7 Replies Latest reply on Jan 8, 2013 3:01 PM by 870199

    problems with JAX-WS when using security (e.g. username token profile)

      I am deploying a web service on weblogic 11g (10.3.1) with this policy:
      @Policy(uri = "policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",attachToWsdl=true)

      I have another web application as a client, which uses a JAX-WS SOAP handler to communicate with the web service,
      and everything works fine when my client is deployed on tomcat 6 (JRE 6) (authentication goes through)

      The handleMessage() method of my handler is posted here :

           public boolean handleMessage(SOAPMessageContext context) {
                m_logger.debug("UserNameTokenHandler handleMessage() called");
                Boolean outboundProperty = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
                SOAPMessage message = context.getMessage();
                if (outboundProperty.booleanValue()) {
                     m_logger.debug("\n (client protocol handler) Outbound message:");
                     try {
                          SOAPEnvelope envelope = context.getMessage().getSOAPPart().getEnvelope();
                          SOAPHeader header = envelope.getHeader();
                          if (header == null) {
                               header = envelope.addHeader();
                          }
                          // Build wsse:Security/wsse:UsernameToken with Username and Password children
                          SOAPElement security = header.addChildElement("Security", "wsse", WSSE_NAMESPACE);
                          SOAPElement usernameToken = security.addChildElement("UsernameToken", "wsse");
                          usernameToken.addAttribute(new QName("xmlns:wsu"), WSU_NAMESPACE);
                          SOAPElement username = usernameToken.addChildElement("Username", "wsse");
                          SOAPElement password = usernameToken.addChildElement("Password", "wsse");
                     } catch (Exception e) {
                          m_logger.error("Failed to add username token profile security", e);
                     }
                } else {
                     m_logger.debug("\n (client protocol handler) Inbound message:");
                }
                return true;
           }

      but when I deploy the same client on weblogic server it fails to communicate with my web service with this error:
      javax.xml.ws.soap.SOAPFaultException: Unable to add security token for identity, token uri =http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

      I noticed Weblogic has some packages to handle security like:

      So I added another mechanism using weblogic package to add username password to SOAP header

      Map<String, Object> request = ((BindingProvider) proxy).getRequestContext();
      if (connectInfo.get("username") != null && connectInfo.get("password") != null) {
           List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
           // client side UsernameToken credential provider (takes user name and password as byte arrays)
           CredentialProvider cp = new ClientUNTCredentialProvider(
                     ((String) connectInfo.get("username")).getBytes(),
                     ((String) connectInfo.get("password")).getBytes());
           credProviders.add(cp);
           // hand the provider list to the WebLogic WS-Security runtime for this proxy
           request.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
      }

      This seems to be OK, but only for weblogic.
      I don't want to have one client for deploying on weblogic and another one for JAX-WS.
      I suppose weblogic follows the standard and should support the original approach.
      Is this an incompatibility issue, or am I missing something?
        • 1. Re: problems with JAX-WS when using security (e.g. username token profile)
          Ravi Jegga
          In one of WLP Pageflows, I invoke a SOA BPEL WebService that needs Security Header like the way you have. I have my own Handler class and I call the below private method in handleMessage(...) and so far it is working fine. Security Header is adding fine.

          One difference I could see in your method and my method is when we create SOAPElement for "Security" Tag, at the time of creation itself, I pass the third argument also that is the namespace. I remember vaguely, when I used code like yours, like first instantiate with only 2 args. Then set the namespace. It did not work. So I used the API, that takes the namespace as third argument.

          So try something like below. This is a working code snippet deployed on WLP 10.3 (WLP is on top of WLS 10.3).

          Ravi Jegga

               private void setSOAPSecurityHeader(SOAPEnvelope soapEnvelope) throws Exception {
                    try {
                         //soapEnvelope.addNamespaceDeclaration("soap", "http://schemas.xmlsoap.org/soap/envelope/");
                         soapEnvelope.addNamespaceDeclaration("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");

                         SOAPHeader header = soapEnvelope.addHeader();

                         String namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
                         SOAPElement securityElement = header.addHeaderElement(soapEnvelope.createName("Security", "wsse", namespace));

                         securityElement.addNamespaceDeclaration("", namespace);
                         //securityElement.addNamespaceDeclaration("env", "http://schemas.xmlsoap.org/soap/envelope/");

                         SOAPElement usernameTokenElement = securityElement.addChildElement(soapEnvelope.createName("UsernameToken", "wsse", namespace));
                         usernameTokenElement.addNamespaceDeclaration("", namespace);

                         SOAPElement usernameElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Username"));
                         SOAPElement passwordElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Password"));

                         // For Testing Purposes only hardcoded this username and password values. Later on this may be set dynamically

                         //SOAPBody soapBody = soapEnvelope.getBody();
                         //SOAPHeader soapHeader = soapEnvelope.getHeader();
                    } catch (Exception e) {
                         // Handle This error in the main method that is calling this private method. So just return the Exception as it is...
                         throw e;
                    }
               }
          • 2. Re: problems with JAX-WS when using security (e.g. username token profile)
            Thanks Ravi,
            I am passing namespace URL in my code,
            "SOAPElement security = header.addChildElement("Security", "wsse", WSSE_NAMESPACE);"

            The only difference I noticed is that you are using addHeaderElement while I used addChildElement.
            Just to be sure, I updated my code to be similar to your API call, but I get the same error.
            In both cases, when I log the outbound message, I can see the security header:

            <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header><wsse:Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken><Username>weblogic</Username><Password>welcome1</Password></wsse:UsernameToken></wsse:Security></S:Header><S:Body><ns2:getDmsConfig xmlns:ns2="artifact.wsclient.vuelink.cimmetry.com"/></S:Body></S:Envelope>

            but I still get this error in my method call.
            javax.xml.ws.soap.SOAPFaultException: Unable to add security token for identity, token uri =http://docs.oasis-open.org/wss/2004/01/oasis-200
                 at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:196)
                 at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
                 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
                 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
                 at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
            • 3. Re: problems with JAX-WS when using security (e.g. username token profile)
              Hi R.E.,
              The JAX-WS impl within WebLogic will interpret the WSDL you specified. If the WSDL contains UNT policy, the only way to call this endpoint is to use the weblogic proprietary style. A workaround for your handler solution is that you create a clean WSDL without UNT policy and point to this local wsdl when you initialize your client. Maybe it would work.
              Good luck!

              • 4. Re: problems with JAX-WS when using security (e.g. username token profile)
                Thanks LJ,

                The policy that I have in my web service is the standard Https UserNameToken WS-Security Policy. I believe my first client code is OK because I can deploy it successfully on Tomcat 6 (JRE 6) without any weblogic library while my web service is deployed on weblogic. For this to work, I've imported the weblogic server certificate into the tomcat JRE for the "https" part of the policy, and then I put the correct user/pass into the SOAP header using the handler class, and voila, communication goes through.
                My problem is when I deploy the same client code on weblogic (webservice and webservice-client both on the same weblogic but in different web contexts). In this case I get the error message that I mentioned above.
                If I update my client code to use weblogic packages to set the user/pass instead of JAX-WS, then I don't get the error, but I end up with a client that cannot be deployed on other app servers anymore. I want to avoid proprietary code for WS-Security, and I believe weblogic should be supporting a JAX-WS client, unless I'm missing something here.
                • 5. Re: problems with JAX-WS when using security (e.g. username token profile)
                  Hi, I have been struggling with the exact same issue for a long time. Were you able to find a solution to the issue you faced here?
                  • 6. Re: problems with JAX-WS when using security (e.g. username token profile)
                    It is better to open a new thread; this is a very old thread.