How to enable UsernameToken WS-Security in WebSphere Liberty

0
votes

I want to know how to enable WS-Security in WebSphere Liberty

I have created a user(soa_user) and user group(soa_group) in my server.xml in Liberty profile. All the features mentioned bellow are successfully installed.

server.xml

<server description="new server">
  <!-- Enable features -->
  <featureManager>
    <feature>javaee-7.0</feature>
    <feature>jdbc-4.1</feature>
    <feature>localConnector-1.0</feature>
    <feature>ssl-1.0</feature>
    <feature>servlet-3.1</feature>
    <feature>wsSecurity-1.1</feature>
    <feature>appSecurity-2.0</feature>
    <feature>jaxws-2.2</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="yourPassword" />
  <basicRegistry id="basic" realm="Authentication">
    <user name="soa_user" password="testUserPassword" />
     <group name="soa_group">
         <member name="soa_user" />
     </group>
  </basicRegistry>
  <httpEndpoint host="*" httpPort="8080" httpsPort="9443" id="defaultHttpEndpoint" />
  .....
</server>

I have two modules where one is for generating the EAR(ABCServiceEAR) file and other is the SOAPService(ABCSOAPService)

In ABCSOAPService under src\main\webapp\WEB-INF\web.xml I have created a user role as bellow

  <security-role id="security_role_1">
    <role-name>authenticated-user</role-name>
  </security-role>

In ABCServiceEAR under resources\META-INF\ibm-application-bnd.xml I have assigned above user role to the group I created in liberty server.xml

<security-role name="authenticated-user">
        <group name="soa_group" />
    </security-role>

My goal is to check whether this user is authenticated from service endpoint implementation class as bellow

@javax.jws.WebService (endpointInterface="...",
        targetNamespace="...",
        serviceName="ABCService_1_0", portName="ABCServicePort_1_0",
        wsdlLocation="WEB-INF/wsdl/ABCSOAPService.wsdl")
@HandlerChain(file = "/handlers.xml")
@DeclareRoles({ "authenticated-user" })
public class ABCSOAPServiceImpl implements ABCSOAPService {

    @Resource
    private WebServiceContext wsContext; 

public void myMethod() {
        if (!wsContext.isUserInRole("authenticated-user")) {
            //do something
        }
    }

My SOAP Header is as bellow

   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-1314D8CB1A76EFB5F614902572284093">
            <wsse:Username>soa_user</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testUserPassword</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">cCdfT/hAg3p4vNwRHP/BMA==</wsse:Nonce>
            <wsu:Created>2017-03-23T08:20:28.409Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>

Response I am getting is bellow

<faultcode>soap:MustUnderstand</faultcode>
         <faultstring>MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.</faultstring>

Even if I set soapenv:mustUnderstand to "0", application is not able to identify the user in service endpoint class(wsContext.getUserPrincipal() is null).

I am new to WS Security,
Can someone please tell me how to achieve this?
What should I add to my WSDL?
Or Is there and way to configure security globally(may be in Liberty profile) without changing WSDL

Update

I have provided ws-security policy(policy attachment) in {ProjectLocation}\src\main\webapp\WEB-INF\policy-attachments-server.xml as bellow. 

<attachments
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://www.w3.org/ns/ws-policy"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:PolicyAttachment wsdlNamespace="com.my-service.sales.servs.MyService">
        <wsp:AppliesTo>
            <wsa:EndpointReference>
                <wsa:Address>http://localhost:9080/sales/servs/MyService_1_0</wsa:Address>
            </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wsp:Policy wsu:Id="UsernameTokenwithPasswordHashoverSSL">
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:SupportingTokens>
                        <wsp:Policy>
                            <sp:UsernameToken
                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssUsernameToken10 />
                                </wsp:Policy>
                            </sp:UsernameToken>
                        </wsp:Policy>
                    </sp:SupportingTokens>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>
    </wsp:PolicyAttachment>
</attachments>

I am still having the same issue.

2
web-serviceswsdlwebsphere-libertyws-securityusernametoken

2 Answers

1
votes

You will need attach ws-security policy in your service. You can either add ws-security policy inside WSDL, or create policy attachment file in web-inf directory (http://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_dep_policyattach.html).

We have policy example and configuration option for your scenario, see https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/cwlp_wssec_utoken.html. You could use the policy in this link, and skip to "Consuming a UsernameToken in a web services provider" for instructions.

0
votes

In policy-attachments-server.xml, use wsp:URI, instead of wsa:EndpointReference