HighTechTalks DotNet Forums  

wse (.net) client to wss4j web service allows all passwords, why?

Dotnet Framework (Webservices Enhancements) microsoft.public.dotnet.framework.webservices.enhancements





ntad
 

wse (.net) client to wss4j web service allows all passwords, why? - 02-13-2007, 03:27 PM






Hi,

I’m trying to do the simplest security implementation before trying anything
more complex. I have a web service written in java and I’m trying to
implement security with wss4j. I have a .NET client and I’m trying to use
WSE 3.0 to securely connect to my java web service. So I’m testing with a
hard-coded userid and password (for now), using Username tokens and sending
plain text (and not even over SSL). Testing with a java client, everything
works fine! Testing with the .NET client, wss4j accepts any password and any
userid (as long as my callback method does not throw an exception). (So I
added a “throw exception” if the userid was not found and that works to fail
the userid.) But I can’t really get wss4j to validate the password when the
request is coming from .net/wse. Any ideas? Code details below.

For wss4j, my server-config.wsdd file contains this: (NOTE: it throws an
exception without the Timestamp)

<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
  <parameter name="passwordCallbackClass" value="PWCallback"/>
  <parameter name="action" value="UsernameToken Timestamp"/>
  <!-- NOTE: add Timestamp to be compatible with WSE on the .net side -->
</handler>

My callback class is very basic:

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                if ("wss4j".equals(pc.getIdentifer())) {
                    // Known user: hand the stored password back to wss4j
                    pc.setPassword("security");
                } else {
                    // doing this actually shows up as "Callback supplied
                    // no password for: wss4j"
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Unrecognized Callback");
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
            }
        }
    }
}

In .NET, I’ve added the reference to Microsoft.Web.Services3 and went
through the WSE Settings 3.0 wizard: checked Enable this project for Web
Services Enhancements, checked Enable Policy and added the
usernameTokenSecurity policy, and left everything else as defaults. Thus, my
wse3policyCache.config looks like this:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
      type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
      Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
      type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
      Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="usernameTokenSecurity">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>

Then refreshing my Web Reference gives me the WSE version of my web service
proxy. And the calling code looks like this:

using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Username token carrying the password as plain text
UsernameToken token = new UsernameToken("wss4j", "security",
    PasswordOption.SendPlainText);
wsProxy = new myJavaWebServiceWse();
wsProxy.SetClientCredential(token);
wsProxy.SetPolicy("usernameTokenSecurity");
String strXML = wsProxy.getTest();

Again with the .net/wse client, wss4j seems to allow any password and an
extra “throw exception” is needed to truly validate the userid. This is not
the case with my java client; it works fine. And I have not been able to
google anything on this.

Thanks


Reply With Quote
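Added example, not code from the thread or from the wss4j project: a callback handler that checks the password itself when the token arrives as plain text. It assumes a WSS4J 1.5.x release in which a digest UsernameToken reaches the callback with usage USERNAME_TOKEN (WSS4J then compares digests), while a plaintext or untyped one, such as PasswordOption.SendPlainText produces, arrives with usage USERNAME_TOKEN_UNKNOWN and is rejected only if the handler throws. The names ValidatingPWCallback and lookupPassword are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ValidatingPWCallback implements CallbackHandler {

    // Constructed credential store for this example; the thread hard-codes the same pair.
    private static String lookupPassword(String user) {
        return "wss4j".equals(user) ? "security" : null;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // getIdentifer() is the method's spelling in WSS4J 1.5.x.
            String expected = lookupPassword(pc.getIdentifer());
            if (expected == null) {
                // Same message for unknown user and wrong password.
                throw new IOException("authentication failed");
            }
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // Digest token: return the stored password; WSS4J recomputes
                // the digest from nonce + created + password and compares.
                pc.setPassword(expected);
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Plaintext or untyped token: getPassword() holds what the
                // client sent, and this handler is the only place it is checked.
                String supplied = pc.getPassword();
                if (supplied == null || !MessageDigest.isEqual(
                        supplied.getBytes(StandardCharsets.UTF_8),
                        expected.getBytes(StandardCharsets.UTF_8))) {
                    throw new IOException("authentication failed");
                }
                break;
            default:
                throw new UnsupportedCallbackException(cb, "Unexpected usage");
            }
        }
    }
}
```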
  #2  
Claudio
 

RE: wse (.net) client to wss4j web service allows all passwords, why? - 01-03-2008, 06:08 AM







Have you tried the same using a .Net Service secured with WSE 3
and a java client referenced to axis (1.2, 1.3, 1.4)?
I have no problem using axiom but when I try the same with other axis releases I get the error:
"AxisFault
faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
faultSubcode:
faultString: Microsoft.Web.Services3.Security.SecurityFault: Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.
...
"
