Bug 1021049
| Summary: | Can't define SOAPHandlers in JBossWS configuration to handle SOAP Headers with mustUnderstand | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Chris Dolphy <cdolphy> | ||||||
| Component: | Web Services | Assignee: | Petr Sakař <psakar> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Rostislav Svoboda <rsvoboda> | ||||||
| Severity: | unspecified | Docs Contact: | Russell Dickenson <rdickens> | ||||||
| Priority: | unspecified | ||||||||
| Version: | 6.1.1 | CC: | brian.stansberry, jcacek, myarboro, nobody, psakar, rdickens | ||||||
| Target Milestone: | CR1 | ||||||||
| Target Release: | EAP 6.2.0 | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2013-12-15 16:19:08 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 1021549, 1026992 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
|
Description
Chris Dolphy
2013-10-18 21:08:19 UTC
Created attachment 813910 [details]
testcase
includes my standalone.xml and a test web service. See Readme.md.
verification is blocked by BZ 1021049 Verification is blocked by BZ 1026992 verification failed verification procedure: download EAP download attached testcase cd /home/development/jbossqe/BZ/BZ1021049/ unzip /home/development/artifacts/jboss-eap-6.2.0.CR1.zip export JBOSS_HOME=/home/development/jbossqe/BZ/BZ1021049/jboss-eap-6.2 echo JBOSS_HOME=$JBOSS_HOME $JBOSS_HOME/bin/standalone.sh $JBOSS_HOME/bin/jboss-cli.sh -c '/system-property=org.jboss.ws.cxf.disableHandlerAuthChecks:add(value=true)' $JBOSS_HOME/bin/jboss-cli.sh -c ':reload' $JBOSS_HOME/bin/jboss-cli.sh -c 'shutdown' vi $JBOSS_HOME/standalone/configuration/standalone.xml # add picketlink and testcase security domains # add on line 278 before line with </security-domains> <security-domain name="picketlink-sts" cache-type="default"> <authentication> <login-module code="UsersRoles" flag="required"> <module-option name="usersProperties" value="users.properties"/> <module-option name="rolesProperties" value="roles.properties"/> </login-module> </authentication> </security-domain> <security-domain name="sts-endpoint" cache-type="default"> <authentication> <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required" module="org.picketlink"> <module-option name="configFile" value="/example-sts-client.properties"/> </login-module> </authentication> </security-domain> #END OF add picketlink and testcase security domains $JBOSS_HOME/bin/standalone.sh git clone https://github.com/picketlink2/picketlink-quickstarts cd picketlink-quickstarts/ git checkout v2.1.6.Final cd ws-trust/picketlink-sts mvn clean package $JBOSS_HOME/bin/jboss-cli.sh -c "deploy target/picketlink-sts-2.1.6.Final-jboss-as7.war" cd ../../../ tar xvf testcase.tar.gz cd testcase/sts-client.war sed -i "s/stsuser/UserA/g" WEB-INF/classes/com/redhat/gss/sts/StsClient.java sed -i "s/RedHat13#/PassA/g" WEB-INF/classes/com/redhat/gss/sts/StsClient.java ant clean deploy curl http://localhost:8080/sts-client/client?name=Kyle Created attachment 822971 [details]
Server log with exception
attached server log with exception thrown during verification
This has taken me hours of debugging... to eventually figure out the verification procedure is actually wrong.
Despite containing a jaxws-handlers-server.xml descriptor with the PL handlers declaration, the com.redhat.gss.sts.TestEndpointImpl does not actually uses it. As a matter of fact, the endpoint does not include a @HandlerChain annotation referencing the handler descriptor, while it uses the jbossws api @EndpointConfig annotation, without specifying a configFile in it. In such case, the configuration is to be read from the webservices subsystem in the AS model.
The original bugzilla description here above actually says "4. Configure web service endpoint config", but that was not included in the verification procedure (I didn't notice it too at first :-/ ). The webservices subsystem in the standalone.xml needs to be modified with something like what follows (not sure about the exact requirements, it's really a PL app configuration):
<endpoint-config name="sts-config">
<pre-handler-chain name="sts-config-chain" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
<handler name="SAMLAuth" class="org.picketlink.trust.jbossws.handler.WSAuthenticationHandler"/>
<handler name="SAMLHandler" class="org.picketlink.trust.jbossws.handler.SAML2Handler"/>
</pre-handler-chain>
</endpoint-config>
After I did that, I could not reproduce the mustUnderstand header not understood error.
As an additional explanation, the reason for this all is that CXF comes with an interceptor that verifies the headers are actually understood; to achieve that, it scans the current interceptor chain and looks for handlers that are capable of "understanding" headers. In short, that means CXF SOAPHandlerInterceptor instances serving a non-empty JAXWS handler-chain whose handlers return at least an understood header QName. The configuration/verification issue here was preventing an handler chain from being installed in the endpoint, resulting in a interceptor chain without SOAPHandlerInterceptor and hence able to pass the mustUnderstand verification.
To simplify the debugging of situations like this, I'll add a warning message to be printed when a server endpoint configuration is looked up and not found. This is anyway an independent improvement. The bugzilla here should be properly verified regardless of the warning message improvement.
Of course an equivalent approach (to avoid modifying the webservices subsystem) is to actually add a @HandlerChain annotation in the TestEndpointImpl... Verified for EAP 6.2.0.CR1 Verification procedure (fixed version from comment#9 - added endpoint config "sts-config" and fixed username and password in WEB-INF/classes/example-sts-client.properties) cd /home/development/jbossqe/BZ/BZ1021049/ unzip /home/development/artifacts/jboss-eap-6.2.0.CR1.zip export JBOSS_HOME=/home/development/jbossqe/BZ/BZ1021049/jboss-eap-6.2 echo JBOSS_HOME=$JBOSS_HOME $JBOSS_HOME/bin/standalone.sh $JBOSS_HOME/bin/jboss-cli.sh -c '/system-property=org.jboss.ws.cxf.disableHandlerAuthChecks:add(value=true)' $JBOSS_HOME/bin/jboss-cli.sh -c ':reload' $JBOSS_HOME/bin/jboss-cli.sh -c 'shutdown' vi $JBOSS_HOME/standalone/configuration/standalone.xml # add picketlink and testcase security domains # add on line 278 before line with </security-domains> <security-domain name="picketlink-sts" cache-type="default"> <authentication> <login-module code="UsersRoles" flag="required"> <module-option name="usersProperties" value="users.properties"/> <module-option name="rolesProperties" value="roles.properties"/> </login-module> </authentication> </security-domain> <security-domain name="sts-endpoint" cache-type="default"> <authentication> <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required" module="org.picketlink"> <module-option name="configFile" value="/example-sts-client.properties"/> </login-module> </authentication> </security-domain> # add below line ? <subsystem xmlns="urn:jboss:domain:webservices:1.2"> <endpoint-config name="sts-config"> <pre-handler-chain name="sts-config-chain" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM"> <handler name="SAMLAuth" class="org.picketlink.trust.jbossws.handler.WSAuthenticationHandler"/> <handler name="SAMLHandler" class="org.picketlink.trust.jbossws.handler.SAML2Handler"/> </pre-handler-chain> </endpoint-config> #END OF add picketlink and testcase security domains $JBOSS_HOME/bin/standalone.sh git clone https://github.com/picketlink2/picketlink-quickstarts cd picketlink-quickstarts/ git checkout v2.1.6.Final cd ws-trust/picketlink-sts mvn clean package $JBOSS_HOME/bin/jboss-cli.sh -c "deploy target/picketlink-sts-2.1.6.Final-jboss-as7.war" cd ../../../ tar xvf testcase.tar.gz cd testcase/sts-client.war # fix username and password used for picketlink STS authentication sed -i "s/stsuser/UserA/g" WEB-INF/classes/com/redhat/gss/sts/StsClient.java sed -i "s/RedHat13#/PassA/g" WEB-INF/classes/com/redhat/gss/sts/StsClient.java sed -i "s/username=sts/username=UserA/g" WEB-INF/classes/example-sts-client.properties sed -i "s/RedHat13#/PassA/g" WEB-INF/classes/example-sts-client.properties ant clean deploy curl http://localhost:8080/sts-client/client?name=Kyle The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |