Securing a Web Service with UsernameToken profile 1.0 using Axis2 and Rampart
This is my first question on Stack Overflow.

I'm not an expert Java programmer; I have previous experience with the language and with different IDEs.

I have a scenario where a customer requires that, given a WSDL, I create a service that must be authenticated using the UsernameToken profile 1.0 (OASIS standard 200401). It will be secured under SSL on the production servers.

I've been doing research and have tried to implement different cases, and I have arrived at a point where nothing is working for me.

I'm using:

- Eclipse as the base IDE
- Axis2 v1.6.3
- Rampart v1.6.2
- Rahas v1.6.2

To illustrate the current situation, here I show the structure Eclipse creates for me when generating the Java bean service structure from the WSDL in the Eclipse base IDE:
https://dl.dropboxusercontent.com/u/71031985/schema.png
Configuration applied:

In WebContent/WEB-INF/conf/axis2.xml I enable the Rampart module and the passwordCallbackClass that handles the username and password provided in the SOAP headers:

```xml
<module ref="rampart"/>
<parameter name="InflowSecurity">
  <action>
    <items>UsernameToken</items>
    <passwordCallbackClass>servicemanager.ServiceAuthUsernameToken</passwordCallbackClass>
    <passwordType>PasswordText</passwordType>
  </action>
</parameter>
...
```

In the file located at /WebContent/WEB-INF/services/proveedorcentrotfws/META-INF/services.xml I place the Rampart policy that should accomplish the UsernameToken requirement:

```xml
<wsp:Policy wsu:Id="UTOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>servicemanager.ServiceAuthUsernameToken</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

When performing the call, the test client provided by the customer (which cannot be modified) sends the following SOAP message:

```xml
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        soapenv:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-3">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">definedpwd</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsa:To>http://localhost:8080/proveedorcentrotfws</wsa:To>
    <wsa:MessageID>urn:uuid:f2fb54d9-8957-49a2-88a7-de6d209e6d35</wsa:MessageID>
    <wsa:Action>getActionList</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <ns3:getActionList xmlns:ns3="http://impl.ws.application.proveedorcentro.meyss.spee.es"/>
  </soapenv:Body>
</soapenv:Envelope>
```

The error returned once the SOAP message is sent is the following one:

```text
java.lang.RuntimeException: Malformed URI: UsernameTokenPolicy
```

and the stack trace that follows is:

```text
at org.apache.neethi.PolicyReference.getRemoteReferencedPolicy(PolicyReference.java:155)
at org.apache.neethi.PolicyReference.normalize(PolicyReference.java:110)
at org.apache.axis2.util.PolicyUtil.getMergedPolicy(PolicyUtil.java:267)
at org.apache.axis2.description.AxisBindingMessage.calculateEffectivePolicy(AxisBindingMessage.java:294)
at org.apache.axis2.description.AxisBindingMessage.getEffectivePolicy(AxisBindingMessage.java:225)
at org.apache.axis2.context.MessageContext.getEffectivePolicy(MessageContext.java:1617)
at org.apache.rampart.RampartMessageData.<init>(RampartMessageData.java:233)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:61)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.sendFault(AxisEngine.java:516)
at org.apache.axis2.transport.http.AxisServlet.handleFault(AxisServlet.java:433)
at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:216)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
```

I have checked, and whatever way I try to make it accept the SOAP messages, I cannot make it work.

Thanks for your support and attention.
The solution to the problem: the provided WSDL misses the parts needed to be able to authenticate under the UsernameToken profile 1.0 (OASIS standard 200401).

I found the solution on an IBM page about WS-Security with Metro.

In the WSDL document, under the binding tag, there is a policy reference:

```xml
<wsp:PolicyReference URI="#UsernameTokenPolicy" wsdl:required="true"/>
```

Reading the online documentation I saw it pointing out that it's necessary to add a policy entry in the same WSDL file, next to that reference, having the referenced identifier as its name (#UsernameTokenPolicy) or whatever name you want for the policy you want to apply:

```xml
<wsp:Policy wsu:Id="UsernameTokenPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken11/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
  <wsss:ValidatorConfiguration wspp:visibility="private"
      xmlns:wsss="http://schemas.sun.com/2006/03/wss/server"
      xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy">
    <wsss:Validator name="usernameValidator" classname="[packagename].[CallbackValidatorName]"/>
  </wsss:ValidatorConfiguration>
</wsp:Policy>
```

Once that is done, you need to create the callback validator whose responsibility is to process the header credentials of the SOAP request; the next example is provided:

```java
package [packagename];

import com.sun.xml.wss.impl.callback.PasswordValidationCallback;

public class [CallbackValidatorName] implements PasswordValidationCallback.PasswordValidator {

    @Override
    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        // Only PasswordText tokens arrive as a PlainTextPasswordRequest; a
        // digest token would be a different Request subtype and is rejected
        // here instead of failing with a ClassCastException.
        if (!(request instanceof PasswordValidationCallback.PlainTextPasswordRequest)) {
            return false;
        }
        PasswordValidationCallback.PlainTextPasswordRequest ptReq =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
        // Credentials taken from the wsse:Username and wsse:Password elements of the header.
        return "[HARDCODED_USERNAME]".equals(ptReq.getUsername())
                && "[HARDCODED_PWD]".equals(ptReq.getPassword());
    }
}
```

Once that is done, you should be able to authenticate a SOAP message that matches the UsernameToken profile 1.0 (OASIS standard 200401) on the Java web service server side.
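As an added example, not code from the question's Axis2/Rampart setup nor from the answer's Metro validator: the following shows what a validator for UsernameToken profile 1.0 actually has to check once the framework hands it the header. It parses the wsse:Security header of an envelope shaped like the client's message, accepts PasswordText (the form the customer's client sends, acceptable only because the transport binding requires HTTPS), and also handles the profile's PasswordDigest form with nonce and Created checks, which the page's code does not cover. The credential store, clock-skew window, sample envelope and sample timestamp are constructed for the example.

```python
"""Validation of WS-Security UsernameToken Profile 1.0 headers (added example)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"

# Constructed credential store; a real service would look users up, not embed them.
CREDENTIALS = {"username": "definedpwd"}
MAX_SKEW = timedelta(minutes=5)   # accepted age of wsu:Created (assumed window)
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CREATED = "2024-01-01T11:59:30Z"

# Constructed envelope mirroring the customer's client message (PasswordText).
SAMPLE_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-3">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">definedpwd</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


class TokenError(ValueError):
    """Token missing, malformed, or of an unsupported type."""


def extract_username_token(envelope_xml: str) -> dict:
    """Pull the first wsse:UsernameToken out of the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f".//{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        raise TokenError("no wsse:UsernameToken in wsse:Security header")
    user = tok.findtext(f"{{{WSSE}}}Username")
    pwd = tok.find(f"{{{WSSE}}}Password")
    if not user or pwd is None:
        raise TokenError("UsernameToken lacks Username or Password")
    return {
        "username": user,
        "password": pwd.text or "",
        "type": pwd.get("Type", PASSWORD_TEXT),   # profile default when Type is absent
        "nonce": tok.findtext(f"{{{WSSE}}}Nonce"),  # Nonce is in the wsse namespace
        "created": tok.findtext(f"{{{WSU}}}Created"),  # Created is in the wsu namespace
    }


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_digest_token(username: str, password: str, nonce: bytes, created: str) -> dict:
    """Client side: the token a PasswordDigest sender would put in the header."""
    return {"username": username, "type": PASSWORD_DIGEST,
            "password": password_digest(nonce, created, password),
            "nonce": base64.b64encode(nonce).decode("ascii"), "created": created}


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison; a plain == leaks how long the matching prefix is.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def validate_token(token: dict, now: Optional[datetime] = None,
                   seen_nonces: Optional[set] = None) -> bool:
    """Return True only if the token authenticates a known user."""
    secret = CREDENTIALS.get(token["username"])
    if secret is None:
        return False
    if token["type"] == PASSWORD_TEXT:
        # Plaintext password: only acceptable with TLS on the transport binding.
        return _equal(token["password"], secret)
    if token["type"] == PASSWORD_DIGEST:
        nonce_b64, created = token.get("nonce"), token.get("created")
        if not nonce_b64 or not created:
            raise TokenError("PasswordDigest requires wsse:Nonce and wsu:Created")
        now = now or datetime.now(timezone.utc)
        created_dt = datetime.fromisoformat(created.rstrip("Z")).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > MAX_SKEW:
            return False                       # stale or future-dated token
        if seen_nonces is not None:
            if nonce_b64 in seen_nonces:
                return False                   # replayed nonce
            seen_nonces.add(nonce_b64)
        expected = password_digest(base64.b64decode(nonce_b64), created, secret)
        return _equal(token["password"], expected)
    raise TokenError(f"unsupported password Type {token['type']}")


if __name__ == "__main__":
    print(validate_token(extract_username_token(SAMPLE_ENVELOPE)))
```

The digest branch exists because a server that is asked to accept PasswordDigest must store the plaintext password (or an equivalent) to recompute it, so the choice between the two forms is a storage decision as much as a wire-format one; with PasswordText under TLS the server can keep only a password hash and verify it in place of the `_equal` call.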