Alessio Soldano [http://community.jboss.org/people/asoldano] created the discussion

"Re: Where is jboss-ws-security_1_0.xsd"

To view the discussion, visit: http://community.jboss.org/message/639916#639916

--------------------------------------------------------------

Hi Steve,

> I have three basic test cases:
> 1) request has WS-Security header with a valid username/password
> 2) request has WS-Security header with an invalid username/password
> 3) request has no WS-Security header.
>
> I expect the following results in these cases:
> 1) request is processed, non-error response
> 2) request is disallowed ("Invalid User".)
> 3) request is disallowed ("This service requires <wsse:Security>, which is
> missing").
>
> However, the above test suite only passes with a file jboss-wsse-server.xml
> like that in the sample (note that I have commented out the schema stuff so
> it won't fail validation in Eclipse).
>
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <jboss-ws-security>
> > <!-- xmlns="http://www.jboss.com/ws-security/config"
> >      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >      xsi:schemaLocation="http://www.jboss.com/ws-security/config
> >      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
> >   <config>
> >     <requires>
> >       <username/>
> >     </requires>
> >   </config>
> >
> > </jboss-ws-security>
>
> With this config (as implied by your comment):
>
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <jboss-ws-security>
> > <!-- xmlns="http://www.jboss.com/ws-security/config"
> >      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >      xsi:schemaLocation="http://www.jboss.com/ws-security/config
> >      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
> >   <config>
> >     <!-- <requires> -->
> >     <!-- <username/> -->
> >     <!-- </requires> -->
> >   </config>
> > </jboss-ws-security>
>
> then the first two test cases pass but the third one does not, that is,
> requests without the WS-Security header are allowed. Thus it seems that the
> <username> element IS required on the server side to perform security checks
> correctly.

This is likely a consequence of the check that's in the WSSecurityDispatcher::decodeMessage() method on the existence of requirements in the current ws-security configuration. Can you try adding an empty <requires/> element to the server configuration? That should probably be a valid solution here.

This said, the problem here is not in being sure you get the message regarding no wsse setup in case 3 above, while instead being sure the invocation does not succeed due to missing authentication/authorization reasons. How is your endpoint? EJB3 or POJO? There are some additional authentication/authorization options (jaas integration) explained at
http://community.jboss.org/docs/DOC-13538
http://community.jboss.org/wiki/JBossWS-WS-SecurityOptions
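The behaviour discussed in this thread, as an added example that is not part of the original message and is not JBossWS code: a simplified Python model of a dispatcher that only insists on a `<wsse:Security>` header when the configuration contains a `<requires>` element, run against the three test cases. The `dispatch` logic, the user store, the sample requests and the assumption that an empty `<requires/>` counts as a requirement are all illustrative.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
USERS = {"kermit": "thefrog"}  # constructed credential store
MISSING = "This service requires <wsse:Security>, which is missing"

# Constructed configs mirroring the variants discussed in the thread.
WITH_USERNAME = ("<jboss-ws-security><config><requires><username/>"
                 "</requires></config></jboss-ws-security>")
NO_REQUIRES = "<jboss-ws-security><config/></jboss-ws-security>"
EMPTY_REQUIRES = ("<jboss-ws-security><config><requires/></config>"
                  "</jboss-ws-security>")

def envelope(user=None, password=None):
    """Build a constructed SOAP 1.1 request; add a UsernameToken if user is set."""
    header = ""
    if user is not None:
        header = (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
                  f"<wsse:Username>{user}</wsse:Username>"
                  f"<wsse:Password>{password}</wsse:Password>"
                  "</wsse:UsernameToken></wsse:Security>")
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>{header}'
            "</soap:Header><soap:Body><ping/></soap:Body></soap:Envelope>")

def dispatch(config_xml, request_xml):
    """Model (assumption): a missing header is rejected only if <requires> exists."""
    has_requires = ET.fromstring(config_xml).find("./config/requires") is not None
    sec = ET.fromstring(request_xml).find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        # Fail-open path: with no requirements configured, nothing is enforced.
        return MISSING if has_requires else "OK"
    user = sec.findtext(f".//{{{WSSE}}}Username")
    pw = sec.findtext(f".//{{{WSSE}}}Password") or ""
    if user not in USERS or not hmac.compare_digest(USERS[user], pw):
        return "Invalid User"
    return "OK"

def run_suite(config_xml):
    """Results for test cases 1-3: valid login, invalid login, no header."""
    requests = [envelope("kermit", "thefrog"), envelope("kermit", "wrong"), envelope()]
    return [dispatch(config_xml, r) for r in requests]

if __name__ == "__main__":
    for name in ("WITH_USERNAME", "NO_REQUIRES", "EMPTY_REQUIRES"):
        print(name, run_suite(globals()[name]))
```

In this model only the configuration without `<requires>` lets the header-less request through, which is why case 3 is the one worth keeping as a regression test whenever the server configuration changes.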
