Error setting up ws-security (Apache Rampart/C) for UsernameToken authentication and NO encryption

0
votes

I'm having problems setting up AXIS2/C web services (axis2/c 1.6.0) with Apache Rampart/C 1.3.0 (not to be confused with their java counterparts, aka just "axis2" and "rampart") for UsernameToken authentication. I want NO encryption because I'm trying to test this with SoapUI first; when I get this working I'll add the encryption stuff (I couldn't set up Rampart/c without security policy either, it just gives me a configuration error). The webservice works perfectly fine without Rampart. But when I try to configure Rampart for the security, I get this error in the response:

<soapenv:Fault>
     <faultcode>soapenv:Client</faultcode>
     <faultstring>No Error</faultstring>
</soapenv:Fault>

When I go to the Axis2 logs, I find the following errors:

[Thu May 16 12:17:59 2013] [debug] rampart_sec_header_processor.c(1815) [rampart]Processing security header in Strict layout
[Thu May 16 12:17:59 2013] [debug] rampart_sec_header_processor.c(1824) [rampart]Processing security header element (null)
[Thu May 16 12:17:59 2013] [error] rampart_sec_header_processor.c(1908) [rampart]Unknown security header (null)
[Thu May 16 12:17:59 2013] [error] rampart_sec_header_processor.c(1915) [rampart](null) processing failed
[Thu May 16 12:17:59 2013] [error] rampart_in_handler.c(143) [rampart][rampart_in_handler] Security Header processing failed.

This is quite odd, as if it couldn't find the Security Header at all. I'm suspecting the SOAP Request might have something wrong, but I have no idea what that might be. Or perhaps I found a rare Rampart/c bug?

For the username and password, I used the callback .so provided with the Rampart samples, and with the username "Alice" and password "abcd!1234".

Here's the full listing for the relevant files (IP addresses redacted):

services.xml:

<service name="ws_vacaciones">
    <parameter name="wsdl_path">/informix/AXIS2C/services/ws_vacaciones/ws_vacaciones.wsdl</parameter>
    <parameter name="ServiceClass">ws_vacaciones</parameter>
    <description> I4GL-SOA Published Service - ws_vacaciones </description>

    <module ref="rampart"/>
    <operation name="ve_traba"/>

    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:sec="http://schemas.xmlsoap.org/ws/2012/12/secext"
      xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                  <wsp:Policy>
                     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                  </wsp:Policy>
                  <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
                    <rampc:User>Alice</rampc:User>
                    <rampc:PasswordType>PasswordText</rampc:PasswordType>
                    <rampc:PasswordCallbackClass>/informix/AXIS2C/samples/lib/rampartc/libpwcb.so</rampc:PasswordCallbackClass>
                  </rampc:RampartConfig>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</service>

services.xml (alternative; gives same error):

<service name="ws_vacaciones">
    <parameter name="wsdl_path">/informix/AXIS2C/services/ws_vacaciones/ws_vacaciones.wsdl</parameter>
    <parameter name="ServiceClass">ws_vacaciones</parameter>
    <parameter name="InflowSecurity">
        <action>
           <items>UsernameToken</items>
           <passwordCallbackClass>/informix/AXIS2C/samples/lib/rampartc/libpwcb.so</passwordCallbackClass>
        </action>
    </parameter>

    <description> I4GL-SOA Published Service - ws_vacaciones </description>
    <module ref="rampart"/>
    <operation name="ve_traba"/>

    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:sec="http://schemas.xmlsoap.org/ws/2012/12/secext"
      xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                  <wsp:Policy>
                     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                  </wsp:Policy>
                  <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
                    <rampc:User>Alice</rampc:User>
                    <rampc:PasswordType>PasswordText</rampc:PasswordType>
                    <rampc:PasswordCallbackClass>/informix/AXIS2C/samples/lib/rampartc/libpwcb.so</rampc:PasswordCallbackClass>
                  </rampc:RampartConfig>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</service>

SOAPUI request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
  xmlns:ws="http://XX.XX.XX.XXX:9090/axis2/services/ws_vacaciones"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="0">
      <!-- set to 0 for debugging purposes; using 1 gives same errors -->
          <wsse:UsernameToken wsu:Id="blah">
              <wsse:Username>Alice</wsse:Username>
              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">abcd!1234</wsse:Password>
              <wsu:Created>2013-05-14T15:15:00</wsu:Created>
              <wsu:Expires>2019-05-14T15:15:00</wsu:Expires>
          </wsse:UsernameToken>   
      </wsse:Security>    
   </soapenv:Header>
   <soapenv:Body>
      <ws:ve_traba_request>
         <ws:employeeid>12345</ws:employeeid>
         <ws:date>2013-04-09</ws:date>
      </ws:ve_traba_request>
   </soapenv:Body>
</soapenv:Envelope>

RESPONSE:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header/>
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Client</faultcode>
         <faultstring>No Error</faultstring>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

axis2.log (relevant parts):

[Thu May 16 12:17:54 2013] [info]  Starting HTTP server thread
[Thu May 16 12:17:59 2013] [debug] http_worker.c(200) Client HTTP version HTTP/1.1
[Thu May 16 12:17:59 2013] [debug] soap_builder.c(930) Identified soap version is soap11
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler request_uri_based_dispatcher within the phase Transport
[Thu May 16 12:17:59 2013] [debug] req_uri_disp.c(100) Checking for service using target endpoint address : http://XX.XX.XXX.XX:9090/axis2/services/ws_vacaciones
[Thu May 16 12:17:59 2013] [debug] req_uri_disp.c(121) Service found using target endpoint address
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler AddressingInHandler within the phase Transport
[Thu May 16 12:17:59 2013] [info]  Starting addressing in handler
[Thu May 16 12:17:59 2013] [info]  addr_in_handler.c
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler addressing_based_dispatcher within the phase Transport
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler rest_dispatcher within the phase Dispatch
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler soap_message_body_based_dispatcher within the phase Dispatch
[Thu May 16 12:17:59 2013] [debug] soap_body_disp.c(231) Checking for operation using SOAP messagebody's first child's local name : ve_traba__request
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler soap_action_based_dispatcher within the phase Dispatch
[Thu May 16 12:17:59 2013] [debug] soap_action_disp.c(115) Checking for operation using SOAPAction : ve_traba
[Thu May 16 12:17:59 2013] [debug] soap_action_disp.c(146) Operation found using SOAPAction
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler dispatch_post_conditions_evaluator within the phase PostDispatch
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler context_handler within the phase PostDispatch
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler RampartInHandler within the phase Security
[Thu May 16 12:17:59 2013] [debug] rampart_util.c(32) [rampart]Trying to load module /informix/AXIS2C/samples/lib/rampartc/libpwcb.so
[Thu May 16 12:17:59 2013] [debug] class_loader.c(140) /informix/AXIS2C/samples/lib/rampartc/libpwcb.so shared lib loaded successfully
[Thu May 16 12:17:59 2013] [debug] rampart_util.c(48) [rampart]Successfully loaded module /informix/AXIS2C/samples/lib/rampartc/libpwcb.so
[Thu May 16 12:17:59 2013] [debug] rampart_sec_header_processor.c(1815) [rampart]Processing security header in Strict layout
[Thu May 16 12:17:59 2013] [debug] rampart_sec_header_processor.c(1824) [rampart]Processing security header element (null)
[Thu May 16 12:17:59 2013] [error] rampart_sec_header_processor.c(1908) [rampart]Unknown security header (null)
[Thu May 16 12:17:59 2013] [error] rampart_sec_header_processor.c(1915) [rampart](null) processing failed
[Thu May 16 12:17:59 2013] [error] rampart_in_handler.c(143) [rampart][rampart_in_handler] Security Header processing failed.
[Thu May 16 12:17:59 2013] [error] phase.c(233) Handler RampartInHandler invoke failed within phase Security
[Thu May 16 12:17:59 2013] [error] engine.c(696) Invoking phase Security failed
[Thu May 16 12:17:59 2013] [error] engine.c(279) Invoking operation specific phases failed for operation ve_traba
[Thu May 16 12:17:59 2013] [debug] phase.c(210) Invoke the handler RampartOutHandler within the phase MessageOut
[Thu May 16 12:17:59 2013] [debug] rampart_handler_util.c(247) [rampart][rhu] Service is NULL. Check if the security is enabled in the Conf
[Thu May 16 12:17:59 2013] [error] rampart_engine.c(159) [rampart][rampart_engine] Cannot get saved rampart_context
[Thu May 16 12:17:59 2013] [error] rampart_out_handler.c(136) [rampart][rampart_out_handler] ramaprt_context creation failed.
[Thu May 16 12:17:59 2013] [error] phase.c(233) Handler RampartOutHandler invoke failed within phase MessageOut
[Thu May 16 12:17:59 2013] [error] engine.c(696) Invoking phase MessageOut failed
[Thu May 16 12:17:59 2013] [info]  Request served in 0.019 seconds
[Thu May 16 12:18:00 2013] [info]  Received signal SIGINT. Server shutting down
[Thu May 16 12:18:00 2013] [info]  Terminating HTTP server thread
[Thu May 16 12:18:00 2013] [debug] http_svr_thread.c(181) Terminating HTTP server thread.
[Thu May 16 12:18:00 2013] [info]  Successfully terminated  HTTP server thread
[Thu May 16 12:18:00 2013] [info]  Shutdown complete ...
1
soapws-securityrampartusernametokenaxis2c

1 Answers

1
votes

Finally found out what happened. Apparently, SoapUI removes the Security headers before submitting; hence, the (null) Security Header message.

To specify the security headers, I need to doubleclick on the project, click on the "WS-Security Configurations", add an Outgoing WS-Security Configuration, and add a Username entry to that config.

Later, on the request, on the bottom left, I click the "..." button corresponding to the Authentication and Security settings, and under "Outgoing WSS:" choose the Configuration that I just added.

After doing this, the soapfault changes to wsse:InvalidSecurityToken, the description reading "Username Token not expected". So this means I need to fix the rampart/c configuration. But at least now I know what's going on.