Re: WS-Security rampart problems

[Dmitry Sherman]

I did (I took sample03, as my base), and the class loads as the  
debugger steps into it.
Once it is in the 'handle' method, no steps inside are processed for  
some reason.
Any suggestions?

On Mar 24, 2007, at 5:10 AM, Ruchith Fernando wrote:

Hi Dmitry,

On 3/24/07, Dmitry Sherman <[EMAIL PROTECTED]> wrote:
Hi everyone, could anyone help me with the following:

1. Problem:
        Failing to do the WS-Security handshake on the client side  
(I think).
        The debugger steps into the callback strangely enough no  
code is
executed in it (?).
        If I follow it into some Axis2 source I can see the  
password set
correctly, but at the .invoke call AxisFault is returned (see below).
        No HTTP traffic is visible and the SOAPMonitor does not catch
anything going back and forth
        (if I make unsecured calls, or call other services  
SOAPMonitor shows
the messages; including faults).

Security processing fails at the client side because it cannot obtain
a password to add to the UsernameToken.
My guess is you probably might be loading a different
com.kryterion.poc.PWCBHandler class at the client side.



2. Environment:
        JDK 1.5.0_6 (OS X)
        Tomcat 5.5.23
        Eclipse 3.2.0
        Axis2 1.1.1 (rampart-1.1)
        Firefox 1.5 & Safari
        OS X (10.4.9)

3. Error Message:
        Mar 23, 2007 9:20:50 AM  
org.apache.axis2.deployment.DeploymentEngine
doDeploy
        INFO: Deploying module : rampart-1.1
        Mar 23, 2007 9:20:52 AM  
org.apache.axis2.deployment.DeploymentEngine
doDeploy
        INFO: Deploying module : rahas-1.1
        Mar 23, 2007 9:20:52 AM  
org.apache.axis2.deployment.DeploymentEngine
doDeploy
        INFO: Deploying module : soapmonitor-1.1.1
        Mar 23, 2007 9:20:52 AM  
org.apache.axis2.deployment.DeploymentEngine
doDeploy
        INFO: Deploying module : addressing-1.1.1
        org.apache.axis2.AxisFault: General security error
(WSSecurityEngine: Callback supplied no password for: arnhem)
                at  
org.apache.axis2.description.OutInAxisOperationClient.send
(OutInAxisOperation.java:271)
                at  
org.apache.axis2.description.OutInAxisOperationClient.execute
(OutInAxisOperation.java:202)
                at com.kryterion.poc..KServicesStub.putBinary 
(KServicesStub.java:364)
                at com.kryterion.poc..Client.main(Client.java:77)

4. Client code:
                ---- START ---
                        KServicesStub ks = new KServicesStub 
("http://localhost:8080/axis2/
services/KServices");

                        ServiceClient client = ks._getServiceClient 
();
                        Options options = client.getOptions();
                        options.setProperty 
(RampartMessageData.KEY_RAMPART_POLICY,
loadPolicy("policy.xml"));
                        client.setOptions(options);

                        client.engageModule(new QName("addressing"));
                        client.engageModule(new QName("rampart"));

                        ks._setServiceClient(client);

                        KServicesStub.PutBinary pb = new  
KServicesStub.PutBinary();

                        FileInputStream fi = new FileInputStream 
("1.jpg");
                        byte[] fia = new byte[fi.available()];
                        fi.read(fia);

                        String send = new String(Base64.encode(fia));

                        pb.setBinaryXML("<data><![CDATA[" + send +  
"]]></data>");
                        KServicesStub.PutBinaryResponse pbr =  
ks.putBinary(pb);
                ---- End ---

5. Client policy.xml:
        ---- START ----
        <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http:// 
docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
        <wsp:ExactlyOne>
          <wsp:All>
                <sp:TransportBinding xmlns:sp="http:// 
schemas.xmlsoap.org/ws/
2005/07/securitypolicy">
                  <wsp:Policy>
                        <sp:TransportToken>
                          <wsp:Policy>
                                <sp:HttpsToken  
RequireClientCertificate="false"/>
                          </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                          <wsp:Policy>
                                <sp:Basic256/>
                          </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                          <wsp:Policy>
                                <sp:Lax/>
                          </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                  </wsp:Policy>
                </sp:TransportBinding>
                <sp:SignedSupportingTokens xmlns:sp="http:// 
schemas.xmlsoap.org/ws/
2005/07/securitypolicy">
                        <wsp:Policy>
                                <sp:UsernameToken  
sp:IncludeToken="http://schemas.xmlsoap.org/ws/
2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                  </wsp:Policy>
                </sp:SignedSupportingTokens>

                <ramp:RampartConfig xmlns:ramp="http:// 
ws.apache.org/rampart/policy">
                        <ramp:user>arnhem</ramp:user>
                         
<ramp:passwordCallbackClass>com.kryterion.poc.PWCBHandler</
ramp:passwordCallbackClass>
                </ramp:RampartConfig>

          </wsp:All>
        </wsp:ExactlyOne>
        ---- END ----

6. Server service.xml:
        ---- START ----
        <?xml version="1.0" encoding="UTF-8"?>
        <service>

        <operation name="putBinary">
                <messageReceiver
class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
        </operation>

        <parameter
name="ServiceClass">com.kryterion.poc.login.KServices</parameter>

        <module ref="rampart" />
        <module ref="addressing" />

        <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http:// 
docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
                <wsp:ExactlyOne>
                  <wsp:All>
                        <sp:TransportBinding xmlns:sp="http:// 
schemas.xmlsoap.org/ws/
2005/07/securitypolicy">
                          <wsp:Policy>
                                <sp:TransportToken>
                                  <wsp:Policy>
                                        <sp:HttpsToken  
RequireClientCertificate="false"/>
                                  </wsp:Policy>
                                </sp:TransportToken>
                                <sp:AlgorithmSuite>
                                  <wsp:Policy>
                                        <sp:Basic256/>
                                  </wsp:Policy>
                                </sp:AlgorithmSuite>
                                <sp:Layout>
                                  <wsp:Policy>
                                        <sp:Lax/>
                                  </wsp:Policy>
                                </sp:Layout>
                                <sp:IncludeTimestamp/>
                          </wsp:Policy>
                        </sp:TransportBinding>
                        <sp:SignedSupportingTokens  
xmlns:sp="http://schemas.xmlsoap.org/ws/
2005/07/securitypolicy">
                                <wsp:Policy>
                                        <sp:UsernameToken  
sp:IncludeToken="http://schemas.xmlsoap.org/ws/
2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                          </wsp:Policy>
                        </sp:SignedSupportingTokens>

                        <ramp:RampartConfig xmlns:ramp="http:// 
ws.apache.org/rampart/policy">
                                 
<ramp:passwordCallbackClass>com.kryterion.poc.PWCBHandler</
ramp:passwordCallbackClass>
                        </ramp:RampartConfig>

                  </wsp:All>
                </wsp:ExactlyOne>
        </wsp:Policy>

        </service>
        ---- END ----

7. Callback code:
        ---- START ----
/*
  * Copyright 2004,2005 The Apache Software Foundation.
  */

package com.kryterion.poc;

import org.apache.ws.security.WSPasswordCallback;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import java.io.IOException;

public class PWCBHandler implements CallbackHandler {

     public void handle(Callback[] callbacks) throws IOException,
             UnsupportedCallbackException {

         for (int i = 0; i < callbacks.length; i++) {

             //When the server side need to authenticate the user
             WSPasswordCallback pwcb = (WSPasswordCallback) 
callbacks[i];
             if (pwcb.getUsage() ==
WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                 if(pwcb.getIdentifer().equals("arnhem") &&
pwcb.getPassword().equals("password")) {
                     return;
                 } else {
                     throw new UnsupportedCallbackException(callbacks
[i], "check failed");
                 }
             }

             //When the client requests for the password to be added
in to the
             //UT element
             pwcb.setPassword("password");
         }
     }

}
        ---- END ----

If anyone have a working sample code on how to do the UsernameToken &
Timestamp ws-security w/ Axis2, that would be SOOOOOOO appreciated!

Please see rampart-1.1/samples/policy/sample01 for a sample

Thanks,
Ruchith

--
www.ruchith.org
www.wso2.org