Steve Cohen [http://community.jboss.org/people/stevecoh4] created the discussion

"Re: Where is jboss-ws-security_1_0.xsd"

To view the discussion, visit: http://community.jboss.org/message/639902#639902

--------------------------------------------------------------
Thanks for acknowledging the problems I found, Alessio.  However, my tests 
reveal that this is not completely correct:

> * the actual issue in your configuration for setting up jbossws-native 
> ws-security w/ username token auth is in the fact the jboss-wsse-server.xml 
> descriptor above should not have the <username/> element at all. That element 
> is a client side configuration element for adding the username token header 
> into the message, which is something the client does. The server will 
> automatically check for existence of that header and try performing 
> authentication. This is the reason why there's no "username" element in the 
> "requiresType" in the schema, which is correct.

I have three basic test cases:
1) request has WS-Security header with a valid username/password
2) request has WS-Security header with an invalid username/password
3) request has no WS-Security header.

I expect the following results in these cases:
1) request is processed, non-error response
2) request is disallowed ("Invalid User".)
3) request is disallowed ("This service requires <wsse:Security>, which is 
missing").

However, the above test suite only passes with a file jboss-wsse-server.xml 
like that in the sample (note that I have commented out the schema stuff so it 
won't fail validation in Eclipse).

> <?xml version="1.0" encoding="UTF-8"?>
> 
> <jboss-ws-security> 
> <!--  xmlns="http://www.jboss.com/ws-security/config"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://www.jboss.com/ws-security/config
>   http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
> <config> 
> <requires>
>       <username/>
> </requires>
> </config>
> 
> </jboss-ws-security>

With this config (as implied by your comment):

> <?xml version="1.0" encoding="UTF-8"?>
> 
> <jboss-ws-security> 
> <!--  xmlns="http://www.jboss.com/ws-security/config"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://www.jboss.com/ws-security/config
>   http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
> <config> 
> <!-- <requires> -->
> <!--       <username/> -->
> <!-- </requires> -->
> </config>
> </jboss-ws-security>

then the first two test cases pass but the third one does not, that is, 
requests without the WS-Security header are allowed.  Thus it seems that the 
<username> element IS required on the server side to perform security checks 
correctly.
--------------------------------------------------------------
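
The three test cases above as a small regression matrix, added here as an example and not part of the original post or of JBossWS. The stand-in endpoints, the `kermit` credentials and all function names are constructed for illustration; the endpoints model only the two behaviours the post reports.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
USERS = {"kermit": "thefrog"}  # constructed credentials for the stand-in endpoints

def build_envelope(username=None, password=None):
    """SOAP 1.1 request; adds a wsse:Security UsernameToken only if username is given."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    if username is not None:
        security = ET.SubElement(header, f"{{{WSSE}}}Security")
        token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
        ET.SubElement(token, f"{{{WSSE}}}Username").text = username
        ET.SubElement(token, f"{{{WSSE}}}Password").text = password
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env)

def make_endpoint(requires_username):
    """Stand-in for the service (assumption): models only the reported behaviour."""
    def handle(raw):
        token = ET.fromstring(raw).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            # No header: rejected only when the descriptor requires the token.
            return "rejected" if requires_username else "accepted"
        user = token.findtext(f"{{{WSSE}}}Username")
        pw = token.findtext(f"{{{WSSE}}}Password")
        ok = user in USERS and USERS[user] == pw
        return "accepted" if ok else "rejected"
    return handle

CASES = [  # (name, username, password, expected outcome)
    ("valid credentials", "kermit", "thefrog", "accepted"),
    ("invalid credentials", "kermit", "wrong", "rejected"),
    ("no WS-Security header", None, None, "rejected"),
]

def run_matrix(send):
    """Return the names of the cases whose outcome differs from the expectation."""
    return [name for name, user, pw, expected in CASES
            if send(build_envelope(user, pw)) != expected]

if __name__ == "__main__":
    for label, flag in (("with <requires><username/>", True),
                        ("without <requires>", False)):
        print(label, "->", run_matrix(make_endpoint(flag)) or "all cases pass")
```

To run the matrix against a deployed service, pass `run_matrix` a function that POSTs the envelope to the endpoint and maps a SOAP fault to `"rejected"`.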