slash in username

[res1st]

Hi,

i added a domain information to the username.
Before, the username contained only the name "Robert", but it contains also the domain "LOCAL\Robert".

The XwsSecurityInterceptor is configured with a usernametoken policy and is called fine for every request.

Code:

3379204 [http-8080-Processor24] INFO  security.JdbcAuthenticationProvider  - User 'LOCAL\Robert Glaser' successfully authenticated.
3379204 [http-8080-Processor24] DEBUG support.XmlWebApplicationContext  - Publishing event in context [Root WebApplicationContext]: org.acegisecurity.event.authentication.AuthenticationSuccessEvent[source=org.acegisecurity.providers.UsernamePasswordAuthenticationToken@e4ad2669: Username: EIMUser 'LOCAL\Robert Glaser' GGUID: F2F1FFD819E04F1B932F9C5328F4575C; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER]
3379204 [http-8080-Processor24] WARN  authentication.LoggerListener  - Authentication event AuthenticationSuccessEvent: LOCAL\Robert Glaser; details: null
3379204 [http-8080-Processor24] DEBUG security.EIMPasswordValidationCallbackHandler  - Authentication success: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@e4ad2669: Username: EIMUser 'LOCAL\Robert Glaser' GGUID: F2F1FFD819E04F1B932F9C5328F4575C; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER
3387705 [http-8080-Processor24] WARN  xwss.XwsSecurityInterceptor  - Could not validate request: java.lang.IllegalArgumentException: improperly specified input name: CN=LOCAL\Robert Glaser; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.IllegalArgumentException: improperly specified input name: CN=LOCAL\Robert Glaser

You can see, my authenticaton privider does an successful authentication, but after that the XwsSecurityInterceptor fails.
It fails at this line

Code:

SOAPMessage result = processor.verifyInboundMessage(context);

Any idea how i can avoid the XWSSecurityException execption?

Cheers,

Ingo

[Arjen Poutsma]

I have no idea, but perhaps you can ask on the XWSS forum/mailing list? It seems like an internal exception in XWSS.

[res1st]

I used my debugger and got this info (for "LOCAL\Robert" as username):

com.sun.xml.wss.XWSSecurityException:
java.lang.IllegalArgumentException: improperly specified input name: CN=LOCAL\Robert Glaser
java.io.IOException: Invalid escaped character in AVA: 'R'

I also posted it to the XWSS mailing list, i'm waiting for an answer.

Ingo

[Arjen Poutsma]

Ah, in that case you might want to esape the back slash, i.e. make sure that it becomes LOCAL\\Robert

[res1st]

I don't know, i think it's not that easy.
My authentication works fine and seperates domain and name.

I don't know what they are doing at

Code:

 XWSSProcessor2_0Impl.verifyInboundMessage(ProcessingContext) line:117   
    XwsSecurityInterceptor.validateMessage(SoapMessage) line:153

but as someone of the mailing list said:
It's the same as:

Code:

String x500Name = "CN=" + "LOCAL\\Robert";
Principal principal = new X500Principal(x500Name);

I don't know that i suggest as solution?
Please fix XWSS3 so that it'll acceppt backslashes in usernames?
Please fix X500Principal?
Should i switch to another char to seperate domain and name(i.e."LOCAL|Robert")?

What do you think, Arjen?

Ingo

[Arjen Poutsma]

Yeah, it's really easy to reproduce with the sample program that you gave. That tells me that having a CN of "LOCAL\Robert" is probably not the way to go. And that's about as far as my knowledge goes, I'm afraid

Perhaps somebody in the Acegi forum can help you? Though the problem is not related to Acegi, it is security related...

[res1st]

Thank you Arjen.

I think the value of a username token shouldn't be restricted to some chars - the backslash or # should also be possible.

I'll discuss this with the XWSS guys. If i know more, i'll post it here.

Cheers,

Ingo