getting a npe



farrellr
Sep 25th, 2006, 03:53 PM
I am having a problem getting an npe as referenced in another thread (which was getting really long). Having done some more research it looks like it happens in DefaulttimestampValidator.java, at line 41

Date expired = parseDate(utcRequest.getExpired());

while trying to verifyInboundMessage.


This happens when my security policy inbound is:


<xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Timestamp timeout="120"/>
<xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="true"/>
</xwss:SecurityConfiguration>


and outbound is


<xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Timestamp timeout="120"/>
<xwss:UsernameToken digestPassword="false" useNonce="true"/>
</xwss:SecurityConfiguration>


If I change useNonce to false, it works.

I can see in the console that the timestamp for nonce only has created, not expired



<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1159216970175594217203">
<wsse:Username>Bert</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">****</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">lNS7NMI3OJWQ8WtjNiB0AuFS</wsse:Nonce>
<wsu:Created>2006-09-25T20:42:50Z</wsu:Created>
</wsse:UsernameToken>


Any idea why?

Arjen Poutsma
Sep 26th, 2006, 02:52 AM
Looks like a bug I can solve. Can you file one in JIRA (http://opensource.atlassian.com/projects/spring/browse/SWS)?

farrellr
Sep 26th, 2006, 05:43 AM
I opened it in Jira
Thanks Arjen.

farrellr
Sep 28th, 2006, 10:02 AM
Hi Arjen,
Since the expired attribute for the token is optional, is there any chance you can do in a near term nightly build to not throw an exception if it is not there. I realize that there might be more to do (to put the expired information if it should be there) but it would help me make progress in testing security other than plain text and password, and seems like it should work that way anyway.
Thanks for your help.
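
A null-tolerant freshness check of the kind requested above, as an added example that is not part of the thread and is not the XWSS or Spring-WS code. The class and method names are hypothetical, and using the policy's timeout="120" as the fallback window when no expiry is present, along with a 60-second clock-skew allowance, is an assumption:

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical class for illustration; not the library's DefaultTimestampValidator.
public class LenientTimestampCheck {

    /** Parses a UTC xsd:dateTime such as "2006-09-25T20:42:50Z"; null or blank means the element was absent. */
    static Instant parseOrNull(String value) {
        return (value == null || value.trim().isEmpty()) ? null : Instant.parse(value.trim());
    }

    /**
     * Returns null when the token is acceptable, otherwise the reason for rejecting it.
     * created and expires are the raw element texts; expires may be null because it is optional.
     */
    static String validate(String created, String expires, Instant now, Duration timeout, Duration maxSkew) {
        Instant createdAt = parseOrNull(created);
        if (createdAt == null) {
            return "missing wsu:Created";              // a nonce without Created cannot be aged out
        }
        if (createdAt.isAfter(now.plus(maxSkew))) {
            return "wsu:Created is in the future";
        }
        Instant expiresAt = parseOrNull(expires);
        if (expiresAt != null && expiresAt.isBefore(createdAt)) {
            return "expiry precedes wsu:Created";
        }
        // Absent expiry: fall back to Created + timeout instead of dereferencing null.
        Instant deadline = (expiresAt != null) ? expiresAt : createdAt.plus(timeout);
        return now.isAfter(deadline) ? "token expired" : null;
    }

    public static void main(String[] args) {
        Duration timeout = Duration.ofSeconds(120);    // timeout="120" from the policy in the first post
        Duration skew = Duration.ofSeconds(60);        // assumed clock-skew allowance
        String created = "2006-09-25T20:42:50Z";       // wsu:Created from the dumped token
        Instant within = Instant.parse("2006-09-25T20:43:30Z");   // constructed receive times
        Instant late = Instant.parse("2006-09-25T20:50:00Z");
        System.out.println(validate(created, null, within, timeout, skew));
        System.out.println(validate(created, null, late, timeout, skew));
        System.out.println(validate(created, "2006-09-25T20:44:00Z", late, timeout, skew));
        System.out.println(validate(null, null, within, timeout, skew));
    }
}
```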

Arjen Poutsma
Sep 28th, 2006, 10:14 AM
Sure, can you add this request to the issue as a comment? I will look at it tomorrow/this weekend. (Private life? Who needs it ;) )

Arjen Poutsma
Oct 1st, 2006, 03:17 PM
The issue has been fixed.

farrellr
Oct 1st, 2006, 07:40 PM
Thanks Arjen - I appreciate it.
I'll grab the next nightly build.
... Rich

farrellr
Oct 2nd, 2006, 10:22 AM
Thanks again Arjen.
I've tested security with nonce, with and without digestPassword - and all seems good. I appreciate the quick turnaround.
... Rich