Problem with UserToken Authentication

azielinski
Hello,

At the moment I am trying to call a web service from a BPEL module which uses username token authentication and secure conversation afterwards. I designed the BPEL process so that the BPEL WSDL file contains the same WS-Security stuff as the WSDL of the web service. After this I build the composite application and deploy it to the OpenESB standalone server. For the OpenESB server I copied the key store and trust store into the instance folder, with the same names as written in the openesb.bat file. If I test this with a web client, I get an 'Invalid Security Header' error back.

The web service itself is working so far, because I called it directly from a web client without problems.

I got the following exceptions on Glassfish server (OpenESB Standalone with Netbeans IDE):

SEVERE [javax.enterprise.resource.xml.webservices.security] (httpWorkerThread-9080-2) WSS0225: Exception occured in Password Validation Callback
com.sun.xml.wss.XWSSecurityException: Error: Could not locate default username validator for the container
        at com.sun.xml.wss.impl.misc.DefaultRealmAuthenticationAdapter.authenticate(DefaultRealmAuthenticationAdapter.java:197)
        at com.sun.xml.wss.RealmAuthenticationAdapter.authenticate(RealmAuthenticationAdapter.java:93)
        at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.authenticateUser(DefaultSecurityEnvironmentImpl.java:1172)
        at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:160)
        at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityHeaderProcessor.createHeader(SecurityHeaderProcessor.java:192)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleEncryptedData(SecurityRecipient.java:645)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:459)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:291)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:241)
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
        at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
        at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
        at com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
        at com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
        at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
        at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:483)
        at com.sun.jbi.httpsoapbc.embedded.JAXWSGrizzlyRequestProcessor.processAsynchRequest(JAXWSGrizzlyRequestProcessor.java:411)
        at com.sun.jbi.httpsoapbc.embedded.JAXWSGrizzlyRequestProcessor.service(JAXWSGrizzlyRequestProcessor.java:226)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
        at com.sun.jbi.httpsoapbc.embedded.JBIGrizzlyAsyncFilter.doFilter(JBIGrizzlyAsyncFilter.java:95)
        at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.invokeFilters(DefaultAsyncExecutor.java:175)
        at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.interrupt(DefaultAsyncExecutor.java:153)
        at com.sun.enterprise.web.connector.grizzly.async.AsyncProcessorTask.doTask(AsyncProcessorTask.java:92)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at com.sun.enterprise.web.connector.grizzly.WorkerThreadImpl.run(WorkerThreadImpl.java:116)

SEVERE [com.sun.xml.wss.jaxws.impl] (httpWorkerThread-9080-2) WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Error: Could not locate default username validator for the container
        at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.authenticateUser(DefaultSecurityEnvironmentImpl.java:1179)
        at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:160)
        at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityHeaderProcessor.createHeader(SecurityHeaderProcessor.java:192)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleEncryptedData(SecurityRecipient.java:645)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:459)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:291)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:241)
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
        at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
        at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
        at com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
        at com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
        at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
        at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:483)
        at com.sun.jbi.httpsoapbc.embedded.JAXWSGrizzlyRequestProcessor.processAsynchRequest(JAXWSGrizzlyRequestProcessor.java:411)
        at com.sun.jbi.httpsoapbc.embedded.JAXWSGrizzlyRequestProcessor.service(JAXWSGrizzlyRequestProcessor.java:226)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
        at com.sun.jbi.httpsoapbc.embedded.JBIGrizzlyAsyncFilter.doFilter(JBIGrizzlyAsyncFilter.java:95)
        at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.invokeFilters(DefaultAsyncExecutor.java:175)
        at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.interrupt(DefaultAsyncExecutor.java:153)
        at com.sun.enterprise.web.connector.grizzly.async.AsyncProcessorTask.doTask(AsyncProcessorTask.java:92)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at com.sun.enterprise.web.connector.grizzly.WorkerThreadImpl.run(WorkerThreadImpl.java:116)
Caused by: com.sun.xml.wss.XWSSecurityException: Error: Could not locate default username validator for the container
        at com.sun.xml.wss.impl.misc.DefaultRealmAuthenticationAdapter.authenticate(DefaultRealmAuthenticationAdapter.java:197)
        at com.sun.xml.wss.RealmAuthenticationAdapter.authenticate(RealmAuthenticationAdapter.java:93)
        at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.authenticateUser(DefaultSecurityEnvironmentImpl.java:1172)

I don't know if this can be related to the realm user in the Glassfish server. In that case I would expect an error message which indicates a wrong user or password.
Also, I don't know whether it is possible to administrate users in the OpenESB server (Glassfish) directly, like you can do with the standard Glassfish management console. At the moment I am trying to use the admin credentials.

Thanks in advance.
Regards,
Andre

Re: Problem with UserToken Authentication

Paul Perez
Administrator
Hello Andre,

Maybe this document could be useful for you:
http://open-esb.net/files/OpenESB%20Documents/Papers/OpenESB-SSLInstallationProcess.pdf

Regards,

Paul

PS: Maybe you have to be logged in to the web site to access it.
www.pymma.com The best services on OpenESB

Re: Problem with UserToken Authentication

azielinski
Hello Paul,

Thanks for your response.
Unfortunately, the document does not cover my kind of problem.

In the meantime I managed to call the secured web service from within a BPEL process. The call to the BPEL process doesn't use any security at all; security is used only internally, to call the secured web service.
The problem begins if I activate the same security (username authentication with symmetric key and secure conversation) as the secured web service is using. In this case the server throws the exceptions from above.
The exceptions look as if a username validator is missing.

I will now try to protect the BPEL process with SSL and just call the secured web service internally.

Regards,
Andre

Re: Problem with UserToken Authentication

Paul Perez
Administrator
Hello Andre,
Please find the document in attachment:
OpenESB-SSLInstallationProcess.pdf

Please let me know if it is convenient for you.

Regards,

Paul
www.pymma.com The best services on OpenESB

Re: Problem with UserToken Authentication

azielinski
Hello Paul,

I tried the SSL communication, but ran into problems. According to the document you attached to this thread, the HTTP BC has a problem with SSL. I tried to follow the link in this document to get a working version of this component, but Google Drive tells me that I need permission to download it.
Is it possible to get this permission, or can you provide this component in some other way?

Thanks and regards,
Andre

Re: Problem with UserToken Authentication

Paul Perez
Administrator
Hi Andre,
Unfortunately, I don't have rights on the Google Drive either.
Nevertheless, maybe you could contact Akshay at akshay.thakur1388@gmail.com to get it.
Another solution is to download the last build of the components. AFAIK, improvements have been made on the HTTP.
Now, if that still does not work, let me know directly and we will try to find a solution for you.

Regards,

Paul

www.pymma.com The best services on OpenESB