  1. Authenticating a WS-Security UsernameToken against a GlassFish realm gives "Authentication refused"

<p>I have a SOAP webservice declared using @WebService in an EJB subproject of an EAR running in GlassFish 3.1.1 using its bundled Metro runtime. It's been annotated with the usual @DeclareRoles and @RolesAllowed, on the class level.</p>

<p>I have a WSIT descriptor for authentication using a simple plaintext-password UsernameToken.</p>

<p>In the EAR's glassfish-application.xml, I specify the realm as the standard file realm that comes with GlassFish. To this realm I have added a user for testing, belonging to a specific group. This group is mapped to the role I specified in glassfish-ejb-jar.xml.</p>

<p>I also enabled the Security Manager in GlassFish, as well as auditing. I restarted the server after doing this.</p>

<p>I have generated a client and set the username and password in callback handlers. I log to make sure the credentials are indeed set. I have also tried to set the credentials like this:</p>

<pre><code>Map&lt;String, Object&gt; requestContext = ((BindingProvider)port).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, "myUsername");
requestContext.put(BindingProvider.PASSWORD_PROPERTY, "myPassword");
</code></pre>

<p>When I call the service, I get this on the server:</p>

<pre><code>INFO: SEC5046: Audit: Authentication refused for [myUsername].
INFO: SEC1201: Login failed for user: myUsername
SEVERE: WSS1408: UsernameToken Authentication Failed
SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
    at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:158)
    at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:164)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:341)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:275)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:225)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:586)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:360)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:263)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:173)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:144)
    at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
    at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)
    at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:608)
    at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:259)
    at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:162)
    at org.glassfish.webservices.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:120)
    at org.glassfish.webservices.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:91)
    at org.glassfish.webservices.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:200)
    at org.glassfish.webservices.EjbWebServiceServlet.service(EjbWebServiceServlet.java:131)
(Rest is snipped away)
</code></pre>

<p>and I get this on the client:</p>

<pre><code>Authentication of Username Password Token Failed
javax.xml.ws.soap.SOAPFaultException: Authentication of Username Password Token Failed
    at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
    at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
    at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
</code></pre>

<p>I then created a simple servlet/JSP project and added a security restriction on the realm. Authentication using the same user works in this case.</p>

<p>The WS-Security policy looks like this:</p>

<pre><code>&lt;ns1:Policy xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/09/policy" wsu:Id="MyServicePortBindingPolicy"&gt;
  &lt;ns1:ExactlyOne&gt;
    &lt;ns1:All&gt;
      &lt;ns2:SupportingTokens xmlns:ns2="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"&gt;
        &lt;ns1:Policy&gt;
          &lt;ns1:ExactlyOne&gt;
            &lt;ns1:All&gt;
              &lt;ns2:UsernameToken ns2:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"&gt;
                &lt;ns1:Policy&gt;
                  &lt;ns1:ExactlyOne&gt;
                    &lt;ns1:All&gt;
                      &lt;ns2:WssUsernameToken10 /&gt;
                    &lt;/ns1:All&gt;
                  &lt;/ns1:ExactlyOne&gt;
                &lt;/ns1:Policy&gt;
              &lt;/ns2:UsernameToken&gt;
            &lt;/ns1:All&gt;
          &lt;/ns1:ExactlyOne&gt;
        &lt;/ns1:Policy&gt;
      &lt;/ns2:SupportingTokens&gt;
      &lt;ns3:UsingAddressing xmlns:ns3="http://www.w3.org/2006/05/addressing/wsdl" /&gt;
    &lt;/ns1:All&gt;
  &lt;/ns1:ExactlyOne&gt;
&lt;/ns1:Policy&gt;
</code></pre>

<p>What's going wrong here? Any suggestions highly appreciated.</p>
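
An added example, not part of the original question and not GlassFish or Metro code: a small Python audit of the posted policy that lists each UsernameToken assertion and whether the policy itself requires any security binding. The posted policy declares none, so the plaintext password is protected only if HTTPS is enforced by other configuration. The function name `audit_policy`, the re-typed sample and the abbreviated `TransportBinding` variant are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the policy posted in the question.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# Binding assertions that make the policy itself demand transport or message protection.
BINDINGS = ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")

# Constructed sample: the question's policy re-typed; wsu:Id is dropped because
# the wsu prefix is not declared in the posted fragment.
POLICY = f"""<ns1:Policy xmlns:ns1="{WSP}" xmlns:ns2="{SP}">
 <ns1:ExactlyOne><ns1:All>
  <ns2:SupportingTokens><ns1:Policy><ns1:ExactlyOne><ns1:All>
   <ns2:UsernameToken ns2:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
    <ns1:Policy><ns1:ExactlyOne><ns1:All>
     <ns2:WssUsernameToken10/>
    </ns1:All></ns1:ExactlyOne></ns1:Policy>
   </ns2:UsernameToken>
  </ns1:All></ns1:ExactlyOne></ns1:Policy></ns2:SupportingTokens>
  <ns3:UsingAddressing xmlns:ns3="http://www.w3.org/2006/05/addressing/wsdl"/>
 </ns1:All></ns1:ExactlyOne>
</ns1:Policy>"""

# Constructed variant: same policy plus an abbreviated TransportBinding (HTTPS required).
HARDENED = POLICY.replace(
    "<ns3:UsingAddressing",
    "<ns2:TransportBinding><ns1:Policy><ns2:TransportToken><ns1:Policy>"
    '<ns2:HttpsToken RequireClientCertificate="false"/>'
    "</ns1:Policy></ns2:TransportToken></ns1:Policy></ns2:TransportBinding>\n"
    "  <ns3:UsingAddressing")

def audit_policy(xml_text):
    """List every UsernameToken assertion and whether the policy requires a binding."""
    root = ET.fromstring(xml_text)
    bindings = [b for b in BINDINGS if root.find(f".//{{{SP}}}{b}") is not None]
    findings = []
    for elem in root.iter():
        ns, _, name = elem.tag[1:].partition("}")
        if ns != SP or not name.endswith("SupportingTokens"):
            continue  # only token containers (SupportingTokens and its variants)
        for token in elem.iter(f"{{{SP}}}UsernameToken"):
            profile = [c.tag.split("}")[1] for c in token.iter()
                       if c.tag.startswith(f"{{{SP}}}WssUsernameToken")]
            findings.append({"container": name, "profile": profile,
                             "bindings": bindings, "cleartext_risk": not bindings})
    return findings

if __name__ == "__main__":
    for label, doc in (("posted", POLICY), ("hardened", HARDENED)):
        print(label, audit_policy(doc))
```
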
 
