RE: wse (.net) client to wss4j web service allows all passwords, why?




Hi,

I'm trying to do the simplest security implementation before trying anything
more complex. I have a web service written in java and I'm trying to
implement security with wss4j. I have a .NET client and I'm trying to use
WSE 3.0 to securely connect to my java web service. So I'm testing with a
hard-coded userid and password (for now), using Username tokens and sending
plain text (and not even over SSL). Testing with a java client, everything
works fine! Testing with the .NET client, wss4j accepts any password and any
userid (as long as my callback method does not throw an exception). (So I
added a "throw exception" if the userid was not found and that works to fail
the userid.) But I can't really get wss4j to validate the password when the
request is coming from .net/wse. Any ideas? Code details below.

For wss4j, my server-config.wsdd file contains this: (NOTE: it throws an
exception without the Timestamp)

<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
  <parameter name="passwordCallbackClass" value="PWCallback"/>
  <parameter name="action" value="UsernameToken Timestamp"/>
  <!-- NOTE: add Timestamp to be compatible with WSE on the .net side -->
</handler>

My callback class is very basic:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                // getIdentifer() (sic) is the WSS4J 1.x accessor for the user name
                if ("wss4j".equals(pc.getIdentifer())) {
                    // Hands the expected password back to WSS4J. The password the
                    // client actually sent (pc.getPassword()) is never compared here.
                    pc.setPassword("security");
                } else {
                    // doing this actually shows up as "Callback supplied
                    // no password for: wss4j"
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Unrecognized Callback");
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
            }
        }
    }
}

In .NET, I've added the reference to Microsoft.Web.Services3 and went
through the WSE Settings 3.0 wizard: checked Enable this project for Web
Services Enhancements, checked Enable Policy and added the
usernameTokenSecurity policy, and left everything else as defaults. Thus, my
wse3policyCache.config looks like this:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
      type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
      Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364" />
    <extension name="requireActionHeader"
      type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
      Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364" />
  </extensions>
  <policy name="usernameTokenSecurity">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>

Then refreshing my Web Reference gives me the WSE version of my web service
proxy. And the calling code looks like this:

using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

UsernameToken token = new UsernameToken("wss4j", "security",
                                        PasswordOption.SendPlainText);
wsProxy = new myJavaWebServiceWse();
wsProxy.SetClientCredential(token);
wsProxy.SetPolicy("usernameTokenSecurity");
String strXML = wsProxy.getTest();

Again with the .net/wse client, wss4j seems to allow any password and an
extra "throw exception" is needed to truly validate the userid. This is not
the case with my java client; it works fine. And I have not been able to
google anything on this.

Thanks

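The behaviour described in the post follows from how WSS4J 1.x (the org.apache.ws.security API behind WSDoAllReceiver) drives the password callback, which depends on the password type in the token. For a digested password, which is what a WSS4J client sends unless its passwordType is changed, the processor calls the callback with usage USERNAME_TOKEN, takes the password the callback sets, recomputes the digest and compares it itself. For a plain-text password, which is what PasswordOption.SendPlainText produces on the WSE side, it calls the callback with usage USERNAME_TOKEN_UNKNOWN, puts the received password into the callback and performs no comparison of its own: the callback has to check the value and throw if it does not match. A callback that only ever calls setPassword() therefore authenticates every plain-text token whose user name it knows, while the digest path still fails on a wrong password, which is consistent with the Java client working and the WSE client not. The class below is an added example, not code from the original post; the class name and the in-memory credential map are constructed for the example, and the usage constants and the getIdentifer() spelling are those of the WSS4J 1.x WSPasswordCallback (check the WSPasswordCallback in your build if it differs).

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for WSS4J 1.x that handles both ways a UsernameToken is
 * presented to it:
 *
 *  - USERNAME_TOKEN: the token carried a digest. WSS4J wants the stored
 *    password and does the digest comparison itself.
 *  - USERNAME_TOKEN_UNKNOWN: the token carried plain text (or no password
 *    type). WSS4J passes the RECEIVED password in pc.getPassword() and does
 *    not compare anything; this method must verify it and throw on mismatch.
 */
public class VerifyingPWCallback implements CallbackHandler {

    // Constructed sample credential store for the example; a real deployment
    // would look the user up in a directory or database.
    private static final Map USERS = new HashMap();
    static {
        USERS.put("wss4j", "security");
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String user = pc.getIdentifer();            // WSS4J 1.x spelling
            String stored = (String) USERS.get(user);

            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // Digest path: return the stored password, WSS4J compares.
                if (stored == null) {
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Unknown user: " + user);
                }
                pc.setPassword(stored);
                break;

            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Plain-text path: pc.getPassword() is what the client sent.
                // Nobody else checks it, so reject here on any mismatch.
                if (stored == null
                        || !constantTimeEquals(stored, pc.getPassword())) {
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Authentication failed for: " + user);
                }
                break;

            default:
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unsupported callback usage: " + pc.getUsage());
            }
        }
    }

    /** Compares without short-circuiting on the first differing character. */
    static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null
                || expected.length() != supplied.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length(); i++) {
            diff |= expected.charAt(i) ^ supplied.charAt(i);
        }
        return diff == 0;
    }
}
```

To use it, point passwordCallbackClass in server-config.wsdd at this class instead of PWCallback. Two practical checks: log pc.getUsage() once to confirm which path your WSS4J build takes for the WSE request, and remember that switching the WSE client to PasswordOption.SendHashed moves it onto the digest path, where WSS4J compares by itself. Either way, a plain-text UsernameToken on a non-SSL connection hands the password to anyone on the network path, so the plain-text path should only ever be accepted over TLS.
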
Have you tried the same using a .Net Service secured with WSE 3
and a java client referenced to axis (1.2, 1.3, 1.4)?
I have no problem using axiom but when I try the same with other axis releases I get the error:
"AxisFault
faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
faultSubcode:
faultString: Microsoft.Web.Services3.Security.SecurityFault: Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.
...
"

BizTalk Utilities - Frustration free BizTalk Adapters
http://www.topxml.com/biztalkutilities
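
The fault quoted in the reply is WSE's requireActionHeader assertion (the same one the wse3policyCache.config earlier in the thread enables) rejecting a request that carries no WS-Addressing Action header; plain Axis 1.x without the separate Addressing module does not add one. The following is an added example of attaching that header from an Axis 1.x client stub, not code from either poster. The namespace is the one in the fault text; the generated locator and port class names and the action URI are assumptions (the action normally matches the operation's SOAPAction in the .NET service's WSDL).

```java
import org.apache.axis.client.Stub;
import org.apache.axis.message.SOAPHeaderElement;

/**
 * Adds the <wsa:Action> header that WSE 3.0's requireActionHeader assertion
 * demands, from an Axis 1.x generated stub. The generated classes used in
 * main() are hypothetical names for the .NET service's WSDL2Java output.
 */
public class WsaActionClient {

    // Namespace taken from the WSE fault message in the reply above
    static final String WSA_NS =
            "http://schemas.xmlsoap.org/ws/2004/08/addressing";

    /** Builds <wsa:Action>action</wsa:Action> addressed to the ultimate recipient. */
    static SOAPHeaderElement buildActionHeader(String action) {
        SOAPHeaderElement hdr = new SOAPHeaderElement(WSA_NS, "Action", action);
        // Axis 1.x otherwise serialises an actor attribute on the header; WSE
        // only looks for the Action header targeted at the ultimate recipient,
        // so make sure no actor is written.
        hdr.setActor(null);
        return hdr;
    }

    /** Every Axis 1.x generated port extends Stub, so the header can be set generically. */
    static void attachAction(Object port, String action) {
        if (!(port instanceof Stub)) {
            throw new IllegalArgumentException(
                    "not an Axis 1.x stub: " + port.getClass().getName());
        }
        ((Stub) port).setHeader(buildActionHeader(action));
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical WSDL2Java output for the .NET service (assumed names)
        MyDotNetServiceLocator locator = new MyDotNetServiceLocator();
        MyDotNetServiceSoap port = locator.getMyDotNetServiceSoap();

        // Assumed action URI: use the operation's SOAPAction from the WSDL
        attachAction(port, "http://tempuri.org/getTest");

        System.out.println(port.getTest());
    }
}
```

Satisfying requireActionHeader only removes the fault quoted above; the usernameOverTransportSecurity assertion in the same policy still expects a UsernameToken in the request, which the Axis client has to supply separately (for example with WSS4J's WSDoAllSender on the client side).
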