Hi Sergey,

As you had mentioned earlier, the namespace is
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

Please find the SOAP request message below.

Actually, my requirement is to obtain the username and password from the
SOAP header to perform container authentication and then associate the
Subject with the current thread of execution. Am I using the correct
approach or do I just need to write a SOAPHeaderInterceptor and get the
required headers?

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Header>
                <wsse:Security soap:mustUnderstand="1"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                        <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                wsu:Id="UsernameToken-1">
                                <wsse:Username>libuser</wsse:Username>
                                <wsse:Password
                                        Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">K8k05oxjNDqbmQZjg33bwa9/oX0=</wsse:Password>
                                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">L1Y86osooUEy96lwoEzpGQ==</wsse:Nonce>
                                <wsu:Created>2011-02-03T12:32:27.752Z</wsu:Created>
                        </wsse:UsernameToken>
                </wsse:Security>
        </soap:Header>
        <soap:Body>
                <ns2:doEcho xmlns:ns2="http://types.echo.wssecurity.learn/">
                        <arg0>
                                <echoString>Hello WS-Security</echoString>
                        </arg0>
                </ns2:doEcho>
        </soap:Body>
</soap:Envelope>

Thanks and regards,
Anand R
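
The request above carries a PasswordDigest, so the server never receives the clear-text password: to authenticate it, code has to recompute Base64(SHA-1(nonce + created + password)) from a stored secret and also reject stale or replayed tokens. The class below is an added example, not code from this thread or from CXF/WSS4J; it uses only the JDK, and the class name, user store, 5-minute window and sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: stand-alone PasswordDigest check, JDK only (no CXF/WSS4J calls).
public class UsernameTokenDigestCheck {
    static final Duration MAX_AGE = Duration.ofMinutes(5);    // assumed freshness window
    private final Map<String, String> passwords;              // hypothetical store of clear-text secrets
    private final Map<String, Instant> seen = new ConcurrentHashMap<>(); // nonce replay cache

    UsernameTokenDigestCheck(Map<String, String> passwords) { this.passwords = passwords; }

    // UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);                                    // raw nonce bytes, not the Base64 text
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    boolean verify(String user, String sent, String nonceB64, String created, Instant now) throws Exception {
        String stored = passwords.get(user);
        if (stored == null || sent == null || nonceB64 == null || created == null) return false;
        byte[] nonce; Instant ts;
        try { nonce = Base64.getDecoder().decode(nonceB64); ts = Instant.parse(created); }
        catch (RuntimeException e) { return false; }           // malformed nonce or timestamp
        if (Duration.between(ts, now).abs().compareTo(MAX_AGE) > 0) return false; // stale or future-dated
        byte[] want = digest(nonce, created, stored).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(want, sent.getBytes(StandardCharsets.US_ASCII))) return false;
        return seen.putIfAbsent(user + ":" + nonceB64, now) == null; // second use of a nonce is a replay
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the password behind the digest in the message is not known.
        UsernameTokenDigestCheck c = new UsernameTokenDigestCheck(Collections.singletonMap("libuser", "example-pw"));
        String created = "2011-02-03T12:32:27.752Z", nonceB64 = "Y29uc3RydWN0ZWQtbm9uY2U=";
        Instant now = Instant.parse("2011-02-03T12:33:00Z");
        String d = digest(Base64.getDecoder().decode(nonceB64), created, "example-pw");
        System.out.println("first use: " + c.verify("libuser", d, nonceB64, created, now));
        System.out.println("same token again: " + c.verify("libuser", d, nonceB64, created, now));
    }
}
```

Nonce entries older than MAX_AGE can be evicted from the cache, because the timestamp check already rejects tokens that old.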



From:   Sergey Beryozkin <[email protected]>
To:     [email protected]
Date:   03-02-11 05:13 PM
Subject:        Re: Problem with AbstractUsernameTokenInInterceptor



Hi

WSS4JInInterceptor is already registering a custom UT processor if the
"ws-security.ut.no-callbacks" is set to true.
So the hashed UTs should be supported with your configuration, without the
need to register a callback.
Can you do me a favor and check the actual WS-Security namespace that is
used to qualify the security header? You can add a CXF logging feature to
the list of jaxws:features.

thanks, Sergey

On Thu, Feb 3, 2011 at 11:33 AM, Anand R <[email protected]> wrote:

> Thanks Sergey. I will try the custom UsernameTokenProcessor.
> Thanks and regards,
> Anand R
>
>
>
> From:   Sergey Beryozkin <[email protected]>
> To:     [email protected]
> Date:   03-02-11 04:39 PM
> Subject:        Re: Problem with AbstractUsernameTokenInInterceptor
>
>
>
> Hi
>
> What WS-Security namespace is being used in the request?
> If the "ws-security.ut.no-callbacks" is set to true then the
> org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor should not be
> invoked because it does currently require a callback for hashed UTs. So if
> the property is set then the WSS4JInInterceptor registers a custom
> UsernameTokenProcessor for
>
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> and
> "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd".
>
> Thanks, Sergey
>
> On Thu, Feb 3, 2011 at 10:51 AM, Anand R <[email protected]> wrote:
>
> > Hi Sergey,
> >
> > Thanks for your response. I used to get the following exception when I did
> > not configure a callback handler. This exception does not come if the
> > password is plain text instead of a digest.
> >
> > org.apache.cxf.interceptor.Fault: General security error (WSSecurityEngine: No password callback supplied)
> >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processUsernameToken(UsernameTokenInterceptor.java:154)
> >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:114)
> >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:72)
> >        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> >        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> >        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
> >        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
> >        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
> >        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
> >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
> >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
> >        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
> >        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> >        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
> >        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> >        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> >        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> >        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> >        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:212)
> >        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> >        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
> >        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
> >        at java.lang.Thread.run(Thread.java:595)
> > Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No password callback supplied)
> >        at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:91)
> >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.getPrincipal(UsernameTokenInterceptor.java:167)
> >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processUsernameToken(UsernameTokenInterceptor.java:129)
> >        ... 24 more
> >
> >
> > Thanks and regards,
> > Anand R
> > System Architect
> > IBS Software Services Private Limited
> > 2nd Floor - Left Wing, IBS Towers, Technopark Campus, Trivandrum - 695581,
> > Kerala, India
> > Telephone - +91-471-6614291, Mobile - +91-9846324022
> > E-Mail - [email protected], www.ibsplc.com
> >
> >
> >
> >
> > From:   Sergey Beryozkin <[email protected]>
> > To:     [email protected]
> > Date:   03-02-11 04:08 PM
> > Subject:        Re: Problem with AbstractUsernameTokenInInterceptor
> >
> >
> >
> > Hi
> >
> > On Thu, Feb 3, 2011 at 6:37 AM, Anand R <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > My requirement is to perform a custom authentication on the username and
> > > password that I receive as part of the UsernameToken header in the
> > > incoming SOAP request. I discovered that cxf-2.3.2 provides an
> > > AbstractUsernameTokenInInterceptor to perform this. I extended this class
> > > and created my interceptor that overrides the createSubject method. When I
> > > configure my interceptor in my beans.xml as shown below, I am getting an
> > > exception.
> > >
> > > This exception comes up when I use a password digest. The plain text
> > > password works fine. Is there any problem in the way I have configured my
> > > interceptor?
> > >
> > >
> > > Entry in beans.xml
> > >
> > >        <jaxws:endpoint id="echo"
> > >                implementor="learn.wssecurity.echo.EchoServiceImpl"
> > >                wsdlLocation="wsdl/echo/EchoService.wsdl"
> > >                address="/EchoService">
> > >                <jaxws:inInterceptors>
> > >                        <bean class="learn.wssecurity.echo.WSSUsernameTokenInterceptor"/>
> > >                </jaxws:inInterceptors>
> > >                <jaxws:properties>
> > >                        <entry key="ws-security.callback-handler"
> > >                                value="learn.wssecurity.echo.ServerPasswordCallback" />
> > >                        <entry key="ws-security.ut.no-callbacks"
> > >                                value="true" />
> > >                </jaxws:properties>
> > >        </jaxws:endpoint>
> > >
> > >
> >
> > What is the purpose of registering ServerPasswordCallback? If you set a
> > "ws-security.ut.no-callbacks" property then you only need a callback if you
> > have an encrypted UT, so that the UT can be decrypted.
> > So this callback that you're registering may be interfering in the case when
> > you have a hashed UT token, can you remove it please and see what happens?
> >
> > Cheers, Sergey
> >
> >
> >
> >
> > >
> > > Exception
> > >
> > > java.lang.SecurityException: Security Token is not available on the current message
> > >        at org.apache.cxf.interceptor.security.AbstractSecurityContextInInterceptor.reportSecurityException(AbstractSecurityContextInInterceptor.java:88)
> > >        at org.apache.cxf.interceptor.security.AbstractSecurityContextInInterceptor.handleMessage(AbstractSecurityContextInInterceptor.java:47)
> > >        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> > >        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> > >        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
> > >        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
> > >        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
> > >        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
> > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
> > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
> > >        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
> > >        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> > >        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > >        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
> > >        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> > >        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> > >        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> > >        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> > >        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:212)
> > >        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> > >        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
> > >        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
> > >        at java.lang.Thread.run(Thread.java:595)
> > >
> > > Thanks and regards,
> > > Anand R
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > DISCLAIMER:
> > >
> > > "The information in this e-mail and any attachment is intended only for
> > > the person to whom it is addressed and may contain confidential and/or
> > > privileged material. If you have received this e-mail in error, kindly
> > > contact the sender and destroy all copies of the original communication.
> > > IBS makes no warranty, express or implied, nor guarantees the accuracy,
> > > adequacy or completeness of the information contained in this email or any
> > > attachment and is not liable for any errors, defects, omissions, viruses
> > > or for resultant loss or damage, if any, direct or indirect."