Inflow 
Security found
[Mon Nov 13 17:01:14 2006] [info] [rampart][rampart_in_handler] Validating UsernameToken [Mon Nov 13 17:01:14 2006] [info] [rampart][rampart_in_handler] Validating UsernameToken SUCCESS [Mon
Nov 13 17:01:14 2006] [info] [rampart][rampart_in_handler] Validating Timestamp [Mon Nov 13 17:01:14 2006] [info] [rampart][rampart_in_handler] Validating Timestamp is SUCCESS [Mon Nov 13 17:01:14 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase Dispatch [Mon 
Nov 13 17:01:14 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler addressing_based_dispatcher within the phase Dispatch [Mon Nov 13 
17:01:14 2006] [debug]
..\..\modules\core\engine\addr_disp.c(99) Checking for service using 
WSA enpoint address :
http://localhost:8181/axis2/services/ttwebservices
[Mon Nov 13 17:01:14 2006] [debug]
..\..\modules\core\engine\addr_disp.c(129) Service found using WSA enpoint address [Mon Nov 13 17:01:14 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler request_uri_based_dispatcher within the phase Dispatch [Mon Nov 13 
17:01:14 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler soap_action_based_dispatcher within the phase Dispatch [Mon Nov 13 
17:01:14 2006] [debug]
..\..\modules\core\engine\soap_action_disp.c(106) Checking for operation using SOAPAction : [Mon Nov 13 17:01:14 2006] [debug] ..\..\modules\core\engine\phase.c(356) Invoke the handler soap_message_body_based_dispatcher within the phase Dispatch [Mon Nov 
13 17:01:14 2006] [debug]
..\..\modules\core\engine\soap_body_disp.c(196) Checking for operation using SOAP message body's first child's local name : 
CreatePrimaryItem [Mon Nov 13 17:01:14 2006] [debug]
..\..\modules\core\engine\soap_body_disp.c(205) Operation found using
SOAP message body's first child's local name [Mon Nov 13 17:01:14 2006] [debug] 
..\..\modules\core\engine\engine.c(762) Invoking phase PostDispatch



[Mon Nov 13 17:01:14 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler dispatch_post_conditions_evaluator within the phase PostDispatch [Mon 
Nov 13 17:01:14 2006] [debug]
..\..\modules\core\engine\phase.c(356) Invoke the handler context_handler within the phase PostDispatch [Mon Nov 13 17:01:14 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase PolicyDetermination [Mon Nov 13 17:01:14 2006] [debug] ..\..\modules\core\engine\engine.c(762) Invoking phase MessageOut [Mon Nov 13 17:01:14 2006] [info] Request served successfully
I did have mustUnderstand set in the request like this: "<wsse:Security soap:mustUnderstand="1"> 
Rampart_in_handler should set this relaying attribute to false after



processing. Thanks for pointing this out.
BTW, are you using a rampart in the client side as well? Or is it another implementation? :) 'Coz rampart doesn't set 
mustUnderstand=1.

How can I get around this?

Get the latest code from the svn.
Cheers,

Thanks,

-Dave.

*******************************************************************
*
*
* This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of 


the original message.


-------------------------------------------------------------------
-
- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



--------------------------------------------------------------------
- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to