Authenticating a WS-Security UsernameToken against a GlassFish realm gives "Authentication refused"

Haakon picture Haakon · Aug 19, 2011 · Viewed 8.9k times · Source

I have a SOAP webservice declared using @WebService in an EJB subproject of an EAR running in GlassFish 3.1.1 using its bundled Metro runtime. It's been annotated with the usual @DeclareRoles and @RolesAllowed, on the class level.

I have a WSIT descriptor for authentication using a simple plaintext-password UsernameToken.

In the EAR's glassfish-application.xml, I specify the realm as the standard file realm that comes with GlassFish. To this realm I have added a user for testing, belonging to a specific group. This group is mapped to the role I specified in glassfish-ejb-jar.xml.

I also enabled the Security Manager in GlassFish, as well as auditing. I restarted the server after doing this.

I have generated a client and set the username and password in callback handlers. I log to make sure the credentials are indeed set. I have also tried to set the credentials like this:

Map<String, Object> requestContext = ((BindingProvider)port).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, "myUsername");
requestContext.put(BindingProvider.PASSWORD_PROPERTY, "myPassword");

When I call the service, I get this on the server:

INFO: SEC5046: Audit: Authentication refused for [myUsername].
INFO: SEC1201: Login failed for user: myUsername
SEVERE: WSS1408: UsernameToken Authentication Failed
SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
    at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:158)
    at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:164)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:341)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:275)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:225)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:586)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:360)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:263)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:173)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:144)
    at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
    at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)
    at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:608)
    at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:259)
    at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:162)
    at org.glassfish.webservices.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:120)
    at org.glassfish.webservices.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:91)
    at org.glassfish.webservices.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:200)
    at org.glassfish.webservices.EjbWebServiceServlet.service(EjbWebServiceServlet.java:131)
    (Rest is snipped away)

and I get this on the client:

Authentication of Username Password Token Failed
javax.xml.ws.soap.SOAPFaultException: Authentication of Username Password Token Failed
    at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
    at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
    at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)

I then created a simple servlet/JSP project and added a security restriction on the realm. Authentication using the same user works in this case.

The WS-Security policy looks like this:

  <ns1:Policy xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/09/policy" wsu:Id="MyServicePortBindingPolicy">
    <ns1:ExactlyOne>
      <ns1:All>
    <ns2:SupportingTokens xmlns:ns2="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <ns1:Policy>
        <ns1:ExactlyOne>
          <ns1:All>
        <ns2:UsernameToken ns2:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <ns1:Policy>
            <ns1:ExactlyOne>
              <ns1:All>
            <ns2:WssUsernameToken10 />
              </ns1:All>
            </ns1:ExactlyOne>
          </ns1:Policy>
        </ns2:UsernameToken>
          </ns1:All>
        </ns1:ExactlyOne>
      </ns1:Policy>
    </ns2:SupportingTokens>
    <ns3:UsingAddressing xmlns:ns3="http://www.w3.org/2006/05/addressing/wsdl" />
      </ns1:All>
    </ns1:ExactlyOne>
  </ns1:Policy>

What's going wrong here? Any suggestions highly appreciated.

Answer

Haakon picture Haakon · Aug 22, 2011

This solved itself when I disabled my own homebaked programmatic authentication mechanism, which threw a disruptive exception. Can't believe that didn't strike me before.