
WSS in UltraESB

This is regarding WSSecurity.
Our target is to insert an encrypted UsernameToken into the request header and get it validated by the WSSecurityManagerBean.
After validation the token will be removed and the modified request string has to be forwarded to the service endpoint. This can be achieved using the
verifyUsernameTokenAuthentication(Message msg, boolean remove) method.
We do not want to encrypt the section.
Please let us know if this is recommended.

We are trying to run sample 204 but without any luck. We are getting a "Security validation failed" message only.
Referring to the following link: http://adroitlogic.org/samples-articl...
Please let us know if we need any configuration other than what is mentioned in the tutorial. We are using the default keystore only.
  • According to the WSS UsernameToken authentication profile, you can either send the password in clear text, or send the password digest. See http://www.oasis-open.org/committees/... for an example. Lines 274-286 show a clear text password, while 291-307 show the use of a digest password.

    If your client uses either of these, then the UltraESB supports these by default. You will need to tweak the client to the ESB to send a digested password, and you should refer to the appropriate documentation.

    If you encounter any error, please capture a TCPDump (using the SOA ToolBox or Wireshark etc) and attach

  • Asankha, thanks for your reply.
    I am trying to authenticate the following request XML, but am getting the following error:

    2011-03-08 15:45:55,275 [-] [primary-11] ERROR ProcessUTAuthenticatedMessage WS-Security failure - AuthenticationManager not defined
    org.adroitlogic.soapbox.SecurityFailureException: WS-Security failure - AuthenticationManager not defined
        at org.adroitlogic.soapbox.processor.ProcessUTAuthenticatedMessage.handleException(ProcessUTAuthenticatedMessage.java:204)
        at org.adroitlogic.soapbox.processor.ProcessUTAuthenticatedMessage.process(ProcessUTAuthenticatedMessage.java:93)
        at org.adroitlogic.soapbox.WSSecurityManager.verifyUsernameTokenAuthentication(WSSecurityManager.java:454)
        at echo_proxy_inSequence.execute(echo_proxy_inSequence.java from JavaSource:5)
    ....

    My WSSecurityManagerBean is configured as
    <bean id="wssecMgr" class="org.adroitlogic.soapbox.WSSecurityManager">
        <constructor-arg value="samples/conf/keys/ws-sec-keystore.jks"/>
        <constructor-arg value="password"/>
        <constructor-arg>
            <map>
                <entry key="alice" value="password"/>
                <entry key="bob" value="password"/>
            </map>
        </constructor-arg>
    </bean>

    Could you please provide any help on that.

    Request XML =========================
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envel..." xmlns:soap="http://soap.services.samples/">
        <Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/0..."
                           soapenv:mustUnderstand="1">
                <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/0..." wsu:Id="SecurityToken-6138db82-5a4c-4bf7-915f-af7a10d9ae96">
                    <wsse:Username>asankha</wsse:Username>
                    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/0...">
                        CBb7a2itQDgxVkqYnFtggUxtuqk=
                    </wsse:Password>
                    <wsse:Nonce>5ABcqPZWb6ImI2E6tob8MQ==</wsse:Nonce>
                    <wsu:Created>2010-06-08T07:26:50Z</wsu:Created>
                </wsse:UsernameToken>
            </wsse:Security>
        </Header>
        <soapenv:Body>
            <soap:getQuote>
                <request>
                    <symbol>ADRT</symbol>
                </request>
            </soap:getQuote>
        </soapenv:Body>
    </soapenv:Envelope>

  • When using UT authentication, we use the Spring security authentication to validate the username against the password. Spring security allows you to give hard coded usernames, passwords or get them from a database, LDAP or any other custom store.

    See sample #110 for an example of defining an authentication provider

    e.g.
    <s:authentication-provider>
    <!--<s:password-encoder hash="md5"/>
    <s:user-service>
    <s:user name="asankha" password="abac6d7582d9ab52c629f7490fd3eb2f" authorities="ROLE_ADMIN, ROLE_USER"/>
    </s:user-service>-->
    <s:user-service>
    <s:user name="asankha" password="adroitlogic" authorities="ROLE_USER, ROLE_MANAGER"/>
    </s:user-service>
    </s:authentication-provider>

    Note that this is different from the WSSecurity keystores etc. In the above example, we use a hard coded in-memory user credential store. A slight alternative is to store password digests instead. A more scalable way is to bind this against a DB or LDAP etc via Spring security. Note that you will need to define the "s:" namespace as in example #110

    PS: you can use http://www.htmlescape.net/htmlescape_... to escape HTML if you have XML in your questions, we have asked GetSatisfaction folks to fix this ..

  • Asankha,

    thanks for the reply. Going back to example 204... I am getting an exception

    org.adroitlogic.soapbox.SecurityFailureException: WS-Security failure - Message is not UT Authenticated.


    I am using the ws-secured-request.xml as suggested.

    I am also using the default keystore of UltraESB @ /samples/conf/keys/ws-sec-keystore.jks

    Do I need to follow any additional steps to authenticate the request?

    Here is the exception log

    org.adroitlogic.soapbox.SecurityFailureException: WS-Security failure - Message is not UT Authenticated
        at org.adroitlogic.soapbox.processor.ProcessUTAuthenticatedMessage.process(ProcessUTAuthenticatedMessage.java:90)
        at org.adroitlogic.soapbox.WSSecurityManager.verifyUsernameTokenAuthentication(WSSecurityManager.java:454)
        at echo_proxy_inSequence.execute(echo_proxy_inSequence.java from JavaSource:5)
        at org.adroitlogic.ultraesb.core.Sequence.execute(Sequence.java:229)
        at org.adroitlogic.ultraesb.core.ProxyService.processFlow(ProxyService.java:190)
        at org.adroitlogic.ultraesb.core.ProxyService.doRealWork(ProxyService.java:171)
        at org.adroitlogic.ultraesb.core.work.SimpleQueueWorkManager.doRealWork(SimpleQueueWorkManager.java:284)
        at org.adroitlogic.ultraesb.core.work.SimpleQueueWorkManager.access$000(SimpleQueueWorkManager.java:59)
        at org.adroitlogic.ultraesb.core.work.SimpleQueueWorkManager$1.run(SimpleQueueWorkManager.java:230)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)

    SecurityManagerConfiguration
    ...........
    <bean id="wssecMgr" class="org.adroitlogic.soapbox.WSSecurityManager">
        <constructor-arg value="samples/conf/keys/ws-sec-keystore.jks"/>
        <constructor-arg value="password"/>
        <constructor-arg>
            <map>
                <entry key="alice" value="password"/>
                <entry key="bob" value="password"/>
            </map>
        </constructor-arg>
    </bean>
    ..............

  • If you are trying out the example request "ws-secured-request.xml" - yes, it's not using any UsernameToken authentication - and hence the expected error. That sample message could only be used for the encryption/signature/timestamp samples.

    The sample message you attached earlier however contains a "wsse:UsernameToken" element. Can you try with a real request which is properly UT authenticated? You could also change the WSSecTest JUnit test file using WSS4J if you want to generate a sample. Alternatively, you can use another proxy service to make any incoming message have UT authentication (e.g. see "hello-proxy" in Sample 204).

  • We have been able to set up a service with rampart.
    The client is now sending encrypted password digest. The authentication is also working at the provider end.
    We want to transfer the authentication mechanism to mediator class.
    Could you please provide us with any help on that?

  • Your question is not clear to me. I think what you are looking for is a custom method to validate the password against the user name?

  • The request header contains the username, password digest, nonce and timestamp. What we are looking for is API support from UltraESB to validate the password. Otherwise, we may go for a custom validator method. Moreover, is there any additional configuration we need to do?

  • The current WSS UT authentication with clear text passwords requires Nonce and Created values to ensure adequate security. We have written the code so that it is possible to turn this off if required, but our public API does not expose this feature. We have filed an enhancement https://bitbucket.org/adroitlogic/ult... but we recommend using a Nonce and Created (to ensure that requests are fresh, and not replay attacks) and possibly Digest passwords if the request is not over SSL.

    asankha
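    As an added illustration (not UltraESB's or Adroit Logic's code), the following Python shows the digest check the thread keeps coming back to: per the WSS UsernameToken profile the client sends Base64(SHA-1(nonce + created + password)), and the validating side recomputes it from its own user store while rejecting stale Created values and reused nonces. The helper names (make_token, UsernameTokenValidator), the in-memory user store and the five-minute freshness window are assumptions of this example; the asankha/adroitlogic credentials are the ones from sample #110 above.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# WSS UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password)),
# with the nonce as its raw (Base64-decoded) bytes and Created as the UTF-8 xsd:dateTime string.
def password_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username, password, created=None):
    """Client side: the UsernameToken fields of a digest-authenticated request (constructed helper)."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}

class UsernameTokenValidator:
    """Mediator side: recomputes the digest from a user store and rejects stale or replayed tokens."""
    def __init__(self, users, max_age=timedelta(minutes=5), clock=None):
        self.users = users                 # {username: clear-text password}, like the Spring user-service
        self.max_age = max_age             # how old a Created timestamp may be (assumed window)
        self.seen_nonces = set()           # replay cache (in-memory here; would need expiry in production)
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def validate(self, token):
        """Returns (ok, reason); the reason strings are this example's own, not UltraESB messages."""
        password = self.users.get(token["Username"])
        if password is None:
            return False, "unknown user"
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        now = self.clock()
        if not (now - self.max_age <= created <= now + timedelta(minutes=1)):
            return False, "Created outside freshness window"
        if token["Nonce"] in self.seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "digest mismatch"
        self.seen_nonces.add(token["Nonce"])
        return True, "UT authenticated"
```

    Because the digest covers the nonce and Created, a captured token cannot be reused once the nonce has been seen or the timestamp has aged out, which is why the reply above recommends keeping both even when the password is sent as a digest.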

  • As per the private emails, and the call I am closing this thread as resolved