WSS in UltraESB

Question, updated 4 years ago
This is regarding WS-Security.
Our target is to insert an encrypted UsernameToken into the request header and get it validated by the WSSecurityManagerBean.
After validation the token will be removed and the modified request has to be forwarded to the service endpoint. This can be achieved using the verifyUsernameTokenAuthentication(Message msg, boolean remove) method.
We do not want to encrypt the section.
Please let us know if this is recommended.

We are trying to run sample 204 but without any luck. We are getting only a "Security validation failed" message.
Referring to the following link: http://adroitlogic.org/samples-articl...
Please let us know if we need any configuration other than that mentioned in the tutorial. We are using the default keystore only.
fromdebtoyou
Posted 4 years ago
Asankha Perera, Founder and CTO
According to the WSS UsernameToken authentication profile, you can either send the password in clear text, or send the password digest. See http://www.oasis-open.org/committees/... for an example. Lines 274-286 show a clear text password, while 291-307 show the use of a digest password.

If your client uses either of these, then the UltraESB supports them by default. You will need to tweak the client to the ESB to send a digested password, and you should refer to the appropriate documentation.

If you encounter any error, please capture a TCP dump (using the SOA ToolBox or Wireshark etc.) and attach it.
fromdebtoyou
Asankha, thanks for your reply.
I am trying to authenticate the following request XML, but I am getting the following error:

2011-03-08 15:45:55,275 [-] [primary-11] ERROR ProcessUTAuthenticatedMessage WS-Security failure - AuthenticationManager not defined
org.adroitlogic.soapbox.SecurityFailureException: WS-Security failure - AuthenticationManager not defined
at org.adroitlogic.soapbox.processor.ProcessUTAuthenticatedMessage.handleException(ProcessUTAuthenticatedMessage.java:204)
at org.adroitlogic.soapbox.processor.ProcessUTAuthenticatedMessage.process(ProcessUTAuthenticatedMessage.java:93)
at org.adroitlogic.soapbox.WSSecurityManager.verifyUsernameTokenAuthentication(WSSecurityManager.java:454)
at echo_proxy_inSequence.execute(echo_proxy_inSequence.java from JavaSource:5)

....

My WSSecurityManagerBean is configured as
<bean id="wssecMgr" class="org.adroitlogic.soapbox.WSSecurityManager">
  <constructor-arg value="samples/conf/keys/ws-sec-keystore.jks"/>
  <constructor-arg value="password"/>
  <constructor-arg>
    <map>
      <entry key="alice" value="password"/>
      <entry key="bob" value="password"/>
    </map>
  </constructor-arg>
</bean>

Could you please provide any help on that.

Request XML =========================
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envel..." xmlns:soap="http://soap.services.samples/">
  <Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/0..."
        soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/0..." wsu:Id="SecurityToken-6138db82-5a4c-4bf7-915f-af7a10d9ae96">
        <wsse:Username>asankha</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/0...">
          CBb7a2itQDgxVkqYnFtggUxtuqk=
        </wsse:Password>
        <wsse:Nonce>5ABcqPZWb6ImI2E6tob8MQ==</wsse:Nonce>
        <wsu:Created>2010-06-08T07:26:50Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </Header>
  <soapenv:Body>
    <soap:getQuote>
      <request>
        <symbol>ADRT</symbol>
      </request>
    </soap:getQuote>
  </soapenv:Body>
</soapenv:Envelope>
Asankha Perera, Founder and CTO
When using UT authentication, we use Spring Security authentication to validate the username against the password. Spring Security allows you to give hard-coded usernames and passwords, or get them from a database, LDAP or any other custom store.

See sample #110 for an example of defining an authentication provider

e.g.
<s:authentication-provider>
<!--<s:password-encoder hash="md5"/>
<s:user-service>
<s:user name="asankha" password="abac6d7582d9ab52c629f7490fd3eb2f" authorities="ROLE_ADMIN, ROLE_USER"/>
</s:user-service>-->
<s:user-service>
<s:user name="asankha" password="adroitlogic" authorities="ROLE_USER, ROLE_MANAGER"/>
</s:user-service>
</s:authentication-provider>

Note that this is different from the WS-Security keystores etc. In the above example, we use a hard-coded in-memory user credential store. A slight alternative is to store password digests instead. A more scalable way is to bind this against a DB or LDAP etc. via Spring Security. Note that you will need to define the "s:" namespace as in example #110.

PS: you can use http://www.htmlescape.net/htmlescape_... to escape HTML if you have XML in your questions, we have asked GetSatisfaction folks to fix this ..
fromdebtoyou
Asankha,

thanks for the reply. Going back to example 204... I am getting an exception

org.adroitlogic.soapbox.SecurityFailureException: WS-Security failure - Message is not UT Authenticated.

I am using the ws-secured-request.xml as suggested.

I am also using the default keystore of UltraESB @ /samples/conf/keys/ws-sec-keystore.jks

Do I need to follow any additional steps to authenticate the request?

Here is the exception log

org.adroitlogic.soapbox.SecurityFailureException: WS-Security failure - Message is not UT Authenticated
at org.adroitlogic.soapbox.processor.ProcessUTAuthenticatedMessage.process(ProcessUTAuthenticatedMessage.java:90)
at org.adroitlogic.soapbox.WSSecurityManager.verifyUsernameTokenAuthentication(WSSecurityManager.java:454)
at echo_proxy_inSequence.execute(echo_proxy_inSequence.java from JavaSource:5)
at org.adroitlogic.ultraesb.core.Sequence.execute(Sequence.java:229)
at org.adroitlogic.ultraesb.core.ProxyService.processFlow(ProxyService.java:190)
at org.adroitlogic.ultraesb.core.ProxyService.doRealWork(ProxyService.java:171)
at org.adroitlogic.ultraesb.core.work.SimpleQueueWorkManager.doRealWork(SimpleQueueWorkManager.java:284)
at org.adroitlogic.ultraesb.core.work.SimpleQueueWorkManager.access$000(SimpleQueueWorkManager.java:59)
at org.adroitlogic.ultraesb.core.work.SimpleQueueWorkManager$1.run(SimpleQueueWorkManager.java:230)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)



SecurityManagerConfiguration

...

<bean id="wssecMgr" class="org.adroitlogic.soapbox.WSSecurityManager">
  <constructor-arg value="samples/conf/keys/ws-sec-keystore.jks"/>
  <constructor-arg value="password"/>
  <constructor-arg>
    <map>
      <entry key="alice" value="password"/>
      <entry key="bob" value="password"/>
    </map>
  </constructor-arg>
</bean>

...
Asankha Perera, Founder and CTO
If you are trying out the example request "ws-secured-request.xml" - yes, it's not using any UsernameToken authentication - and hence the expected error. That sample message can only be used for the encryption/signature/timestamp samples.

The sample message you attached earlier, however, contains a "wsse:UsernameToken" element. Can you try with a real request which is properly UT authenticated? You could also change the WSSecTest JUnit test file using WSS4J if you want to generate a sample. Alternatively, you can use another proxy service to make any incoming message have UT authentication (e.g. see "hello-proxy" in Sample 204).
fromdebtoyou
We have been able to set up a service with rampart.
The client is now sending encrypted password digest. The authentication is also working at the provider end.
We want to transfer the authentication mechanism to mediator class.
Could you please provide us any help on that.
Asankha Perera, Founder and CTO
Your question is not clear to me. I think what you are looking for is a custom method to validate the password against the user name?
tirtha2u
Hi Asankha.
In continuation of Deb's query, I am briefing you on the scenario we are trying in our program.
We are sending a plain password in the header, which we want UltraESB to validate before forwarding the SOAP body to the backend unsecured web service. Attached is the complete SOAP request.
I want to know the configuration/steps that we need to perform in UltraESB to validate this username/password.

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelo...">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing...">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/0..." soapenv:mustUnderstand="true">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/0..." wsu:Id="UsernameToken-1">
        <wsse:Username>bob</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/0...
      </wsse:UsernameToken>
    </wsse:Security>
    <wsa:To>http://localhost:3333/service/SmileSe...</wsa:To>
    <wsa:MessageID>urn:uuid:248B8759FD0A4916FD1299758636008</wsa:MessageID>
    <wsa:Action>urn:laugh</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <ns1:laugh xmlns:ns1="http://tirtha.test.com">
      <ns1:name>JOHN</ns1:name>
    </ns1:laugh>
  </soapenv:Body>
</soapenv:Envelope>
fromdebtoyou
The request header contains the username, password digest, nonce and timestamp. What we are looking for is an API support from UltraESB to validate the password. Otherwise, we may go for a custom validator method. Moreover, is there any additional configuration we need to do.
Asankha Perera, Founder and CTO
The current WSS UT authentication with clear text passwords requires Nonce and Created values to ensure adequate security. We have written the code so that it is possible to turn this off if required, but our public API does not expose this feature. We have filed an enhancement https://bitbucket.org/adroitlogic/ult... but we recommend using a Nonce and Created (to ensure that requests are fresh, and not replay attacks) and possibly Digest passwords if the request is not over SSL.

asankha
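The two points made in this thread, the clear-text versus digest password forms of the UsernameToken profile (first reply) and the Nonce/Created freshness and replay checks (the reply just above), shown together as an added example. This is not UltraESB or WSS4J code: it computes the profile's PasswordDigest (Base64 of SHA-1 over the decoded nonce, the Created text and the password), then verifies a token against an assumed in-memory user store with an assumed five-minute clock window and a per-user nonce cache. The sample envelopes, the "asankha"/"adroitlogic" credential and the failure messages are constructed for the example; the nonce and Created values are taken from the token posted earlier in the thread.

```python
# Added example, not UltraESB code: WSS UsernameToken digest computation plus freshness and replay checks.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

class SecurityFailure(Exception):
    """Token rejected; the message texts are this example's own, not the ESB's."""

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile: PasswordDigest = Base64(SHA-1(decoded nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_envelope(user: str, password: str, nonce_b64: str, created: str, digest: bool = True) -> str:
    """Constructed SOAP 1.1 request carrying a UsernameToken in digest or clear-text form."""
    pw_type = PW_DIGEST if digest else PW_TEXT
    pw_value = password_digest(nonce_b64, created, password) if digest else escape(password)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP11}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="1">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{escape(user)}</wsse:Username>"
        f'<wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>'
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
        "<soapenv:Body><getQuote><symbol>ADRT</symbol></getQuote></soapenv:Body></soapenv:Envelope>"
    )

class UsernameTokenVerifier:
    """Checks a UsernameToken against an in-memory user store (assumed here, like the Spring sample)."""
    def __init__(self, users, max_skew=timedelta(minutes=5), clock=None):
        self.users = users                    # username -> clear-text password, needed to recompute the digest
        self.max_skew = max_skew              # accepted distance between Created and the server clock
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen = set()                     # (user, nonce) pairs accepted so far; expire them after max_skew in production

    def verify(self, envelope_xml: str) -> str:
        token = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            raise SecurityFailure("Message is not UT Authenticated")
        user = token.findtext(f"{{{WSSE}}}Username") or ""
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw_el is None or not nonce or not created:
            raise SecurityFailure("UsernameToken must carry Password, Nonce and Created")
        # Freshness: reject tokens whose Created is too far from the server clock, in either direction.
        created_at = datetime.fromisoformat(created.rstrip("Z")).replace(tzinfo=timezone.utc)
        if abs(self.clock() - created_at) > self.max_skew:
            raise SecurityFailure("UsernameToken Created is outside the accepted window")
        # Replay: a nonce already accepted for this user within the window must not be accepted again.
        if (user, nonce) in self.seen:
            raise SecurityFailure("UsernameToken nonce replayed")
        stored = self.users.get(user)
        pw_type = pw_el.get("Type", PW_TEXT)
        if pw_type == PW_DIGEST:
            expected = password_digest(nonce, created, stored or "")
        elif pw_type == PW_TEXT:
            expected = stored or ""
        else:
            raise SecurityFailure("unsupported Password Type")
        presented = (pw_el.text or "").strip()
        if stored is None or not hmac.compare_digest(expected.encode(), presented.encode()):
            raise SecurityFailure("Security validation failed")
        self.seen.add((user, nonce))
        return user

def _outcome(verifier, envelope):
    try:
        return verifier.verify(envelope)
    except SecurityFailure as exc:
        return str(exc)

def run_demo() -> dict:
    """Runs the verifier over constructed requests and returns each outcome by name."""
    created, nonce = "2010-06-08T07:26:50Z", "5ABcqPZWb6ImI2E6tob8MQ=="   # values from the token posted in the thread
    clock = lambda: datetime(2010, 6, 8, 7, 27, 0, tzinfo=timezone.utc)   # server clock 10 s after Created
    v = UsernameTokenVerifier({"asankha": "adroitlogic"}, clock=clock)    # constructed credential store
    nonce2 = "AAECAwQFBgcICQ=="
    good = build_envelope("asankha", "adroitlogic", nonce, created)
    return {
        "digest_ok": _outcome(v, good),
        "replay": _outcome(v, good),
        "bad_password": _outcome(v, build_envelope("asankha", "wrong", nonce2, created)),
        "stale": _outcome(v, build_envelope("asankha", "adroitlogic", nonce2, "2010-06-08T06:26:50Z")),
        "cleartext_ok": _outcome(v, build_envelope("asankha", "adroitlogic", nonce2, created, digest=False)),
        "no_token": _outcome(v, f'<soapenv:Envelope xmlns:soapenv="{SOAP11}"><soapenv:Body/></soapenv:Envelope>'),
    }
```

Two design points worth noting. The digest form only protects the password on the wire; the server still needs the clear-text password (or an equivalent secret) to recompute the digest, which is why a digest-in-the-token scheme does not combine with a store of hashed passwords. And the clear-text form is accepted here only with Nonce and Created present, matching the behaviour described in the reply above, so a token captured from an unencrypted connection cannot simply be resent once the window closes or the nonce has been seen.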
Asankha Perera, Founder and CTO
As per the private emails and the call, I am closing this thread as resolved.