0
I have a Spring-Boot project that produces a SOAP web service. I configure it to use WS-Security (Wss4jSecurityInterceptor). The users are being loaded from database (MySQL) using JdbcUserDetailsManager. Furthermore I encrypt the user password using BCryptPasswordEncoder.
But when I try to consume the web service I get "The security token could not be authenticated or authorized; nested exception is org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized".
I know that Spring-Boot is trying compare plain text password with encrypt password at the data base. When I save the password on plain text in the data base it work!
I don't know why, but password encoder work over a WebSecurityConfigurerAdapter project. I am working over a WsConfigurerAdapter project according to https://spring.io/guides/gs/producing-web-service/.
How do I configure password encoder over WS-Security with Spring-Boot?
Run command:
mvn -P dev spring-boot:run -Dspring-boot.run.profiles=dev
Github project: https://github.com/saenzemiliano/spring-boot-example-ws-wss.git
Web service location http://localhost:8080/sample/ws/countries
Web service invocation
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gs="http://spring.io/guides/gs-producing-web-service">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="UsernameToken-D3BE54CA98BF76B3BF15548134030756">
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">secret</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<gs:getCountryRequest>
<gs:name>Uruguay</gs:name>
</gs:getCountryRequest>
</soapenv:Body>
</soapenv:Envelope>
Web service result
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Client</faultcode>
<faultstring xml:lang="en">The security token could not be authenticated or authorized; nested exception is org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Comment From: snicoll
Thanks for reaching out and sharing a sample but this issue tracker is not the right place to ask. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question on StackOverflow (so that other people can find it).
If this turns out to be a bug, the Spring Security or Spring WS projects would be a better candidate anyway.
Comment From: saenzemiliano
It is not posible, org.apache.wss4j.* doesn't support password encoding. UsernameTokenValidator.java compare original password with candidate password using equal(...).
BUUUUUUTTTT!!!! You can implement another UsernameTokenValidator and set it at Wss4jSecurityInterceptor. My implementation (AppUsernameTokenValidator) is based on UsernameTokenValidator.java
Wss4jSecurityInterceptor configuration:
@Bean
public AbstractWsSecurityInterceptor securityInterceptor(){
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("UsernameToken");
securityInterceptor.setValidationCallbackHandler(securitySpringBootCallbackHandler());
WSSConfig wssConfig = WSSConfig.getNewInstance();
wssConfig.setValidator(WSConstants.USERNAME_TOKEN, AppUsernameTokenValidator.class);
securityInterceptor.setWssConfig(wssConfig);
return securityInterceptor;
}
Comment From: javaHelper
@All - Could you please guide here: https://stackoverflow.com/questions/60260277/could-not-handle-mustunderstand-headers-http-docs-oasis-open-org-wss-2004-01 ?