javaeetutorial / JAVAEETUTORIAL-24

Need simple username/token (password) Web Service Policy to authenticate a user against the JDBCRealm

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.7-5
    • Fix Version/s: None
    • Component/s: examples
    • Labels:
      None

      Description

      For Duke's Forest case study, how can we employ a simple username/token (password) Web Service Policy that will authenticate the user against the JDBCRealm that is being used for the web application? The JDBCRealm is already set up in the GlassFish server.

      GlassFish Configuration for Message Security:

      • Under Security -> Message Security -> SOAP
      • Select Default Provider "ServerProvider"
      • Default client Provider "ClientProvider"
      • Save.

      Server Code:
      Straightforward JAX-WS service. Nothing special at code level.

      Server Configuration:

      • Right-click on Web Service
      • Edit Web Service Attributes
      • Mark "Secure Web Service" checkbox and select "Username Authentication with Password Derived Key" as security mechanism (I've tried with a few other options too)
      • Ok/Apply actions and deploy the Web Service.
      • Use development defaults checked.

      Client Configuration:

      • Right-click on Web Service References
      • Edit Web Service Attributes
      • Mark "Use development defaults" checkbox

      Client code:
      ......

      Payment port = service.getPaymentPort();

      // password info
      ((BindingProvider) port).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "john@example.com");
      ((BindingProvider) port).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "1234");

      return port.processPayment(order);

      • Use development defaults checked.

      Exceptions thrown:

      WARNING: StandardWrapperValve[Faces Servlet]: PWC1406: Servlet.service() for servlet Faces Servlet threw exception
      javax.faces.el.EvaluationException: javax.xml.ws.WebServiceException: Cannot secure request for {com.forest.payment.services}PaymentPort
      at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:102)
      at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
      at javax.faces.component.UICommand.broadcast(UICommand.java:315)
      at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:794)
      at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1259)
      at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81)
      at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
      at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:409)
      at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1534)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
      at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
      at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:326)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:228)
      at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:822)
      at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:719)
      at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1013)
      at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
      at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
      at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
      at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
      at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
      at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
      at java.lang.Thread.run(Thread.java:722)
      Caused by: javax.xml.ws.WebServiceException: Cannot secure request for {com.forest.payment.services}PaymentPort
      at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:169)
      at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
      at com.sun.xml.ws.client.Stub.process(Stub.java:323)
      at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:113)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:144)
      at $Proxy383.processPayment(Unknown Source)
      at com.forest.handlers.PaymentHandler.processPayment(PaymentHandler.java:61)
      at com.forest.handlers.PaymentHandler.onNewOrder(PaymentHandler.java:39)
      at com.forest.handlers.org$jboss$weld$bean-web-ManagedBean-class_com$forest$handlers$PaymentHandler_$$WeldClientProxy.onNewOrder(org$jboss$weld$bean-web-ManagedBean-class_com$forest$handlers$PaymentHandler$$_WeldClientProxy.java)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:613)
      at org.jboss.weld.util.reflection.SecureReflections$13.work(SecureReflections.java:305)
      at org.jboss.weld.util.reflection.SecureReflectionAccess.run(SecureReflectionAccess.java:54)
      at org.jboss.weld.util.reflection.SecureReflectionAccess.runAsInvocation(SecureReflectionAccess.java:163)
      at org.jboss.weld.util.reflection.SecureReflections.invoke(SecureReflections.java:299)
      at org.jboss.weld.introspector.jlr.WeldMethodImpl.invokeOnInstance(WeldMethodImpl.java:188)
      at org.jboss.weld.introspector.ForwardingWeldMethod.invokeOnInstance(ForwardingWeldMethod.java:59)
      at org.jboss.weld.injection.MethodInjectionPoint.invokeOnInstanceWithSpecialValue(MethodInjectionPoint.java:198)
      at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:270)
      at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:253)
      at org.jboss.weld.event.ObserverMethodImpl.notify(ObserverMethodImpl.java:222)
      at org.jboss.weld.manager.BeanManagerImpl.notifyObservers(BeanManagerImpl.java:632)
      at org.jboss.weld.manager.BeanManagerImpl.fireEvent(BeanManagerImpl.java:625)
      at org.jboss.weld.event.EventImpl.fire(EventImpl.java:75)
      at com.forest.ejb.ShoppingCart.checkout(ShoppingCart.java:141)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:613)
      at com.sun.el.parser.AstValue.invoke(AstValue.java:234)
      at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:297)
      at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:43)
      at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:56)
      at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105)
      at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
      ... 33 more
      Caused by: com.sun.enterprise.security.jauth.AuthException: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: com.sun.org.apache.xml.internal.security.c14n.CanonicalizationException: Element ns2:processPayment has a relative namespace: ns2="com.forest.payment.services"
      at com.sun.xml.wss.provider.ClientSecurityAuthModule.secureRequest(ClientSecurityAuthModule.java:128)
      at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFClientAuthContext.secureRequest(GFServerConfigProvider.java:1261)
      at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:162)
      ... 75 more

        Activity

        William Markito added a comment -

        The solution was to create a simple JAX-WS service and block access using traditional Java security constraints in web.xml. On the client side, the username/password for authentication needed to be assigned to the BindingProvider.

        For example:

        1. Snippet from web.xml:
          ...
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Secure payment service</web-resource-name>
              <description/>
              <url-pattern>/*</url-pattern>
              <http-method>POST</http-method>
              <http-method>HEAD</http-method>
              <http-method>PUT</http-method>
              <http-method>OPTIONS</http-method>
              <http-method>TRACE</http-method>
              <http-method>DELETE</http-method>
              <!-- <http-method>GET</http-method> -->
            </web-resource-collection>
            <auth-constraint>
              <role-name>USERS</role-name>
            </auth-constraint>
          </security-constraint>
          <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>jdbcRealm</realm-name>
          </login-config>
          <security-role>
            <role-name>USERS</role-name>
          </security-role>
          ...
        2. Snippet for web service client:
          ...
          Payment port = service.getPaymentPort();

          ((BindingProvider) port).getRequestContext().put(
                  BindingProvider.USERNAME_PROPERTY, USER);
          ((BindingProvider) port).getRequestContext().put(
                  BindingProvider.PASSWORD_PROPERTY, TOKEN);
          return port.processPayment(order);
          ...
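
        Added example, not part of the comment above or of the tutorial's code: a tightened variant of the same web.xml constraint. It assumes a Servlet 3.0 or later container and that GET was left unprotected on purpose, as the commented-out line suggests. Two things change: the enumerated method list becomes an omission list, so methods that were never listed are covered too, and a transport guarantee is added because BASIC sends the username and password base64-encoded on every request.

```xml
<!-- Added example: hardened variant of the security-constraint shown above. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure payment service</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- An enumerated <http-method> list protects only the methods it names;
         any method left off the list is served without authentication.
         <http-method-omission> inverts that: every method except GET is
         constrained, including ones the original list did not name.
         Assumption: GET is meant to stay open. -->
    <http-method-omission>GET</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <role-name>USERS</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only base64-encoded, not encrypted,
         so the constrained requests must travel over TLS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jdbcRealm</realm-name>
</login-config>
<security-role>
  <role-name>USERS</role-name>
</security-role>
```

        With the CONFIDENTIAL guarantee in place, the client's endpoint address has to be the https URL of the service.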


          People

          • Assignee:
            William Markito
            Reporter:
            jendrock
          • Votes:
            0
            Watchers:
            0
