payload mapping and token security?

**farrellr** · Sep 19th, 2006, 01:14 PM

Here's perhaps a silly question.

I have a webservice that was based on the PayloadRootQNameEndpointMapping. It worked.

I then wanted to add a requirement for a security token to it, so I added all the config stuff.

Doing so seems to work because I can see this logged:

2006-09-19 14:08:03,169 WARN [org.springframework.ws.soap.security.xwss.XwsSecur ityInterceptor] - Could not validate request: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]: No Security Header found; nested exception is ...

when I call the web service from web service explorer (no security token)

but then when I call it from a .net client I have that adds the security token, it validates against the security information:

2006-09-19 14:08:03,185 DEBUG [org.springframework.ws.soap.SoapMessageDispatcher] - MessageDispatcher with name 'messageDispatcher' sends response [org.springframework.ws.soap.saaj.SaajSoapMessage@1 080876]
2006-09-19 14:08:29,336 DEBUG [org.springframework.ws.soap.SoapMessageDispatcher] - MessageDispatcher with name 'messageDispatcher' received request [org.springframework.ws.soap.saaj.SaajSoapMessage@1 762fc7]
2006-09-19 14:08:29,367 DEBUG [org.springframework.ws.endpoint.mapping.PayloadRoo tQNameEndpointMapping] - Looking up endpoint for [{http://www.w3.org/2001/04/xmlenc#}EncryptedData]

Is it not possible to use a payload mapping with a security token?

**Arjen Poutsma** · Sep 21st, 2006, 03:36 AM

Originally Posted by farrellr

Is it not possible to use a payload mapping with a security token?

No, you cannot use the payload mapping with a encrypted message. This is basically due to the fact that interception is done after the mapping. So, when the mapping occurs, the payload is still encrypted. This means the encrypted qname of the payload does not map to any values defined in your configuration.

Instead, you can use the SOAP Action mapping.

**farrellr** · Sep 21st, 2006, 09:04 AM

That makes sense - I had already switched to soap action but it's good to know for sure.
Thanks.

**farrellr** · Sep 21st, 2006, 03:03 PM

I have an issue I don't understand trying to use security with SoapActionEndpointMapping. My endpoint works without security.
When I add SimplePasswordValidationCallbackHandler it seems to prohibit the endpoint if I don't call it with the correct username and password. When I do call it with the correct username and password however, I get
... Could not validate request: java.lang.NullPointerException;
...

my endpoint works and returns the result when my bean looks like this (security commented out):

Code:

  <bean id="secureMapping" class="org.springframework.ws.soap.endpoint.mapping.SoapActionEndpointMapping">
   	<property name="mappings">
   	<props>
 	<prop key="http://www.uptodate.com/topicRetrieve">
		topicRetrieveEndpoint
	</prop>
	</props>
   	</property>
 <!--  	<property name="interceptors">
   	<list>
   	<bean class="org.springframework.ws.soap.endpoint.interceptor.SoapEnvelopeLoggingInterceptor"/>
   	<ref local="wsSecurityInterceptor"/>
   	</list>
   	</property>
   		-->
   	</bean>

However when I uncomment the interceptors property info my logging works, and it seems the security interceptor kicks in.

That bean looks like this:

Code:

   <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="classpath:securityPolicy.xml"/>
        <property name="secureResponse" value="false" />
        <property name="callbackHandlers">
        <list>
            <ref bean="passwordValidationHandler" />
        </list>
        </property>
    </bean>

with the passwordValidationHandler (for simple testing) defined as

Code:

		
	<bean id="passwordValidationHandler" 
    	class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">
    	<property name="users">
        <props>
            <prop key="Bert">Ernie</prop>
        </props>
    	</property>
	</bean>

If I call my web service with the username Bert and an incorrect password, I get
"SEVERE: WSS1408: UsernameToken Authentication Failed"
which seems correct.
If I then change my username and password to be correct, I get the following error:

...<SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring xml:lang="en">java.lang.NullPointerException; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

Can anyone help me understand what I should look at to fix this?
Thanks ... Rich

**Arjen Poutsma** · Sep 22nd, 2006, 05:44 AM

Can you look in your log and post the complete stack trace (if any)?

**farrellr** · Sep 22nd, 2006, 12:14 PM

attched is the log.
When I'm using the validatingInterceptor I can set validateRequest to false.
It looks like when I use wsSecurityInterceptor it tries to validate always (I'm not sure against what).

The second attachment here (more) is the output from a java client trying to call this web service as well (client based on frequent flyer client modified).

Thread: payload mapping and token security?

Thread Tools

Display

Hybrid View

payload mapping and token security?

Thanks Arjen

still can't get security working correctly...

mylog

Posting Permissions