Basic Auth for SOAP Client Proxy within WebSphere Liberty

1
votes

We are trying to deploy an EAR on WebSphere Liberty which has been running on WebSphere Application Server 7 before. The application calls an external SOAP Service. The WSDL of the service defines a wsp:Policy with http:BasicAuthentication xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"/

After deployment when we send a request to our application, which would trigger that SOAP-call we get an error: 

None of the policy alternatives can be satisfied.

In addition, we get this Warning:

[WARNING ] No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}BasicAuthentication registered.

The server.xml file has this feature added:

<feature>wsSecurity-1.1</feature>

The Service Fetching

public IServiceFacade getBasicHttpBindingIServiceFacade() {
        return super.getPort(new QName("http://tempuri.org/", "BasicHttpBinding_IService"), IServiceFacade.class);
    }

We have previously on WAS 7 been setting the Basic Auth as follows:

  IServiceFacade proxy = service.getBasicHttpBindingIServiceFacade();
            Map<String, Object> requestContext = ((BindingProvider) proxy).getRequestContext();
            ((BindingProvider)proxy).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);

            /* Basic authentication */
            requestContext.put(BindingProvider.USERNAME_PROPERTY, user);
            requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);

The following code has been functional on WAS 7 but is failing on Liberty.

UPDATE 1

The issue here seems to be that we are not able to access the cxf ClientProxy from the internal liberty-provided cxf client dependency. After some digging I found that liberty does not expose these libraries. The only solution being, that I need to exclude the jaxws-2.2 and provide all needed dependencies by myself, but as a result of that, I lose all built in functionality provided by liberty with regards to jax-ws's.

https://developer.ibm.com/answers/questions/236182/how-can-i-access-the-libertys-jaxrs-20-apache-cxf/

UPDATE 2

After providing my own cxf jars and excluding the jaxws-2.2 feature from Liberty. I can now access the HTTPConduit through usiing ClientProxy(proxy).getConduit(). However, now the issue seems to be that CXF does not support the provider: http://schemas.microsoft.com/ws/06/2004/policy/http.

It throws the following error: DEBUG org.apache.cxf.ws.policy.PolicyEngineImpl - Alternative {http://schemas.microsoft.com/ws/06/2004/policy/http}BasicAuthentication is not supported

I have added the following deps to by pom:

    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-rs-client</artifactId>
      <version>3.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-frontend-jaxws</artifactId>
      <version>3.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-transports-http</artifactId>
      <version>3.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>3.2.0</version>
    </dependency>

I also tried adding the following, with no luck:

Endpoint endpoint = client.getEndpoint()
endpoint.getOutInterceptors().add(new WSS4JOutInterceptor())

UPDATE 3

After some help from IBM support I was instructed to follow the following link: https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_ws_basicauth.html

We added an ibm-ws-bnd.xml file to our META-INF folder (as per section 4 and below), in addition, we used @WebServiceRef to access the webservice defined in our tags in the xml file. The file looks as such:

<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
                 version="1.0">
  <service-ref name="service/servicename">
    <port name="BasicHttpBinding"
          namespace="http://ibm.com/ws/jaxws/transport/security/"
          username="username"
          password="suchwowsecretpassword">
    </port>
  </service-ref>
</webservices-bnd>

Usign @WebServiceRef, I am getting back the service which is instantiated by the ibm-ws-bnd.xml file. However, the Basic Auth WS-policy is still not satisfied. Upon removing that policy assertion, we can see that the external service is failing with a 401-unauthorized error.

In addition, When we inspect the message in our handlerchain, we can see the following:

enter image description here

We can see that both username and pw values are null on the conduit properties. Which (as per my knowledge), should indicate that ibm-ws-bnd is not setting the actual Basic Auth header on our service.

1
httpauthenticationclientjax-wswebsphere-liberty

1 Answers

1
votes

We basically ran into the same problem a while back [1], but unfortunately were not able to solve this.

My suggestion would be to setup the entire SOAP-Client stuff in normal Java-code and not rely on anything from your Application Server, because then you are able to set the Authentication like the following snippet:

HTTPConduit http = (HTTPConduit) client.getConduit(); 
http.getAuthorization().setUserName("user");
http.getAuthorization().setPassword("pass");

Note: We actually did not solve our problem like that; We went for a workaround. Our usage of WebSphere Liberty was limited to the Developers-environment. On our Integration Test, Acceptance and Production-server, we use a 'real' WebSphere Application Server.

Our workaround was start to remove the policy line from the WSDL and not use Basic Authentication in our developers test. The real WebSphere still applies the HTTP Basic Authentication if it is configured to do so, even if the WSDL does not specify the policy anymore.

I hope you will manage to find a appropriate solution.

Cheers, Marco

1: How to setup HTTP Basic Authentication for SOAP Client within WebSphere Liberty

Removing accidental edit